Hindustan Times (Delhi)

VPNs get more time to comply with new norms

- Abhijit Ahaskar

NEW DELHI: The Computer Emergency Response Team (CERT-In) has extended by about three months the deadline for complying with its controversial rules for small enterprises and virtual private network (VPN) service providers in India.

This comes after several VPN providers removed their servers from the country following the April 28 notice under Section 70B of the Information Technology Act (IT Act), and after consultations with the industry in which many asked for more time to comply. The rules were originally slated to come into force from June 28; the deadline has now been extended to September 25.

“The ministry of electronics and information technology (MeitY) and CERT-In are in receipt of requests for the extension of timelines for implementation of these Cyber Security Directions of 28th April, 2022 in respect of micro, small and medium enterprises (MSMEs),” the ministry said in a notice on Tuesday. “Further, additional time has been sought for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” it added. The MSME sector had sought an extension of 300 days from June 28 for compliance during talks with the ministry. However, experts said the decision is good news for incumbents.

Raj Sivaraju, president, Asia-Pacific, at Arete, a cyber incident response company, said the extension provides businesses with “reasonable time” for capacity building. “We believe it is a welcome move towards better preparation for faster recovery, easier reporting, post-incident investigations, and a continuous approach to managing risks,” he said.

Further, Amit Jaju, senior managing director at Ankura Consulting Group, said the extension will provide companies time to implement the required processes and technologies. “The time to reconfigure time servers should not take beyond a week across all machines that are centrally connected. To appoint a point-of-contact (POC), they will have to augment the role of an internal person which can be done swiftly,” said Jaju.

The new rules, which were widely criticised, required VPN service providers to store user data and maintain logs of their usage.

[Photo: iStockphoto. Caption: The rules were originally slated to come into force from June 28.]
