Cert-In Defers Enforcement Of VPN Directives Until September 25

There is some relief for VPN providers in the country as the Indian Computer Emergency Response Team (CERT-In) has decided enforce the directives aimed at VPN providers only after September 25.

After considering the requests on the extension of timelines for implementation of the latest cybersecurity directive announced on April 28, Cert-In has decided to provide extension till 25 September 2022.

The new rules for Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers were slated to be enforced from June 27. 

“The matter has been considered by CERT-In and it has been decided to provide extension till 25 September, 2022 to Micro, Small and Medium Enterprises (MSMEs) in order to enable them to build capacity required for the implementation of the Cyber Security Directions. In addition, Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers are also provided with additional time till 25 September, 2022 for implementation of mechanisms relating to the validation aspects of the of subscribers/customers details,” said the Indian government in a press release.

Under the new directives from Cert-In, all the abovementioned entities were required to store user information for a time period of five years and inform the government in case there was a cybersecurity incident within six hours of being in the know such an occurrence.

The directives were widely criticised by the VPN providers in India as the rule impinged on user privacy. The new directives from the government have even prompted big players like NordVPN, Surfshark, ExpressVPN and PureVPN to shut its Indian servers.