India: Postponed implementation for MSMEs of CERT-In's Information Security Practices Directive including data localisation requirement

On 27 June 2022, the Ministry of Electronics and Information Technology announced that the implementation of the Indian Computer Emergency Response Team (CERT-In) "relating to information security practices, procedure, prevention, response and reporting of cyber incidents" would be postponed for Micro, Small & Medium Enterprises (MSMEs), until 25 September 2022. The directive introduces obligations regarding the notification and mitigation of data breaches, data storage and user identification. Regarding data storage, all providers must store logs of their ICT securely for a rolling period of 180 days within India, which should be disclosed in case of a cyber incident. In addition, providers of data centres, Virtual Private Servers (VPS) providers, Virtual Private Networks (VPN) as well as cloud services must store information on customers for 5 years, including their name, IP address, and e-mail address. Similarly, virtual asset exchange providers and custodian wallet providers must store Know-Your-Customer information and records of financial transactions for five years.