New VPN Guidelines: The Indian Computer Emergency Response Team (CERT-In), which recently issued an order requiring providers of virtual private networks (VPNs) to register with the government and store user information, has decided to extend the time for compliance with the order. CERT-In has set September 25 as the new deadline for the adoption of the new guidelines.
In the past, India’s Ministry of Electronics and Information Technology (MeitY) has mandated that virtual private network (VPN) service providers gather and keep customer information for a minimum of five years. The order was issued with the intention of coordinating the actions and emergency measures that are taken in response to cyber security incidents.
In addition, cloud service providers, virtual private server (VPS) providers, and data centres were required to register with the government and keep accurate information about their services for at least five years “as mandated by the law after any cancellation or the registration as the case may be.” The information gathered comprises the physical address of the user, as well as their IP address and their usage trends.
As a result of requests from affected businesses for additional time, the government ministry has decided to delay the execution of its new directive. CERT-In has also announced that it is extending the deadline to give Micro, Small, and Medium Enterprises (MSMEs) an appropriate amount of time to build the capacity that is necessary for the execution of these guidelines.
Beginning on September 25, 2022, the new cyber security directives that were issued on April 28, 2022, in accordance with subsection (6) of section 70B of the Information Technology Act, 2000, will become operational.
The CERT-In has also requested that the companies in question supply additional information regarding their users. This information includes “the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as the accurate time recorded during the registration, purpose of subscribing, validated address and contact numbers, and ownership pattern of the subscribers signing into the service.”
In addition to this, all private and public organisations, such as internet service providers, social media platforms, data centres, and the like, are required to report any cybersecurity breach to CERT-In within six hours of discovering it. This obligation applies to all government agencies as well.