India to delay strict new VPN rules by three months


India will give cloud service operators and VPN providers an additional three months to comply with new rules requiring that they maintain records of their customers’ addresses and IP addresses.

The decision brings relief to firms, many of which are scrambling to follow the new guidelines while some explore the option of leaving India.

The Indian Computer Emergency Response Team (CERT), the body appointed by the government to protect India’s information infrastructure, said it was extending the enforcement of the new rules to September 25. The rules, unveiled in late April, were set to go into effect on Monday.

CERT announced it was extending the deadline because industry players had sought “additional time”.

Its announcement follows sharp criticism from VPN providers, including ExpressVPN and NordVPN, who announced their intentions to remove local servers in the South Asian nation.

Almost two dozen cybersecurity experts and technologists from India and worldwide sent a joint letter to the Ministry of Electronics and IT and CERT on Monday, calling for the dangerous CERT-In cybersecurity directions not to be implemented.

CERT’s new directions require “virtual private server (VPS) providers, VPN service providers, cloud service providers, virtual asset providers, virtual asset exchange providers, custodian wallet providers, and government organizations” to store customers’ names, IP addresses, email addresses, know-your-customer records and financial transactions for a period of five years.