The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology, has issued stringent internet monitoring regulations from which industry bodies and businesses have sought a reprieve.
The new norms, which came into effect on 28 June, include a six-hour timeline for businesses to report cybersecurity incidents, and require virtual private networks (VPNs) to store data on their users for five years, and disclose them upon demand from the authorities.
Eleven industry bodies from India and abroad, including the US Chamber of Commerce and US-India Business Council, have sent written objections to the CERT-In on the regulations, which they say make it more difficult for companies to do business in India. VPN providers including NordVPN, Surfshark and ExpressVPN have already announced their intention to withdraw servers from India.
