
Introduction
Audience: users, agencies, and SaaS founders operating in or serving India.
In April 2022, CERT-In (under MeitY) issued nationwide Cyber Security Directions requiring certain entities, including VPN service providers, to log and retain specific customer and usage data for 5 years and to report specified cyber incidents within 6 hours. These Directions are mandatory under the IT Act and remain in force (check the latest advisories before policy decisions). (Source: CERT-In)
Who is Covered?
- Service providers, intermediaries, data centres, body corporates operating in India.
- VPN service providers that provide proxy-like services to the general public.
- Not typically covered: Enterprise/corporate VPNs used internally by organizations (as clarified in CERT-In's FAQ). (Source: CERT-In)
What Must VPN Providers Record? (Illustrative, not exhaustive)
- Subscriber information (e.g., name, address, contact).
- Usage metadata (assigned IPs, timestamps, purpose).
- Retention: Minimum 5 years even after service discontinuation.
- Incident reporting: Report specified cyber incidents to CERT-In within 6 hours.
Review the official Directions/FAQs for the definitive list and definitions. (Source: CERT-In)
What This Means for Users & Businesses
- Some global VPNs withdrew physical India servers or offer virtual India locations to navigate compliance requirements; verify current policies before relying on any provider.
- If you operate a consumer VPN service in India, consult counsel and align logging, KYC (where applicable), time sync (NTP), and incident reporting workflows per the Directions. (Background reading: compliance explainers, InfoSec Brigade.)
Practical Compliance Tips (Agency Perspective)
- Update privacy policies and data retention statements for India users.
- Maintain NTP-synchronized logs, secure storage, and audit trails.
- Create an incident response runbook for the 6-hour reporting window.
- Train support teams on lawful requests handling and escalation paths.