Virtual private network service providers that are not ready to comply with the new guidelines have the only option to exit from India, Minister of State for electronics and IT Rajeev Chandrasekhar. ‘There is no opportunity for somebody to say we will not follow the rules and laws of India. If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use its VPN and you don’t want to go by these rules, if you want to pull out, then frankly you have no other opportunity but to pull out,’ he said.

The ministry of electronics and IT has mandated cloud service providers, VPN (Virtual Private Network) firms, data centre companies and virtual private server providers to store users’ data for at least five years. Some of the VPN companies have claimed that the new rule may lead to cyber security loopholes in the system — an argument which was rejected by the minister. Chandrasekhar said that the government is also not going to make any change in the rules on mandating entities to report cyber breach in their system within six hours of learning about it.

The criminality and the cyber incidence, nature, type, shape, form of it are very complex. They have very sinister elements behind it. There are many state actors that are using vulnerability. Those who commit these breaches can move on very quickly. Immediate reporting is fundamental to investigating, forensic analysis, situational awareness of the nature of the incident, he said.