What's the news: The Indian government is considering a 90-day extension to the deadline for complying with the cybersecurity directions issued by the Computer Emergency Response Team (CERT-In), the Economic Times reported. Like the previous extension, this one will also apply only to micro, small, and medium enterprises (MSMEs) as well as small and medium enterprises (SMEs), the report stated.

"We are very clear. We will not make SMEs or MSMEs bear the burden of this additional compliance until they are ready," Minister of State for Electronics and IT Rajeev Chandrasekhar told ET.

Why does this matter: The cybersecurity directions, which were announced in April, contain some onerous obligations that apply to all entities that have computer systems. For example, companies have to report cybersecurity incidents within 6 hours, maintain 180 days of logs, and synchronise their time to the servers provided by the government, and some entities like VPN providers have to maintain detailed information about their customers for over five years. Companies and trade bodies have asked not only for more time to comply with these directions but also for the removal of some of the provisions that pose an unnecessary burden to businesses.

Already two weeks past the deadline: The CERT-In directions went into effect on June 28 for large entities and on September 26 for SMEs and MSMEs. It is not clear how non-compliance over the last two weeks will be seen by the government. For example, if a small business had suffered a breach sometime in the last two weeks and hasn't yet…
