India delays strict new VPN rules by 3 months

India will give cloud service operators an additional three months to comply with new rules that require them to maintain names and addresses of their customers, giving some relief to firms as many scramble to follow the new guidelines and some consider leaving the South Asian market.

The Indian Computer Emergency Response Team said it is extending the enforcement of the new rules to September 25. The rules went into effect on Monday.

CERT said it was extending the deadline because industry players wanted more time.

It's announcement comes after a lot of criticism from providers who said they would remove local server in the country.

Nearly two dozen cybersecurity experts and technologists from India and across the world sent a joint letter to CERT and Ministry of Electronics and IT on Monday, calling for the "dangerous CERT- In cybersecurity directions" to not be implemented.

Cyber security and online privacy will be weakened by the directions. We are aware of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions will have negative implications in practice and impede effectiveness.

CERT requires virtual private server (VPS) providers, cloud service providers, VPNs service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisation to store customers' names, email addresses, IP addresses, know-your-customer

India's lawmakers have made it clear that they will not relax the new rules.

In a press conference last month, the junior IT minister of India said that providers who want to hide who uses their services will have to leave the country. There will be no public consultation on these rules.

Firms are required to report security issues such as data breeches within six hours. Chandrasekhar said last month that India was being generous in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore.