An extension of compliance timelines for small and medium-sized enterprises (SMEs), a portal for reporting cybersecurity incidents, and a review of the directions 90 days after they come into force were among the matters discussed at a June 10 meeting between industry stakeholders and government officials on the cybersecurity directions issued by CERT-In. Rajeev Chandrasekhar, Minister of State for MeitY; Dr. Sanjay Bahl, Director General of CERT-In; and Rajendra Kumar, Additional Secretary at MeitY, were present at the meeting.
Apart from the aforementioned agenda, the need for issuing subsequent clarifications on the directions, and the burden of the directions on small and medium enterprises were also raised at the meeting. No discussions took place regarding VPNs at the meeting, it is learnt.
The cybersecurity directions notified on April 28 place significant compliance burdens on companies operating in India, such as a requirement to report cybersecurity incidents within 6 hours, to retain system logs for 180 days, and for crypto and VPN companies to store records of all transactions and subscribers. They have already been criticised by multiple industry bodies, tech companies, and cybersecurity experts, and have led two VPN providers to shut down their servers in the country.
It remains to be seen whether, and how far, the ministry further clarifies these directions, given that it already issued a set of FAQs on them earlier this month and has otherwise staunchly defended them.
Concessions granted by MeitY during the meeting
Format and portal for reporting of cybersecurity incidents: At the meeting, MeitY accused industry stakeholders of not wanting to report cybersecurity incidents and said that the directions had been implemented to create a ‘practice of incident reporting.’
“Aapke ghar mein chori hoti hai (Your house is robbed), there is an accident, do you wait for 36 hours-72 hours for it to be reported to the police, or do you tell the police immediately when you come to know about it?” MeitY told industry representatives in response to concerns raised about the 6-hour reporting timeline for cybersecurity incidents, according to a source present at the meeting.
Industry bodies have asked for a 72-hour timeline to report cybersecurity incidents. However, according to sources at the meeting, MeitY refused to relax the timeline; instead, a format for companies to report cybersecurity incidents will be provided, and the ministry will explore the possibility of a portal for reporting them as well.
Clarifications underway on requirement for validated data: Clarifications will be issued by the ministry on the directions' requirement for data centres, cloud service providers (CSPs), virtual server providers, etc., to maintain validated information on their customers, it is learnt.
Industry stakeholders reiterated their earlier concern that CSPs and data centres do not have the capability to provide 'validated' information on their customers, i.e., authenticated information that could be backed by Aadhaar, for example. During the meeting, MeitY said that it would look for a solution to this.
Review of directions 3 months after implementation: At the meeting, officials also said that they would conduct review meetings 90 days after the directions are implemented to address any challenges the industry might be facing. For context, the directions are expected to come into effect towards the end of June.
Relaxation of the timeline for SMEs: For SMEs, MeitY asked representatives to get back to it with the time they would need to build the capacity to comply with the 6-hour timeline, after which the ministry may extend the deadline for them to comply with the new directions.
Concerns for SMEs raised during the meeting
Legal recognition of the FAQs: Sources said that the government was requested to provide legal recognition to the FAQs so they can be referenced for ensuring compliance, as the directions themselves were broad and vague.
On May 18, MeitY released a set of FAQs on the directions which clarified some of their requirements, such as allowing companies to store logs outside India so long as they are made available to the Indian government when needed, exempting corporate VPNs, and so on. FAQs on a policy set out the government's stance and approach and answer questions raised by stakeholders. However, they are not a legal document, i.e., they are not enforceable in court.
Prohibitive cost of storing logs for SMEs: Concerns were raised about the cost of maintaining logs as required by the directions. "It is very prohibitive for small and medium-sized enterprises as there is a cost involved, anywhere from $1,000 to $2,000 for seven days for 1 terabyte of data and this can be very prohibitive," a source told MediaNama. Under the directions, entities have to maintain logs of all their ICT systems and retain them securely for a rolling period of 180 days.
Timeline: Friction between industry and government on cybersecurity directions
7th June: VPN provider Surfshark announces that it is shutting down its servers in India.
2nd June: VPN provider ExpressVPN announces that it is removing its servers in India.
"With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers," the company announced on June 2.
1st June: A submission from a coalition of civil society organisations including the Internet Freedom Foundation, Access Now, Software Freedom Law Centre, etc., asks for the directions to be withdrawn because of their vagueness, the lack of public consultation, and so on.
26th May: A coalition of eleven global business and tech associations criticises the rules in a letter to CERT-In, saying they undermine cybersecurity in India.
18th May: MeitY releases the FAQs document on the cybersecurity directions.
At the press conference releasing the FAQs, Chandrasekhar reportedly issues an ultimatum to VPN providers to comply with the directions or leave the country.
“There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out from the country, frankly, that is the only opportunity you will have. You will have to pull out,” minister of state for electronics and IT, Rajeev Chandrasekhar told reporters while releasing frequently asked questions (FAQs) regarding the rules.
9th May: The Information Technology Industry Council (ITI), an industry body representing the likes of Apple, Amazon, Meta, Google, and Microsoft, writes to CERT-In saying that the rules could have a negative impact on enterprises operating in India.
6th May: Multiple VPN providers criticise the rules, calling them worse than those of 'dictatorships' like China or Russia, harmful to privacy, and more.
28th April: CERT-In releases the cybersecurity directions.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- CERT-In issues new cybersecurity directions for crypto, VPN companies
- Deep Dive: The legality of India’s new cybersecurity directive
- Summary: What the FAQs on the cybersecurity directive say