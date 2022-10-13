Ease of Doing Business for MSMEs: The union government may extend the deadline to comply with its cyber security directives by three months making it applicable for micro, small, and medium enterprises (MSMEs) as well as small and medium enterprises (SMEs), Minister of State for Electronics and Information Technology Rajeev Chandrasekhar told Economic Times (ET).

“We are very clear. We will not make SMEs or MSMEs bear the burden of this additional compliance until they are ready,” the minister said.

The guidelines released by the Indian Computer Emergency Response Team (Cert-In) on April 28 guidelines required all companies, intermediaries, data centres and government organisations to report any data breach to the government within six hours of becoming aware of it.

It had also mandated Virtual Private Network (VPN) service providers to maintain all the information they had gathered as part of know-your-customer (KYC) rules and provide it to the government as and when required. However, the directive has led to several VPN providers exiting India.

Earlier on May 18, in a press conference to explain the FAQs on the Cert-In guidelines, Chandrasekhar said VPN service providers that did not want to adhere to the guidelines were “free to leave India”.

As a relief to the SMEs, the government is more flexible for these units as far as adherence to new directive is concerned, reported Economic Times. This is the second time MSMEs are getting extension in the compliance deadline by the ministry.

The ministry in the month of June allowed a breather of 90 days, or until September 25, to all companies after it received representations from SMEs, MSMEs, data centres, VPS, VPN, and cloud service providers that they required more time to “build capacity”.

Sources in the IT ministry informed that though larger companies and VPN providers have complied with the directive, some MSMEs have cited a lack of “adequate human resources” to comply with the cybersecurity norms, the report said.

“One problem that we have been made aware of several times is that there is a lack of cost-effective human resources in the country,” a senior government official said.

The official mentioned, “Some of the other requirements, such as maintaining data for three years, are also adding to their operational cost. While it is difficult to relax these norms, we have given additional time and will meet them to figure out a solution.”

The IT ministry came out with some FAQs on the Cert-In guidelines on May 18, during which it made clear that particular aspects of how the six-hour norm would work, along with the details that the VPN service providers would have to keep for five years.