The Ministry of Electronics and Information Technology (MeitY) on May 18 released a Frequently Asked Questions (FAQs) document "to explain the nuances" of the cybersecurity directive issued by CERT-In, which has received strong pushback from cybersecurity experts for being ill-advised, impractical, unclear, and overly burdensome on companies. The FAQs attempt to address some of the concerns, but they also introduce some new concerns. What is the cybersecurity directive? The Indian Computer Emergency Response Team (CERT-In), which falls under MeitY, is the government-appointed nodal agency tasked with performing cybersecurity-related functions in the country. On April 28, the agency issued a new directive covering aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, maintenance of KYC and transaction information for crypto exchanges, and maintenance of detailed customer information for VPN, cloud service, data centre providers. What aspects do the FAQs attempt to clarify? Key points Logs can be stored abroad: "The logs may be stored outside India also as long as the obligation to produce logs to CERT-In is adhered to by the entities in a reasonable time," the FAQs state. This is a confusing and contradictory statement because it goes directly against the directive which states that the logs "shall be maintained in Indian jurisdiction." Exceptions to syncing time with NPL, NIC servers: One of the most controversial provisions of the directive was the requirement for companies to sync their system clocks with the time provided by the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). The government has now clarified…
