India: Entry into force with grace period of CERT-In's Information Security Practices Directive including data localisation requirement

On 27 June 2022, the directive by the Indian Computer Emergency Response Team (CERT-In) "relating to information security practices, procedure, prevention, response and reporting of cyber incidents" enters into force. The directive introduces obligations regarding the notification and mitigation of data breaches, data storage and user identification. Regarding data storage, all providers must store logs of their ICT securely for a rolling period of 180 days within India, which should be disclosed in case of a cyber incident. In addition, providers of data centres, Virtual Private Servers (VPS) providers, Virtual Private Networks (VPN) as well as cloud services must store information on customers for 5 years, including their name, IP address, and e-mail address. Similarly, virtual asset exchange providers and custodian wallet providers must store Know-Your-Customer information and records of financial transactions for five years.