Govt Maybe Delaying Cybersecurity Directives Implementation Introduced In April

Government of India (GoI) may be looking to delay the implementation of the cybersecurity directives it had introduced in April this year. It had already deferred the implementation from Jun. 27 to Sept. 25. But there has been no word from the government on the implementation.

After significant feedback from technology companies, MSMEs, SMBs and policy groups, the government might be pondering upon the Cert-In cybersecurity directives before tabling and implementing it much later than its planned date of implementation.

The directives were to be implemented by Jun. 27, 2022. But the government had decided to defer it to Sept. 25 later.

The Indian Computer Emergency Response Team (Cert-In) under the Ministry of Electronics and Information Technology (MeitY) had originally proposed cybersecurity directives that required the VPN providers and cloud service providers to retain information of their users for a minimum duration of five years – even if a user cancelled their registration from the VPN provider.

The stringent guidelines by the GoI had forced the hand of a few privacy-conscious VPN companies, which decidedly shut their Indian servers. Amongst these were companies including ExpressVPN and Surfshark.

“The matter has been considered by CERT-In and it has been decided to provide extension till 25 September, 2022 to Micro, Small and Medium Enterprises (MSMEs) in order to enable them to build capacity required for the implementation of the Cyber Security Directions”, the Indian government had said in its June statement announcing the postponement of implementation.

Prior to GoI's deicision to defer the implementation, it had received suggestions from various bodies including IAMAI, which represents the likes of Facebook, Google and Reliance in the country. But after tabling a meeting with various technology stakeholders, the government had made it clear that the directives would go on the floor as decided after Sept. 25.

Weighing in on the issue earlier this year, Vidhu Nautiyal (co-founder and chief revenue officer, CloudConnect Communications) told BW Businessworld in an interview: “[..] there is undoubtedly a need for a framework to govern cyber-incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the directives may have some concerns regarding the implications in practice and impede effectiveness, while risking online privacy and security.”

But for now, it looks like there could be a further delay in the implementation as the government works on the intricacies of the directives to keep Micro, Small and Medium Enterprises (MSMEs) out of the line of fire, as they would find it hard to allocate necessary resources to adhere to the previously guidelines.

Speaking about the cybersecurity directives to BW Businessworld, Sandip Patel, MD of IBM India/South Asia said, “We actually gave some pointed guidance to the GoI based on our experience with other governments around the world. And it is now being considered before the final bill gets tabled and accepted.”