
Adhering to FAQs on CERT-In cybersecurity directions may risk non-compliance, says industry

Industry body NASSCOM wants the government to update the cybersecurity directions of the Indian Computer Emergency Response Team to incorporate the clarifications provided in the FAQs released in May

October 17, 2022 / 10:33 IST

Nearly four months after the Indian Computer Emergency Response Team's (CERT-In) cybersecurity directions went into effect, the industry is still unsure about its compliance requirements and faces a difficult task in, among other things, building capability and scaling up its infrastructure.

Now, a document related to the CERT-In directions, which was supposed to streamline issues for the industry, has itself become a cause of concern.

Why?

NASSCOM-DSCI warned the Ministry of Electronics and Information Technology a few weeks ago that if the industry adheres to the clarifications provided in the frequently asked questions (FAQ) document of CERT-In's cybersecurity directions, it risks non-compliance.

The FAQ in question refers to a document released by the CERT-In in May to provide more clarity to the industry regarding the April 28 cybersecurity directions, which have added additional compliance requirements for all types of corporate bodies.

"Given that FAQs are not recognised by the law or the CERT-In as a document that can be legally recognised as a basis for compliance, industry risks non-compliance even if it adheres to the FAQ," NASSCOM said in a summary of the letter.

The industry body, representing over 3,000 companies, also stated that the FAQs have ‘created scope for undue frictions to arise in commercial relationships’.

“Even if the industry decides to rely on the FAQs, the global clients of the industry placed (sic) in a situation where they would be forced to question the industry as to the legal position of the FAQ and doubt the reliability of the compliance status,” the body said, elaborating on its reasoning.

This comes at a time when the CERT-In directives are being challenged in the Delhi High Court by SnTHostings, a Pune-based virtual private network (VPN) service provider.

The Delhi High Court issued a notice to the Union Government on September 28 while hearing the petition, which argued that the CERT-In directions were unconstitutional and violated citizens' privacy.

Since their introduction on April 28, the directions have been scrutinised by various sectors of the industry due to their requirements, which include retaining information and communications technology logs for 180 days, reporting cybersecurity incidents within 6 hours, and requiring service providers such as VPNs to maintain customer information for five years, among others.

In May, the government issued the FAQ document in an attempt to clarify requirements such as the one requiring VPNs to maintain customer information.

The government stated in the FAQ that 'enterprise/corporate VPNs' will be exempt from the CERT-In directions. NASSCOM requested more clarity in this regard in a recent representation.

In addition to the FAQ document issue, the industry body also voiced concerns about the requirement to designate a point of contact (POC) in all forms of corporate bodies for communication with the CERT-In.

“We requested that it be clarified that the POCs can be foreign nationals, so that appointments are not on location but on information security capabilities,” the body said.

It also requested more clarification on the requirement to 'validate' subscriber details, as well as the time period for collecting and storing information such as customer information, IP addresses, and so on.

Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Oct 17, 2022 10:33 am
