India’s cybersecurity decision deadline could be extended – again


According to Indian media, the deadline for complying with the Indian government’s controversial new cybersecurity guidelines should be extended, but only for micro, small and medium enterprises (MSMEs) and small and medium enterprises (SMEs).

The Computer Emergency Response Team India (CERT-In) guidelines were originally released in late April. They demanded that all companies, intermediaries, data centers and government organizations report any data breaches to the government within six hours of becoming aware of them.

However, they also mandated virtual private network (VPN) service providers to retain all information they had collected for five years and turn it over to the government as needed. SMEs and MSMEs must keep the data for three years.

As we reported, citing security and privacy concerns, some VPN service providers such as ExpressVPN, Surfshark, and NordVPN have announced plans to stop offering their services in India.

Minister of State for Electronics and IT, Rajeev Chandrasekhar, told India’s Economic Times: “We will not put the burden of this additional compliance on SMEs or MSMEs until they won’t be ready”. However, the ministry itself does not appear to have been ready for the disruption the new decision could cause.

In fact, this is the second extension of the compliance deadline for SMEs and MSMEs by the ministry. There was an extension at the end of June until September 25, after SMBs, MSMEs, data centers, VPS, VPNs and cloud service providers said they needed more time to “strengthen their capacities”.

However, it seems that some SMEs and MSMEs still do not have the cost-effective human resources needed to comply with cybersecurity rules. And of course, data maintenance will increase their operational costs.


Source link