The Indian Computer Emergency Response Team (CERT-In) has extended the deadline for its new order, which requires virtual private network (VPN) providers to register and store user information. The new deadline set by CERT-In for the implementation of the new guidelines is September 25.
The Ministry of Electronics and Information Technology (MeitY) has previously ordered VPN companies to collect and store user data in India for at least five years. The Directive was issued to coordinate response activities and emergency measures related to cyber security incidents. Data centers, virtual private server (VPS) providers, and cloud service providers are also required to record and retain accurate information about their services for five years or more “as required by law after any cancellation or registration.” The data includes the user’s home address, IP address, and usage patterns.
The ministry has now postponed fulfilling its new mandate after the companies concerned asked for more time. The CERT-in also stated that it had extended the deadline to give micro, small, and medium-sized enterprises (SMEs) sufficient time to build the capacity needed to implement these guidelines.
The new Cyber Security Guidelines of April 28, 2024, issued under subsection (6) of Section 70B of the Information Technology Act 2000, will be implemented from 25 September. CERT-In also asks the companies concerned to provide the user with additional information such as “valid subscriber names, service login time, assigned and used IP addresses, e-mail address and IP address, as well as the appropriate time recorded at the time of registration, purpose subscription, verified address and contact numbers, and a sample of the properties of the subscribers who sign up for the service.
In addition, all government and private agencies, including ISPs, social media platforms, data centers, etc., should be required to report cyber security incidents within six hours of detection. Many VPN service providers, such as NordVPN, Surfshark, and Express VPN, are shutting down their servers in India. Companies have criticised the new VPN policy, citing privacy concerns. PureVPN is the latest service provider to get its servers from India. The company stated that it did not collect information from users, which is contrary to the policy announced by the Indian government.