Indian cyber security ruling deadline may be extended – again

The deadline for complying with the Indian government’s controversial new cybersecurity directives is likely to be extended, according to Indian media – though only for micro, small and medium enterprises (MSMEs) as well as small and medium enterprises (SMEs).

The Indian Computer Emergency Response Team (CERT-In)’s guidelines originally appeared in late April. They required all companies, intermediaries, data centres and government organisations to report any data breach to the government within six hours of becoming aware of it.

However, they also mandated virtual private network (VPN) service providers to maintain all the information they had gathered for five years and hand it over to the government as and when required. SMEs and MSMEs have to hold on to the data for three years.

As we have reported, citing security and privacy concerns, some VPN service providers such as ExpressVPN, Surfshark, and NordVPN have announced plans to stop offering their services in India.

The Minister of State for Electronics and IT Rajeev Chandrasekhar told India’s Economic Times: “We will not make SMEs or MSMEs bear the burden of this additional compliance until they are ready.” However, the ministry itself seems not to have been ready for the disruption the new ruling might cause. 

In fact this is the second extension in the compliance deadline for SMEs and MSMEs by the ministry. There was an extension in late June to September 25, after representations from SMEs, MSMEs, data centres, VPS, VPN, and cloud service providers that they needed more time to “build capacity”.

It seems, however, that some SMEs and MSMEs still lack the cost-effective human resources needed to comply with the cybersecurity rules. And of course maintaining data will add to their operational costs.