India: Issued CERT-In Information Security Practices Directive including data localisation requirement

On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued a directive introducing cybersecurity obligations. The directive includes obligations regarding the notification and mitigation of data breaches, data storage and user identification. All providers must store logs of their ICT securely for a rolling period of 180 days within India, which should be disclosed in case of a cyber incident. In addition, providers of data centres, Virtual Private Servers (VPS) providers, Virtual Private Networks (VPN) as well as cloud services must store information on customers for 5 years, including their name, IP address, and e-mail address. Similarly, virtual asset exchange providers and custodian wallet providers must store Know-Your-Customer information and records of financial transactions for five years. The directive will enter into force after 60 days.