In a statement the India’s cybersecurity watchdog said, New Delhi will not dilute upcoming cybersecurity rules that require social media, technology companies and cloud service providers to report data breaches swiftly, despite growing industry concerns.
The Indian Computer Emergency Response Team has issued a directive in April asking tech companies to report data breaches within six hours of “noticing such incidents” and to maintain IT and communications logs for six months.
CERT has also mandated cloud service providers, including Amazon and virtual private network (VPN) companies to retain names of their customers and IP addresses for at least five years, even after they stop using the company’s services.
CERT’s directives have raised concerns of a growing compliance and other costs.
In a statement India’s junior IT minister Rajeev Chandrasekhar said, there will be no changes despite the industry worries; tech companies have an obligation to know who is using their services.
In recent years, New Delhi has tightened regulation of Big Tech companies, which have strained trade ties between New Delhi and Washington, despite the latter’s own concern on big tech.
According to CERT, while new rules were required for cybersecurity incidents, the requisite information needed to investigate them should also be readily available from service providers.
The rules come into effect from the July 1, 2022.
NordVPN, one of the world’s largest VPN providers, has said it will remove its servers from India.
“If you don’t want to go by these rules, and if you want to pull out, then frankly … you have to pull out,” said Chandrasekhar.