On an inkling that the Ministry of Electronics and Information Technology (MeitY) may give small and medium enterprises (SMEs) some support in complying with the new cybersecurity rules, SMEs have sought 300 days to comply with the new norms. The directions come into force on June 28.
The new cybersecurity directions, released on April 28 by the Indian Computer Emergency Response Team (CERT-In), bring in additional compliance requirements for all body corporates whose users are in India. These requirements have been termed cumbersome and are said to make it difficult for companies to do business in India. The requirements also led VPN providers such as ExpressVPN, Surfshark and NordVPN to pull their servers from the country.
In a meeting held on June 10, it was pointed out to the ministry that SMEs will face additional burden in complying with the directions, and the ministry had said that it will consider ‘support’ to such companies. At the meeting, the ministry had also asked for suggestions for a reasonable time frame for SMEs to comply with CERT-In’s directions.
Based on these instructions, Rootconf, a community on cloud, infrastructure, security and site reliability, held a meeting with SME representatives on June 14. “SME representatives said that 300 days from 28 June 2022 is a reasonable time frame for complying with CERT-In’s directions,” the submission made by Rootconf on behalf of the SMEs, said.
The following are the submissions made by the SMEs to the Ministry.
In the submission reviewed by Moneycontrol, SMEs said that they would want more clarity on logging data, such as the exact data logging requirements and the number of days for which data is to be stored. SMEs reasoned that logging costs increase exponentially with time, as retention requires hiring external services.
It also asked MeitY to create a “Good Samaritan” framework for individuals who report incidents. The SMEs also want to do away with the requirement of reporting cybersecurity incidents for every targeted scan.
“This will help cull the costs of compliance, as targeted scans happen very frequently. More specifically, reporting on DDoS attacks should be required even if systems are not impacted, whereas DoS attacks should be reported only if systems are impacted,” the submission read.
Additionally, SMEs also want ‘parity in compliance requests for both foreign and Indian companies’.
“Typically the ask for data from Indian companies is much higher than when dealing with foreign companies,” it read.
The SMEs requested MeitY to organise more training and capacity building for law enforcement officers. “Build knowledge around data access and sharing that are stipulated in the current sharing regulations. For example, intermediary rules need to be better clarified so that Service Providers are not under direct investigation for abuse of their platform by third party users,” it read.
Companies also requested the introduction of a certification-like approach to compliance. This, they said, would help organisations implement the requirements in a more structured manner.
For customer validation, SMEs have sought Aadhaar-based customer validation via services such as digio.in and bureau.id, which do not collect a copy of the Aadhaar but use it for name and address verification, or Aadhaar signatures through separate One-Time Passwords (OTPs).
Apart from that, they also requested vetting of third-party identity validation providers outside of India to facilitate identity and address validation of foreign companies and nationals.