Digital Policy Alert logo

India: Postponed implementation for MSMEs of CERT-In's Information Security Practices Directive including cybersecurity measures

Policy overview

Description

Postponed implementation for MSMEs of CERT-In's Information Security Practices Directive including cybersecurity measures

On 27 June 2022, the Ministry of Electronics and Information Technology announced that the implementation of the Indian Computer Emergency Response Team (CERT-In) "relating to information security practices, procedure, prevention, response and reporting of cyber incidents" would be postponed for Micro, Small & Medium Enterprises (MSMEs), until 25 September 2022. The directive introduces obligations regarding the notification and mitigation of data breaches, data storage and user identification. Regarding data breaches, all service providers, intermediaries and data centres must report cyber incidents within 6 hours of noticing or being notified of a breach, and must implement protective and preventive actions mandated by CERT-In.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
central government

Complete timeline of this policy change

Hide details
2022-04-28
adopted

On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued a directive introduc…

2022-06-27
in grace period

On 27 June 2022, the directive by the Indian Computer Emergency Response Team (CERT-In) "relating t…

2022-06-27
adopted

On 27 June 2022, the Ministry of Electronics and Information Technology announced that the implemen…

2022-09-25
in force

On 25 September 2022, the Indian Computer Emergency Response Team (CERT-In) "relating to informatio…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
data (any form): storage (any form)
Regulatory tool
Common standard adherence
Data storage/retention obligation
Definition of oversight agency jurisdiction
Detective security requirement
Recordkeeping requirement
Regulator cooperation requirements
Regulator notification requirement
Responsive security requirement
Sanctions
Regulated subjects
1
data (any form): data collection
Regulatory tool
Common standard adherence
Data storage/retention obligation
Definition of oversight agency jurisdiction
Detective security requirement
Recordkeeping requirement
Regulator cooperation requirements
Regulator notification requirement
Responsive security requirement
Sanctions
Regulated subjects
1
cloud infrastructure: operate
Regulatory tool
Common standard adherence
Data storage/retention obligation
Definition of oversight agency jurisdiction
Detective security requirement
Recordkeeping requirement
Regulator cooperation requirements
Regulator notification requirement
Responsive security requirement
Sanctions
Regulated subjects
1
financial and related services: operate
Regulatory tool
Common standard adherence
Data storage/retention obligation
Definition of oversight agency jurisdiction
Detective security requirement
Recordkeeping requirement
Regulator cooperation requirements
Regulator notification requirement
Responsive security requirement
Sanctions
Regulated subjects
1

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

data (any form): storage (any form)

data (any form): data collection

cloud infrastructure: operate

financial and related services: operate