New Directions on Cyber Security Practices in India will impact Crypto-entities, VPN providers and data privacy of users

The Indian Computer Emergency Response Team (“CERT-In”) has issued key directives dated April 28, 2022 (“Directions”) under the Information Technology Act, 2000 (“IT Act”) relating to “information security practices, procedure, prevention, response and reporting of cyber incidents”, which aim to strengthen cyber security practices in India.

CERT-In is the national nodal agency (under the Ministry of Electronics and Information Technology, Government of India) in charge of analyzing, investigating and handling threats in cyber-space, including cyber incidents that are reported to it. CERT-In has noted (in the Directions) that, often, the primary information it requires to carry out its functions is unavailable or not readily available.

As a result, under the Directions, CERT-In has set out various requirements to be followed by “service providers, intermediaries, data centres, body corporate and Government organisations”, inter alia relating to: synchronization of ICT system clocks; reporting of cyber incidents within six hours of noticing (or being brought to notice of) such incidents; the requirement to take action or provide information or assistance (in the format and within the timeframe) as may be required by CERT-In; and, in relation thereto, the designation of a Point of Contact (“PoC”) to communicate with CERT-In.

Notably, CERT-In has specified the cyber incidents required to be reported to it (as well as the method and format of their reporting) under the Directions. Interestingly, these include: malicious code attacks such as the spreading of viruses/worms/trojans/bots/spyware/ransomware/cryptominers; attacks or incidents affecting digital payment systems; and attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing and drones.

CERT-In has also specified the format in which the updated information of the PoC is to be provided to it from time to time.

Importantly, the Directions are required to be followed by, and specifically set out requirements for, entities dealing in cryptocurrency and service providers such as Virtual Private Server (“VPS”) providers and Virtual Private Network (“VPN”) providers. The following specific requirements (pertaining to data storage) are to be followed under the Directions:

  • All service providers, intermediaries, data centres, body corporates and Government organisations are to enable logs of their ICT systems and to maintain them for a period of one hundred and eighty days. These logs are to be maintained within Indian jurisdiction.
  • Data centres, VPS providers, cloud service providers and VPN providers are to register and maintain certain information (including validated names of subscribers, validated addresses, contact numbers, etc.) for a period of five years (or longer); and
  • Virtual asset service providers, virtual asset exchange providers and custodian wallet providers are to maintain all information obtained as Know Your Customer (KYC) and records of financial transactions (including information relating to the identification of the relevant parties, such as IP addresses, timestamps and time zones, transaction ID and amount, public keys, addresses or accounts involved, etc.) for a period of five years.

CERT-In has broadly specified the KYC procedures to be referenced by the relevant entities under the Directions.

In view of the above, it may readily be inferred that the Directions will impact not just the relevant entities but also Indian citizens and any users or persons dealing with or availing services from such entities, particularly in terms of the privacy and security of users and the possibility of data breaches.

The Directions will come into effect within sixty days (from the date of issue), leaving a short window of time for all relevant entities to ensure they are compliant with all requirements thereunder. It is also pertinent to note that non-compliance with the Directions could lead to punitive action under the IT Act.
