The Indian Computer Emergency Response Team now says it plans to give firms an additional three months to comply with the rules - or pull out of the country altogether.
The move comes following strong pushback, not only from the VPN providers and cloud service operators themselves, but also from cybersecurity experts and privacy advocates.to CERT-IN and the Ministry of Electronics and IT yesterday, more than 20 people called for the introduction of the requirement to be delayed.
"We are deeply concerned by the Directions issued by CERT-In on April 28, 2022, and urge you to please defer their implementation, and initiate a process of in-depth public consultation aimed at modifying the Directions with inputs from all stakeholders and experts," they write. "It is crucial that CERT-In and MeitY ensure that the regulations advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response — which is also the specific, limited rulemaking power given to CERT-In by the Indian Parliament in this section of the Information Technology Act."
The rules require providers to collect and store names, email addresses and phone numbers, along with the customer's IP address. They will also have to record the period of hire - using the timestamp used at registration - the customer's reason for using the service, and their 'ownership pattern.