Issue Brief on “India’s New Cybersecurity Directive: To Be or Not To Be?”


As the extended deadline of September 25, 2022, for the implementation of India`s New Cybersecurity Directive by the CERT-In is approaching, the panic in the Indian ICT landscape has started to mount. The Indian tech industry has termed this new directive as a threat to the Digital India Vision and showed immense resistance. However, the government of India has reaffirmed its commitment to the new directive. What is CERT-In? What this new cybersecurity directive is all about? Whether the government of India would enforce this directive or pull it back due to massive resistance and fallout?

What is CERT-In?

The “Indian Computer Emergency Response Team (CERT-In) was appointed by the Central Government as a key cybersecurity agency under section 70B of the Information Technology (IT) Act, 2000.[1] Under sub-section (4) of section 70B,[2] the CERT-In is in charge of the collection, analysis and dissemination of information related to cybersecurity incidents. In addition to issuing alerts and forecasts, the CERT-In is responsible for the coordination and taking of emergency measures to handle cybersecurity incidents. It can also issue “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Under sub-section (6) of section 70B,[3] the CERT-In is authorised to demand information and give directions to the service providers, intermediaries, data centres, body corporate and any other person to carry out its functions.

Read More