The Indian government clarified that corporate and enterprise VPN services are not subject to its new cybersecurity directive, which requires VPN providers to maintain detailed information about their customers. The directive only applies to services catering to the general Internet users, the government said. "For the purpose of this direction, VPN service provider refers to an entity that provides 'Internet proxy like services' through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users," the Ministry of Electronics and Information Technology (MeitY) said in its FAQs document on the directive issued by the Indian Computer Emergency Response Team (CERT-In). Companies use VPN services to allow employees to connect to the office network and access company files from outside of the office premises. This clarification will be a relief to a large number of these companies who had been left wondering how they can comply with the new directive. What are the rules for VPN providers? The new directions issued by CERT-In on April 28 contain provisions that extend beyond VPN providers, and cybersecurity experts have spared no time in criticising them for a long list of reasons. However, the provisions pertaining to VPN providers have garnered extra attention because the proposal by CERT goes against the very selling point of VPN companies: privacy. Starting 28 June 2022, VPN providers are required to: Maintain detailed customer information: Data Centres, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network Service (VPN Service) providers, are required to register the following accurate information about…
