A CERT-In Dominance: Analysing the MeitY’s New Cybersecurity Directions

While India has been awaiting changes to its data protection laws for a few years now, the Ministry of Electronics and Information Technology (MeitY) on April 28, 2022 issued Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.” (CERT-In Directions) under the Information Technology Act, 2000 (IT Act). The CERT-In Directions which will come into effect sixty days from date of issue, set out extensive compliances and reporting requirements for virtually all body corporates in India. While the proposed Data Protection Authority under the Data Protection Bill (DP Bill) is yet to be introduced, the Directions give extensive powers to the Indian Computer Emergency Response Team (CERT-In), making it the primary statutory authority for cyber-laws in India at the moment.

Under the new CERT-In Directions, all service providers, intermediaries, data centres, body corporate and Government organisations are required to mandatorily report specified cyber incidents within 6 hours of noticing such incidents or such incident being brought to their notice. While the existing regulations under the IT Act mandate that cyber incidents be reported “as early as possible”, changing this to 6 hours is likely to be challenging, specifically to assemble an emergency response team and to identify and collect the relevant information for initial reporting.

Article authored by Rupinder Malik and Sriram SL. Please use the below links to read the full article: