With many virtual private server (VPS) providers deciding to shut their servers in India, and enterprises requesting more time to understand the new cyber security directions, the Indian Computer Emergency Response Team (CERT-In) on Tuesday extended till September 25 the deadline to build capacity required for the new norms.

The earlier deadline was June 27 (Monday). The CERT-In’s norm requires all VPN service providers to store user data for five years. VPN service providers such as ExpressVPN, Surfshark and Panama-based NordVPN had announced that they would remove their servers from India.

CERT-In had, on April 28, issued directions relating to information security practices under the Information Technology Act, to promote an open, safe, trusted and accountable Internet in the country.

“The Ministry of Electronics and IT (MeitY) and CERT-In are in receipt of requests for the extension of timelines for implementation of these Cyber Security Directions in respect of micro, small and medium enterprises (MSMEs). Further, additional time has been sought for implementation of the mechanism for validation of subscribers/ customers by data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers,” MeitY said in a statement.

CERT-In serves as the national agency for cyber security in the country. It analyses cyber threats and handles cyber incidents tracked and reported to it.

In response to general queries received by CERT-In, a document with a set of frequently asked questions (FAQs) was also released by Rajeev Chandrasekhar, Minister of State for Electronics & Information Technology & Skill Development and Entrepreneurship on May 18, to enable better understanding of stakeholders as well as to promote an open, safe and trusted and accountable Internet in the country.

“The matter has been considered by CERT-In and it has been decided to provide extension till September 25 to MSMEs, in order to enable them to build capacity required for the implementation of the cyber security directions. In addition, data centres, VPS providers, cloud service providers and VPN Service providers are also provided with additional time till September 25, for implementation of mechanisms relating to validation of subscribers/ customers details,” it added.