It covered aspects related to the timeframe for reporting cyber security incidents, maintenance of KYC and transaction information for crypto exchanges and wallets, maintenance of customer details by data centres, cloud services and VPN providers, and maintenance of logs in Indian jurisdiction.
The directions in the circular dated April 28, will become effective in 60 days. The new directions are applicable to service providers, intermediaries such as social media platforms, corporate bodies, data centres and other organisations.
CERT-In is the government-appointed nodal agency tasked with performing cybersecurity-related functions and has issued these directions under section 70B of the Information Technology Act, 2000.
CERT said crypto exchanges and wallets must maintain know your customer (KYC) details and records of financial transactions for five years. All entities must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days.
In its new directions, CERT wants all entities to mandatorily report cyber incidents to it within 6 hours of noticing such incidents or being brought to notice about such incidents. The current rules have no time frame to report the incidents.
Along with it, service providers must maintain information on customers for five years, including valid names, IPs, emails, services, contact details and more.
Market experts said this directive would have multiple implications. The KYC requirement is broad and might impact the operations of cloud service providers, they add.
This request from the government of India is extraordinary when it comes to the preservation of data for a long five years, Anshul Dhir COO and Co-founder EasyFi Network. It shows the government is focussing on preserving users’ privacy.
“The exchanges will have to alter their business models if they want to comply with the new rules,” he added. “However, how the people will react to it, is going to be very sketchy.”
In addition, compromising VPN would also impact Indian businesses which use this technology. The sector is already looking at huge growth and this might be detrimental to the ongoing trajectory.
The customer information sought under this requirement is sensitive and could deter consumers from availing the cloud services, said Kazim Rizvi, Founding Director, The Dialogue, a blockchain think tank.
“As India’s cloud market is growing and we are looking at India to be a global hub of cloud computing, it is imperative that we refrain from placing additional burdens, while at the same time might affect the growth of cloud in India,” he added.