Extension Of Deadline: India’s Breach Notification And Additional Cybersecurity Directions

BACKGROUND

On April 28th, 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued directions under section 70B of the Information Technology Act, 2000, relating to the “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet” (hereafter, the “Directions”). Our detailed note on the Directions and its requirements may be accessed here.

NEW DEADLINE

On 27th June, 2022, the CERT-In issued a notification (“Notification”) to extend the deadline for compliance with the Directions (a) for micro, small and medium enterprises (hereafter, “MSMEs”), and (b) in respect of the obligations of data centres, virtual private server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers to maintain subscriber information. The deadline for compliance is now 25th September 2022.

The relaxation for MSMEs is a blanket one, and general compliance of the Directions may begin from 25th September 2022. This basis for this relaxation is that MSMEs would require more time to build the capacity to meet the requirements of the directions.

The relaxation for data centres, VPS providers, cloud service providers, and VPN service providers under the Notification is restricted, and is limited to the maintenance of the “validated names of subscribers/customers” and “validated address and contact numbers” as mandated under paragraph v (a) and v (f) of the Directions. These entities need to otherwise be in compliance with the Directions from the original deadline, i.e., commencing from 27th June, 2022.

For any queries, please reach out to our team at Spice Route Legal:

Mathew Chacko, Aadya Misra, Shambhavi Mishra, Ada Shaharabanu, Tanvi Chaturvedi, Vishnu Naduvakkad, Dhruvo Das, Ajeeth Srinivas.