After tabling a meeting with representatives from technology companies, VPN companies, policy groups and experts to discuss the CERT-In guidelines, MeitY has said that it would go forward with the six-hour cybersecurity incident reporting mandate
The Ministry of Electronics and Information Technology (MeitY) has decided to go forward with the cybersecurity incident reporting norm. The directive which will be enforced from June 27 and will require companies to report cybersecurity incidents within six hours of them happening.
After tabling a meeting with representatives from VPN companies, technology companies, policy groups and experts to discuss the CERT-In guidelines, MeitY has said that it would go forward with the six-hour cybersecurity incident reporting mandate. But the Ministry will be making an exception for some smaller companies and extend its deadline of June 27.
The meeting was called after two major VPN companies decided to shut their servers in India, citing unreasonable directives around data storage which potentially impinges on user privacy.
Many VPN providers were hoping for a better outcome from the meeting. Providers such as NordVPN had also criticised the move from the Indian government, prior to ExpressVPN and Surshark shutting their Indian servers.
Now, companies across the country have no choice but to set up systems to comply with the government directive that will go online on June 27.
The government might also introduce a portal where the cybersecurity incidents will have to be reported.