This will apply to micro, small, and medium enterprises (MSMEs) as well as small and medium enterprises (SMEs), Minister of State for Electronics and IT Rajeev Chandrasekhar told ET.
“We are very clear. We will not make SMEs or MSMEs bear the burden of this additional compliance until they are ready,” Chandrasekhar said.
The Indian Computer Emergency Response Team (Cert-In)’s April 28 guidelines required all companies, intermediaries, data centres and government organisations to report any data breach to the government within six hours of becoming aware of it.
The guidelines had also mandated Virtual Private Network (VPN) service providers to maintain all the information they had gathered as part of know-your-customer (KYC) rules and hand it over to the government as and when required.
The directive has led to several VPN providers exiting India.
On May 18, during a press conference to explain the FAQs on the Cert-In guidelines, Chandrasekhar said VPN service providers that did not want to adhere to the guidelines were “free to leave India”.
The government is, however, more flexible about the needs of SMEs in adhering to the new directive. This is the second extension of the compliance deadline for SMEs and MSMEs by the ministry.
In June, the ministry decided to provide a breather of 90 days, or until September 25, to all companies after it received representations from SMEs, MSMEs, data centres, VPS, VPN, and cloud service providers that they needed more time to “build capacity”.
Sources in the IT ministry said that though larger companies and VPN providers have complied with the directive, some SMEs and MSMEs have cited a lack of “adequate human resources” to comply with the cybersecurity norms.
“One problem that we have been made aware of several times is that there is a lack of cost-effective human resources in the country,” a senior government official said. “Some of the other requirements, such as maintaining data for three years, are also adding to their operational cost. While it is difficult to relax these norms, we have given additional time and will meet them to figure out a solution.”
On May 18, the IT ministry came out with a set of FAQs on the Cert-In guidelines, in which it clarified certain aspects of how the six-hour norm would work, along with the details that the VPN service providers would have to keep for five years.