wordpress blog stats
Connect with us

Hi, what are you looking for?

Cybersecurity directive applies to foreign companies as well, IT Ministry clarifies

It also elaborated on what type of logs should be kept.

The Indian government clarified that its cybersecurity directive applies not just to Indian companies but also to foreign companies catering to Indian users. In a FAQs document on the new directive, the Ministry of Electronics and Information Technology (MeitY) addressed multiple questions pertaining to the applicability of the directive to foreign entities.

The Indian Computer Emergency Response Team (CERT-In), which is the government-appointed nodal agency tasked with performing cybersecurity-related functions in the country, on April 28 issued the directions covering aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs for 180 days, maintenance of KYC and transaction information for crypto exchanges, and maintenance of customer information for VPN providers. Cybersecurity experts spared no time in criticising these new directions and tech companies have argued that these directions go against cybersecurity rather than improve it.

While the directive poses a significant compliance burden to all companies, it’s most burdening on foreign companies because they are required to appoint separate staff and set up/hire additional infrastructure in India to adhere to these directions.

What did the government clarify in its FAQs document?

  • IT Act applies to foreign companies: In response to a question on whether the cybersecurity directions apply only to Indian companies or also to foreign firms that serve Indian customers, MeitY referred to the Section 75 of the Information Technology Act, 2000, which states that the provisions of the IT Act apply to foreign entities as well. Since the cybersecurity directive was issued under Section 70B of the IT Act, this foreign applicability extends to the directive as well.
  • Point of Contact should be appointed by foreign companies: The government clarified that any foreign company offering services to the users in India should designate a Point of Contact to liaise with CERT-In regardless of whether or not the company has a physical presence in India. As per the rules, information relating to the Point of Contact should be sent to CERT-In and must contain a name, designation, organisation name, office address, email ID, mobile number, office phone, and office fax. All communications from CERT-In seeking information and providing directions for compliance will be sent to the said Point of Contact.
  • Logs of foreign service providers should be maintained: In response to a question on whether companies need to store logs of foreign service providers and foreign part of financial transactions in India, MeitY responded that any service provider offering services to the users in the country need to enable and maintain logs and records of financial transactions in Indian jurisdiction. This is, however, not a new requirement, as the Reserve Bank of India already requires it.
  • Foreign privacy laws may take precedence when it comes to personal data: Experts had pointed out that the new directive can put companies in conflict with privacy laws abroad. In response to a question on what should an organization do if the logs contain personally identifiable information (PII) of data subjects of a foreign data protection regime such as GDPR, MeitY said that “the requirements on the part of service providers, intermediaries and body corporate in respect of the protection of confidentiality of the customer data prior to the issuance of these Cyber Security Directions of 28.04.2022 are in force and does not change.” While this is not a straightforward answer, it seems to indicate that privacy laws of other countries will take precedence as far as personal data is concerned.
  • Storing copies of logs abroad is allowed: While the directive requires logs to be maintained within Indian Jurisdiction, the government is not stopping companies from maintaining a copy abroad as well. “The logs may be stored outside India also as long as the obligation to produce logs to CERT-In is adhered to by the entities in a reasonable time,” MeitY said.
  • Crypto services not located in India but serving Indians must also comply: In response to a question on whether the directive is applicable to virtual asset service providers, virtual asset exchange providers and custodian wallet providers not located in India but catering to Indian users, MeitY responded that the directive is applicable to any entity when it comes to cyber incidents and cybersecurity incidents.

Update (19 May, 1:51 pm): Updated section on logs of financial transactions to clarify that it is not a new requirement as the RBI already requires it.

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ