Cert-In extends deadline for VPN cybersecurity norms till Sept 25

India’s Computer Emergency Response Team (CERT-In) has extended until September 25 the deadline to comply with its cyber security norms for Virtual Private Network (VPN) and cloud services, responding after foreign providers said they will remove their servers in the country.

September 25 is the new compliance date for micro, small and medium enterprises (MSMEs). Other businesses, which don’t provide VPN or cloud services, will have to comply with the earlier deadline of June 27.

The September 25 extension will “enable the industry to build the capacity required for the implementation of the cyber security directions,” said the Ministry of Electronics and Information Technology in a press release.

CERT-In directions, released on April 28, mandate service providers to keep records of every information and communication technology (ICT) transaction for a minimum of 180 days.

They require service providers to maintain the personal information of subscribers for five years or longer, as can be demanded by CERT-In in case of a cybersecurity incident.

The new deadline comes after VPN providers, including ExpressVPN, NordVPN, and SurfShark, earlier this month decided to remove their servers in India. SurfShark said it operates a “no logs” policy, “So such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible,” said the company a blog post.

It could not be immediately ascertained if the new deadline will prompt VPN players to reconsider their strategy for India, but the government is unlikely to ease the guidelines.

Rajeev Chandrashekhar, Minister of State for Electronics and Information and Technology, last month told VPN companies they are free to leave India. “If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.

Pankit Desai, co-founder and CEO of Sequretek, a Mumbai-based cyber security company, said the deadline extension would help firms enter a dialogue with the CERT-IN authority.

“However, there remains ambiguity on what has been asked and how companies will comply with it, for example, Incident reporting. There is a lack of clarity around how an incident is being defined,” Desai said.

He added that it was also not clear whether the companies need to report an unsuccessful attempt to breach companies’ cyber defences and if there would be a framework from the government side to help companies that have suffered a cyberattack.

Sandip Kumar Panda, the co-founder at InstaSafe Technologies, said an extension was expected as CERT-In’s guidelines cannot be implemented quickly. “The timelines and the excessive data retention mandates will have negative implications in delivery and practice of it,” Panda added.

He said the cybersecurity industry is gaining ground in the country and it will have to follow guidelines, but it may need another extension after September 25.

The Guidelines

• MSMEs, data centres, cloud service providers, VPS, and VPN providers must comply with CERT-IN norms by September 25

• Ministry had agreed to consider relaxations for start-ups for compliance with specific requirements

• The decision has been taken to enable the industry to build capacity for the implementation

• Many VPN providers decided to close down servers in India after the norms were released in April

• Industry leaders ask for more clarity on compliance guidelines