India is pushing ahead with its new cybersecurity rules that will require cloud service providers and VPN operators to maintain names of their customers and their IP addresses despite many players threatening to leave the world’s second largest internet market over the new guidelines.
The Indian Computer Emergency Response Team clarified (PDF) on Wednesday that “service providers, intermediaries, data centres, body corporate, virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” shall follow the directive, called Cyber Security Directions, which was unveiled late last month.
The new rules won’t be applicable to corporate and enterprise VPNs, the government agency clarified.
New Delhi is also not relaxing a new rule that will mandates firms to report incidents of security incidents and data breaches within six hours of noticing such cases.
Rajeev Chandrasekhar, the junior IT minister of India, told reporters on Wednesday that six hours was ample enough time for firms to report security incidents as any further delays risk losing the attackers who move very swiftly.
Several VPN providers have expressed worries about India’s new cybersecurity rules. NordVPN, one of the most popular VPN operators, said earlier that it “may remove” its services from India if “no other options are left.”
Other service providers, including ExpressVPN and ProtonVPN, have also shared their concerns, adding that they may choose to not comply.
This is a developing story. More to follow…