India pushes ahead with its strict VPN and breach disclosure rules despite concerns

India is pushing ahead with its new cybersecurity rules that will require cloud service providers to maintain names of their customers and suggest firms that don't wish to comply to pull out of the world's second largest internet market.

The Indian Computer Emergency Response Team clarified that virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisation shall follow.

The new rules, which were unveiled late last month, won't apply to corporate and enterprise VPNs, according to the government agency.

New Delhi is not relaxing the rule that requires firms to report security incidents within six hours.

The junior IT minister of India said on Wednesday that India was giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore.

If you look at precedence all around the world, you will see that cybersecurity is a very complex issue, where situational awareness of multiple incidents allow us to understand the larger force behind it.

India's new cybersecurity rules have raised concerns from several providers. If no other options are left, NordVPN may remove its services from India.

The new Indian regulations are an assault on privacy and threaten to put citizens under a microscope. We are committed to our no-logs policy.

Chandrasekhar said that providers who want to hide who uses their services will have to pull out.

The new directions were vague and undermined user privacy and information security according to the Internet Freedom Foundation.

Some of the changes have been justified.

There has been a lot of pressure on CERT-In with large scale data breeches being reported across India. CERT-In never acted on most of the reports that were denied by the companies, according to a researcher.

BigBasket, an online grocery store in India, had an alleged data breach that spilled the names, addresses and phone numbers of 20 million users. Many users confirmed that the data that was circulating looked legit, as they were able to find their own details in the data dump. BigBasket is tight-lipped on the subject.