Moneycontrol PRO
you are here: HomeNewsBusiness

Cybersecurity directions: CERT-In extends compliance deadline for MSMEs to September 25

CERT-In also delayed till September 25 the implementation of the direction that required service providers to store names of customers, address and their contact numbers for five years or more

June 27, 2022 / 10:30 PM IST

The Indian Computer Emergency Response Team (CERT-In) has extended the deadline for micro, small and medium enterprises (MSMEs) to comply with its April 28 cybersecurity directions to September 25. For others, the directions became effective on June 27.

These directions come after a recent consultation was taken up by the Ministry of Electronics and Information Technology in relation to specific requirements of the directions and compliance. In the meeting, the ministry had said it was open to providing "support" to startups and small companies to comply with the directions.

“The extension of timelines for implementation of these Cyber Security Directions of 28th April, 2022 have been urged in respect of Micro, Small and Medium Enterprises (MSMEs) for providing reasonable time for generating capacity building required for implementation of these Directions…,” the direction issued by CERT-In on June 27 read.

Apart from this, CERT-In also delayed the implementation of the directions that required service providers to store ‘validated names of subscribers/customers hiring the services’ and “validated address and contact numbers” for a period of five years or more.

The agency directed data centres, virtual private server (VPS) providers, cloud service providers and VPN providers that this specific aspects of the direction will become effective on September 25.


The April 28 directions issued by the Indian Computer Emergency Response Team (CERT-In) require service providers to maintain logs of all information and communication technologies (ICT) system for a period of 180 days. They also have to register and maintain personal information of subscribers for five years or longer and provide this data to CERT-In if demanded in case of a cybersecurity incident.

The logging requirements have been a sore point for VPN service providers, who have claimed that the directions go against the ‘nature of VPNs’ and that it would compromise their customers’ privacy.  In protest against these directions, Express VPN, NordVPN and Surfshark have said they will remove their servers from India.

The norms have also been widely criticised in the other quarters of the industry. Lobby groups and trade bodies representing major companies such as Google, Microsoft wrote to MeitY earlier, seeking modifications and a delay in the implementation of these rules.
Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Jun 27, 2022 10:30 pm
ISO 27001 - BSI Assurance Mark