RTI: No details on how many entities have complied with CERT-In’s cybersecurity directions

Only 1227 entities registered or updated their point of contact with India’s cybersecurity agency between 28.06.2022 and 31.01.2023

India’s cybersecurity agency has no information on how many entities have complied with the cybersecurity directions it issued last year, a Right to Information (RTI) response received by MediaNama on March 6 revealed.

“The [cybersecurity] directions do not envisage explicit submission of compliance of these directions by entities per se except information on Point of Contact and reporting of incidents as and when occurred as prescribed. CERT-In, in general, has not sought status of compliance from all the entities,” the Indian Computer Emergency Response Team (CERT-In) stated.

The cybersecurity directions issued by CERT-In in April 2022 require companies to report cybersecurity incidents within 6 hours, maintain system logs for 180 days, maintain KYC and transaction information of customers if they are crypto exchanges, maintain detailed customer information if they are VPN, cloud service, or data centre providers, synchronise their system clocks with government time servers, and share a point of contact with CERT-In.


With regard to these directions, MediaNama filed an RTI request with CERT-In asking the following questions:

  1. Has CERT-In sought compliance status with regard to the directions from service providers, intermediaries, and body corporates? If yes:
    1. How many MSMEs [Micro, Small & Medium Enterprises] have complied with all the directions outlined in the rules? How many entities in total have complied with the directions?
    2. Please share a copy of the notices sent to the applicable entities.
    3. Please share any non-confidential versions of responses received from the entities.
  2. How many entities have submitted point of contact information to CERT-In? How many of these are MSMEs?

For the first question, CERT-In responded (as above) stating that it has no information on compliance status. As for the second question, CERT-In responded by saying that 1227 entities registered or updated their point of contact with CERT-In between 28.06.2022 and 31.01.2023. However, “CERT-In has not made any categorisation in respect of Point of Contact information in respect of MSME, hence, no such information is available,” the agency replied in response to the second part of the question.

When compared to the total number of entities that are required to submit point of contact information to CERT-In, which is basically any entity with a computer and an internet connection, the 1227 figure is minuscule. For context, there are over 14 lakh registered active companies in India and it’s not unreasonable to assume that most of them have computer systems.

Why does this matter: When the cybersecurity directions were issued last year, we criticised them for being onerous and, for a lot of companies, infeasible to comply with. We also pointed out that CERT-In would have a hard time tracking compliance as it might not have enough resources to do so (links to our past coverage are below). The fact that only 1000-odd entities have updated their point of contact information with CERT-In, which is probably the easiest requirement under the directions, raises questions about where entities really stand in terms of compliance with the cybersecurity directions. Or are these directions a futile exercise?

Only 15 entities reported cybersecurity incidents within 6 hours: CERT-In also revealed that only 15 entities reported cybersecurity incidents within the stipulated 6-hour timeline. We have covered this in more detail here.

What’s wrong with the cybersecurity directions: For more on why we think the cybersecurity directions are misguided, find our past coverage under the tag Cybersecurity Directions 2022, or here are a few selected criticisms of the directions:

  • Why India’s New Cybersecurity Directive Is A Bad Joke [read]
  • India’s Cybersecurity Directive Goes Against Security, Tech Companies Argue  [read]
  • Global Coalition Criticises India’s Cybersecurity Directive  [read]
  • How India Can Improve Its Cybersecurity Directions #NAMA  [read]
  • Why India Should Not (Yet) Mandate Companies To Adopt A Specific Time Source [read]
  • Deep Dive: The Legality Of India’s New Cybersecurity Directive  [read]
  • “You Don’t Need To Have A Blanket Law That Treats Everyone As A Criminal”, Says Dr Joe Hall Of Internet Society On India’s Cybersecurity Directions  [read]
  • Impact Of India’s Cybersecurity Directions On The Global Internet  [read]
  • Why An Indian VPN Provider Is Suing The Government Over The New Cybersecurity Rules  [read]
  • VPN Providers Call India’s New Rules Worse Than China, Russia  [read]

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
