Despite rising business worries, India’s government said on Wednesday that it will not amend future cybersecurity guidelines that require social media, technology companies, and cloud service providers to report data breaches quickly.


In April, the Indian Computer Emergency Response Team issued a rule requiring IT firms to disclose data breaches within six hours of “noticing such incidences” and to keep IT and communications records for six months.

They also required cloud service providers like Amazon and virtual private network (VPN) providers to keep client identities and IP addresses for at least five years after they cease using their services.

Industry concerns have been voiced regarding a greater compliance burden and higher expenses as a result of the initiatives.

Despite the concerns, India’s junior IT minister Rajeev Chandrasekhar claimed there will be no adjustments, claiming that IT firms have a responsibility to know who is using their services.

In recent years, India has increased regulation of Big Tech businesses, causing industry backlash and, in certain circumstances, damaging trade ties with New Delhi and Washington.

The new laws, according to New Delhi, are necessary because cybersecurity breaches are often reported, but the information needed to investigate them is not always easily available from service providers.

However, the rules have created significant dissatisfaction. According to a source with firsthand knowledge of the meeting, various social media and internet firm leaders discussed methods to persuade New Delhi to postpone the restrictions.

According to the source, European regulators require data breaches to be notified within 72 hours, but that reporting occurrences in six hours is challenging.

According to Chandrasekhar, India is being generous because certain nations want prompt reporting.

The rules will go into effect at the end of June. NordVPN, one of the world’s major VPN companies, indicated it may remove its servers from India after they were disclosed.

The laws, according to privacy advocates, contravene the purpose of VPN, which is to protect the identities of persons such as whistleblowers from monitoring.

“If you don’t want to follow these criteria and want to withdraw, then plainly… you have to withdraw,” Chandrasekhar told reporters.