IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

India’s new cyber rules risk driving away tech companies

A tech industry body has flagged that the rules could create create an “environment of fear”

Indian cyber security rules which will start being operational later this month have been criticised by a technology industry body.

The Internet and Mobile Association of India (IAMAI), which represents organisations including Google and Facebook, warned that the new rules will create an environment of fear rather than trust. It called for a one-year delay before the rules take effect, in a letter sent to India’s IT ministry seen by Reuters.

The new rules were set by the Indian Computer Emergency Response Team (CERT) in April and require tech companies to report data breaches within six hours of noticing the incident and maintain IT and communications logs for six months.

IAMAI proposed extending the six-hour window, highlighting that the global standard for reporting cyber security incidents is usually 72 hours.

CERT has also asked cloud service providers, like AWS, and virtual private network companies to retain the names of their customers and IP addresses for at least five years, even if they stop using the company’s services.

IAMAI said that the cost of complying with these directives could be massive, and the proposed penalties for violating them include prison, which would lead to entities ceasing operations in India for fear of running afoul.

Related Resource

How governments can build resilience in a new normal

The cloud enables the flexibility public organisations need to overcome disruption

Black whitepaper cover with titleFree Download

The government has said that the new rules are needed as cyber security incidents were reported regularly but the information needed to investigate them was not always readily available from service providers.

The new rules led to ExpressVPN removing its servers from India last Thursday. Users in the country will still be able to connect to VPN servers, but its virtual India servers will be physically located in Singapore and the UK.

The company said CERT’s new data law is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.  “ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom,” the company said in a press release.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Google announces new cloud regions in Asia Pacific
cloud computing

Google announces new cloud regions in Asia Pacific

10 Aug 2022
South Korean public sector organisations targeted by Gwisin ransomware
ransomware

South Korean public sector organisations targeted by Gwisin ransomware

8 Aug 2022
APAC region to lose 63 million jobs to automation by 2040
automation

APAC region to lose 63 million jobs to automation by 2040

8 Aug 2022
Cyber attacks rain on Taiwan during Pelosi visit
cyber warfare

Cyber attacks rain on Taiwan during Pelosi visit

5 Aug 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022