India’s New cybersecurity rules have been criticized by the international community


According to the groups, the new rules are unreasonable, burdensome and unable to increase India’s cybersecurity. Moreover, the rules can damage the country’s economy. According to the rules, operators of data centers, cloud services and VPNs are required to register and store for 5 years the names of customers, dates of use of services and IP addresses of users. Also, companies must report more than 20 types of cyber incidents within 6 hours after detection. Incidents also include “malicious/suspicious actions”, but the line between them is not specified.

In addition to the Indian media, 11 instances expressed their objections to the new rules to the Indian Computer Emergency Response Center (CERT-In), including:

  • Information Technology Industry Council (ITI);
  • United States Chamber of Commerce (USCC);
  • British Technology Industry Trade Association (techUK);
  • Business Council of the USA and India (US-India Business Council, USIBC);

The groups’ objections include the following arguments:

  • The 6-hour report is unreasonable and not required by other countries;
  • Storing customer data poses a security risk;
  • Some of the required data is confidential;
  • The rules require data storage in the jurisdiction of India, but
    offshore storage is acceptable in the FAQ, if it does not interfere with Indian investigators. Inconsistency of the rules leads to confusion.

According to the letter, the rules will make it difficult to do business in India, put the country in conflict with allies and lead to high consumer spending. Also, Indian Minister of Skills Development and Entrepreneurship, Electronics and IT Technologies Rajiv Chandrasekhar said that VPN providers who do not like the rules can leave the country.

Start a discussion …