The Ministry of Electronics and Information Technology is mulling over possible ‘considerations’ and ‘support’ that can be extended toward micro, small and medium enterprises (MSMEs) and startups to comply with the April 29 directions of the Indian Computer Emergency Response Team (CERT-In).
According to sources, this and other issues pertaining to the CERT-In directions were discussed during a meeting Minister of State in MeitY Rajeev Chandrasekhar held with representatives of industry bodies on Friday.
The CERT-In directions bring in additional compliance requirements for all body corporate that cater to Indian citizens. Some of the provisions, such as reporting cybersecurity incidents within 6 hours, logging requirements, and preserving logs, have raised concerns among major companies across the world.
Met industry leaders n stakeholders who had doubts abt the recently issued #Cybersecurity directions & explained thm abt #Govt's approach twrds an Open, Safe & Trusted and Accountable #internet
Encouraged thm to partner with Govt to create Safe Internet #DigitalIndia #OSTA pic.twitter.com/jTat60Vi7G
— Rajeev Chandrasekhar (@Rajeev_GoI) June 10, 2022
In fact, citing the logging requirement of the directions, Canada-based VPN Surfshark and British Islands-based ExpressVPN have pulled their servers from India. As per the logging requirements, service providers have to store information such as customer names and IP addresses for a period of time.
In the meeting, which was reportedly held in response to representations made by several trade bodies and tech policy groups on the directions, it was pointed out that MSMEs and startups may not have the required infrastructure for many of the requirements of the CERT-In directions, including reporting of cybersecurity incidents.
"The rules cannot be the same for MSMEs and established businesses. The minister said that they can look into certain considerations for MSMEs and startups, which will be evaluated," Kanishk Gaur, founder of India Future Foundation, told Moneycontrol. Gaur was one of the attendees at the meeting.
In terms of leeway, the creation of a portal that would automate the cybersecurity reporting mechanism for MSMEs or startups was also discussed. "The aim is to simplify the reporting mechanism for MSMEs and startups," Gaur said.
During the meeting, clarifications were also provided to industry members on how to classify a cybersecurity incident and when to report it. The minister reportedly clarified that once one classifies any incident as a cybersecurity incident, the reporting has to be done.
Apart from that, the ministry plans to take up awareness campaigns regarding the CERT-In directions, and in the following days, sources said, it plans to reach out to Chief Information Officers and Chief Technical Officers of companies in this regard.
Ever since the directions were brought in by CERT-In on April 29, they have received criticism from civil society bodies, trade and industry bodies representing big corporations, and so on. Recently, 11 trade bodies wrote to CERT-In requesting that the implementation of the directions be delayed from June 27. The Software Alliance, a trade body representing Microsoft, AWS and others, also wrote to MeitY requesting the same.