Govt may extend deadline for Cert-In cyber rules by 3 months to help MSMEs

According to Cert-In's guidelines, all enterprises, intermediaries, data centres and govt organisation are required to report any data breach to the government within six hours of becoming aware of it

The government of India is likely to extend the deadline for complying the Indian Computer Emergency Response Team (Cert-In) for the micro, small, and medium enterprises (MSMEs) as well as small and medium enterprises (SMEs) by three months, reported The Economic Times.

Minister of State for Electronics and IT Rajeev Chandrasekhar said to ET, “We are very clear. We will not make SMEs or MSMEs bear the burden of this additional compliance until they are ready.”

According to Cert-In’s guidelines dated April 28, all enterprises, intermediaries, data centres and government organisation are required to report any data breach to the government within six hours of becoming aware of it. 

Cert-In, in its guidelines, has also made it compulsory for the Virtual Private Network (VPN) service providers to maintain and hand it over to the government all the information they had collected as part of the KYC (know-your-customer) rules, as and when required. This directive has led to the exit of several VPN providers from India.

Earlier this year, the Minister of State for Electronics and IT said in a press conference that VPN service providers who are not willing to comply with the guidelines were free to leave. 

The ministry is, however, more flexible to the needs of the SMEs and has extended the compliance deadline for the second time.

According to sources in the IT ministry, while larger companies and VPN providers have complied with the directive, some SMEs and MSMEs are facing problems. A senior government official said that the ministry has been informed several times about the lack of cost-effective human resource in the country along with other requirements such maintaining data for three years which is also adding to their operational cost.