MeitY unlikely to relent on six-hour rule of Cert-In despite pushback from industry

New Delhi: The Ministry of Electronics and Information Technology (MeitY) is unlikely to relent on the six-hour cybersecurity incident reporting norm but will provide some relaxation to small companies on the June 28 deadline for following Indian Computer Emergency Response Team’s April 28 guidelines on cybersecurity, sources told ET.

The decision of the ministry was conveyed to the industry as well as other stakeholders on Friday at a roundtable meeting chaired by Minister of State for Information Technology Rajeev Chandrasekhar.

“The six-hour reporting rule stays and that is definite. There would be no relaxation on the June 28 deadline as far as the bigger companies are concerned. The ministry, however, said that for smaller companies, it would give some relaxation on a case-to-case basis after examining their application,” an industry executive who attended the meeting said.

The meeting on Friday, which lasted for around 3 hours, saw about 25 executives from virtual private network (VPN) service providers, technology companies, policy groups and other experts present to discuss Cert In’s latest guidelines on cybersecurity.

The ministry would also provide an application interface of sorts where companies can report the cybersecurity incidents that occur within their networks instead of mailing it to Cert In, sources said.

“By and large, most companies have said that they will adhere to the guidelines. It is just a matter of some administrative chinks that remain to be ironed out. We are working on more directives and FAQs (frequently asked questions) to make our guidelines clearer,” a senior government official said.

The government has also assured stakeholders that it would meet the industry again within 90 days to assess the situation and review the progress regarding the directives, sources said.

The Friday meeting comes just days after two VPN companies, Surfshark and ExpressVPN, decided to stop their services in India after the government asked them to store the logs of clients, along with details such as name, address and the purpose for which the VPN service was used.

Despite the pushback from the industry and the two VPN companies logging out of India, the government has remained firm on its stance. Chandrasekhar had while releasing a set of frequently asked questions on the new guidelines, said that companies which did not wish to adhere to the Cert In guidelines were free to leave India.

Stay on top of technology and startup news that matters. Subscribe to our daily newsletter for the latest and must-read tech news, delivered straight to your inbox.