CERT-In extends deadline for VPN cybersecurity norms till Sept 25


The Indian Computer Emergency Response Team (CERT-In) has announced a new deadline of September 25 to comply with the new directive that makes it mandatory for VPN brands in India to collect and store extensive user data for at least five years, citing objectives like fighting cybercrime and invoking the country’s integrity and sovereignty. September 25 is the new compliance date for micro, small and medium enterprises (MSMEs). Other businesses, which don’t provide VPN or cloud services, will have to comply with the earlier deadline of June 27.

The new deadline comes after VPN providers, including ExpressVPN, NordVPN, and SurfShark, earlier this month decided to remove their servers in India. SurfShark said it operates a “no logs” policy, “So such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible,” said the company a blog post.

Rajeev Chandrashekhar, Minister of State for Electronics and Information and Technology, last month told VPN companies they are free to leave India. “If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.


Please enter your comment!
Please enter your name here