Executive Summary
The CERT-In (Indian Computer Emergency Response Team) Directions issued on April 28, 2022 impose extensive cybersecurity obligations on VPN service providers, data centers, cloud service providers, and other digital intermediaries:
- Effective date: June 27, 2022 (later extended for some provisions)
- Covered entities: VPNs, data centers, cloud providers, VPS, virtual asset exchanges
- KYC requirements: Collect and verify customer information
- Data retention: 5 years (even after contract ends)
- Incident reporting: Within 6 hours to CERT-In
- Synchronization: NTP synchronization of ICT systems
- Penalties: Under IT Act for non-compliance
- Privacy concerns: Significant controversy over user data collection
This guide examines CERT-In obligations and compliance strategies for VPN and service providers.
1. Statutory Framework

Legal Basis

| Source | Authority |
|---|---|
| IT Act Section 70B(6) | CERT-In powers to issue directions |
| Directions April 2022 | Cybersecurity measures |
| Amendment June 2022 | Clarifications on scope |

Covered Entities ("Service Providers")

| Category | Examples |
|---|---|
| VPN service providers | NordVPN, ExpressVPN, ProtonVPN |
| Virtual private server (VPS) | DigitalOcean, Linode, AWS EC2 |
| Data centers | Hosting providers, colocation facilities |
| Cloud service providers | AWS, Azure, GCP, domestic clouds |
| Virtual asset service providers | Crypto exchanges, wallets |
| Virtual asset exchange providers | WazirX, CoinDCX, Binance India |
| Custodian wallet providers | Crypto custody services |

Exemptions

| Entity | Status |
|---|---|
| Government entities | Exempt from some provisions |
| End-users | Not covered (only service providers) |
| ISPs | Subject to separate regulations |
2. KYC Requirements

Required Customer Data

| Data Point | Specification |
|---|---|
| Name | Validated against ID proof |
| Email/phone | Verified contact details |
| IP address | Allocated to/registered by customer |
| Timestamps | Registration, usage period |
| IP assignments | IP allocated/used during subscription |
| Ownership pattern | For entities, shareholders/partners/founders |
| Purpose | Reason for hiring service |
| Contact address | Validated address |

Validation Requirements

| Type of Customer | Validation Method |
|---|---|
| Individuals | Government ID (Aadhaar, PAN, Passport) |
| Organizations | Registration certificate, GST |
| Foreign entities | Passport, business registration |

Purpose of KYC

| Objective | Rationale |
|---|---|
| Law enforcement | Enable user identification |
| Cybercrime investigation | Trace perpetrators |
| National security | Monitor threats |
| Accountability | Prevent anonymous misuse |
3. Data Retention Obligations

5-Year Retention Mandate

| Data Category | Retention Period |
|---|---|
| Customer KYC | 5 years after cancellation/withdrawal |
| IP logs | 5 years after cancellation/withdrawal |
| Usage timestamps | 5 years after cancellation/withdrawal |
| Financial records | 5 years after cancellation/withdrawal |

What Must Be Retained

| Information | Details |
|---|---|
| Registration data | All KYC information |
| Connection logs | Login/logout timestamps |
| IP allocations | Which IP to which user when |
| Payment records | Transaction details |
| Service period | Start and end dates |

Storage Requirements

| Requirement | Specification |
|---|---|
| Security | Encrypted and access-controlled |
| Integrity | Tamper-proof storage |
| Availability | Readily accessible for law enforcement |
| Location | Preferably in India |
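The retention and integrity requirements above leave the storage design to the provider. The following is an added illustration, not CERT-In's prescribed format or any provider's code: a hash-chained append-only ledger for KYC and IP-allocation records, with the 5-year retention horizon computed from the cancellation date. The record layout, customer IDs and IP addresses are constructed placeholders; the assumption that "5 years" means five calendar years (with 29 February rolling to 28 February) is the author's, not the Directions'.

```python
"""Tamper-evident retention ledger for customer records (added example).

Hypothetical design, not a CERT-In-prescribed format. It shows three things
the tables above require but do not spell out: UTC-only timestamps, an
append-only store whose modification is detectable, and a per-record
retention horizon of five years after cancellation.
"""
import hashlib
import json
from datetime import date, datetime, timezone
from typing import Optional

RETENTION_YEARS = 5  # "5 years after cancellation/withdrawal"


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_until(cancelled_on: Optional[str]) -> Optional[str]:
    """ISO date before which the record must be kept; None while the contract is live."""
    if cancelled_on is None:
        return None
    return add_years(date.fromisoformat(cancelled_on), RETENTION_YEARS).isoformat()


def may_purge(cancelled_on: Optional[str], today: str) -> bool:
    """True only once the retention horizon has passed (assumed: strictly after)."""
    until = retention_until(cancelled_on)
    return until is not None and date.fromisoformat(today) > date.fromisoformat(until)


class Ledger:
    """Append-only list of entries; each entry commits to the previous hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, record: dict, recorded_at: datetime) -> str:
        if recorded_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware (UTC)")
        entry = {
            "seq": len(self.entries),
            "recorded_at": recorded_at.astimezone(timezone.utc).isoformat(),
            "record": record,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self) -> Optional[int]:
        """Index of the first broken entry, or None if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo():
    """Constructed walk-through: append three records, then tamper with one."""
    led = Ledger()
    utc = timezone.utc
    led.append({"type": "kyc", "customer": "C-0001", "name": "[placeholder]",
                "id_proof": "PAN"}, datetime(2022, 7, 1, 9, 0, tzinfo=utc))
    led.append({"type": "ip_alloc", "customer": "C-0001", "ip": "203.0.113.10",
                "from": "2022-07-01T09:05:00+00:00"},
               datetime(2022, 7, 1, 9, 5, tzinfo=utc))
    led.append({"type": "cancel", "customer": "C-0001", "on": "2024-02-29"},
               datetime(2024, 2, 29, 12, 0, tzinfo=utc))
    intact_before = led.verify() is None
    led.entries[1]["record"]["ip"] = "203.0.113.99"  # simulate an edit in place
    return intact_before, led.verify()  # -> (True, 1)
```

The chain only detects modification; it does not prevent it. In practice the head hash would be anchored somewhere the log writer cannot reach (a separate signing service or a write-once store), which is what turns "detectable" into the "tamper-proof" the table asks for.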
4. Incident Reporting to CERT-In

6-Hour Reporting Timeline

| Incident Category | Reporting Required |
|---|---|
| Cyber security incidents | Within 6 hours |
| Malware attacks | Within 6 hours |
| Unauthorized access | Within 6 hours |
| Data breaches | Within 6 hours |
| Website defacement | Within 6 hours |
| DDoS attacks | Within 6 hours |
| Ransomware | Within 6 hours |

Reportable Incidents (20+ Categories)

| Category | Examples |
|---|---|
| Targeted scanning | Port scanning, vulnerability probing |
| Compromise | System/network compromise |
| Unauthorized access | Intrusion, privilege escalation |
| Data leak | Exposure of sensitive data |
| Malicious code | Virus, worm, trojan, ransomware |
| Identity theft | Credentials compromised |
| Denial of service | DDoS, resource exhaustion |
| Phishing | Deceptive emails/websites |
| Website defacement | Unauthorized modification |
| Cryptojacking | Unauthorized mining |

Incident Report Contents

| Field | Details |
|---|---|
| Incident type | Category from 20+ types |
| Date/time | When incident occurred/detected |
| Systems affected | Infrastructure impacted |
| Indicators of compromise | IP addresses, domains, hashes |
| Actions taken | Containment, remediation |
| Impact | Users/services affected |

Reporting Portal

| Detail | Information |
|---|---|
| Portal | https://nciipc.gov.in (CERT-In portal) |
| Format | Prescribed incident report format |
| Authentication | Registered entity credentials |
5. NTP Synchronization Requirement

Clock Synchronization Mandate

| Requirement | Specification |
|---|---|
| All ICT systems | Must synchronize with NTP |
| Source | Network Time Protocol servers |
| Purpose | Accurate timestamps for forensics |
| Accuracy | Coordinated Universal Time (UTC) |

Connected System Logs

| Log Type | Requirement |
|---|---|
| System logs | Accurate timestamps |
| Connection logs | Precise time records |
| Transaction logs | Synchronized timing |
| Audit logs | Time-stamped events |
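The incident report fields in section 4 and the UTC requirement in section 5 meet in the report itself: the 6-hour window is only meaningful if every timestamp feeding it is unambiguous. The following added example (hypothetical helper, not CERT-In's prescribed report format) assembles a report from the listed fields, refuses timestamps that carry no timezone, normalises everything to UTC, and computes the deadline. It assumes the clock starts at detection time; the sample alert, host name and indicator values are constructed and use documentation address ranges.

```python
"""Incident report assembly with the 6-hour deadline (added example).

Hypothetical helper, not CERT-In's prescribed format. Field names follow
the table above; the category set is the subset listed on this page.
Assumption: the 6-hour window is counted from the detection timestamp.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Union

REPORTING_WINDOW = timedelta(hours=6)
IST = timezone(timedelta(hours=5, minutes=30))  # example local zone of a log source

REQUIRED_FIELDS = ("incident_type", "detected_at", "systems_affected",
                   "indicators", "actions_taken", "impact")

REPORTABLE_TYPES = {  # subset of the 20+ categories named on this page
    "targeted_scanning", "compromise", "unauthorized_access", "data_leak",
    "malicious_code", "identity_theft", "denial_of_service", "phishing",
    "website_defacement", "cryptojacking",
}

Timestamp = Union[str, datetime]


def to_utc(ts: Timestamp) -> datetime:
    """Normalise to UTC; a naive timestamp is ambiguous and is refused."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None:
        raise ValueError("naive timestamp: source clock carries no zone")
    return ts.astimezone(timezone.utc)


def validate(draft: Dict) -> List[str]:
    """Problems found in a draft; an empty list means it is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not draft.get(f)]
    if draft.get("incident_type") not in REPORTABLE_TYPES:
        problems.append("incident_type not in reportable categories")
    return problems


def deadline(detected_at: Timestamp) -> datetime:
    """Latest UTC instant at which the report must be filed."""
    return to_utc(detected_at) + REPORTING_WINDOW


def hours_remaining(detected_at: Timestamp, now: Timestamp) -> float:
    """Hours left in the window; negative once it has lapsed."""
    return (deadline(detected_at) - to_utc(now)) / timedelta(hours=1)


def build_report(draft: Dict) -> Dict:
    """Validate the draft, stamp UTC times and the deadline, or raise."""
    problems = validate(draft)
    if problems:
        raise ValueError("; ".join(problems))
    report = dict(draft)
    report["detected_at"] = to_utc(draft["detected_at"]).isoformat()
    if draft.get("occurred_at"):
        report["occurred_at"] = to_utc(draft["occurred_at"]).isoformat()
    report["report_by"] = deadline(draft["detected_at"]).isoformat()
    return report


# Constructed sample: a SIEM alert stamped in IST by an NTP-synchronised host.
SAMPLE_DRAFT = {
    "incident_type": "unauthorized_access",
    "occurred_at": datetime(2024, 3, 10, 2, 15, tzinfo=IST),
    "detected_at": datetime(2024, 3, 10, 9, 30, tzinfo=IST),
    "systems_affected": ["vpn-gw-01 (placeholder host)"],
    "indicators": ["198.51.100.7", "example.invalid"],  # documentation values only
    "actions_taken": ["session terminated", "credentials rotated"],
    "impact": "one administrative account",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_DRAFT), indent=2, default=str))
```

Rejecting naive timestamps is the practical teeth of the NTP clause: a host that is synchronised but logs in local time without a zone still produces evidence that cannot be ordered against other systems, and a report whose detection time is off by the 5:30 IST offset can silently miss the window.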
6. Impact on VPN Services

Business Model Challenges

| VPN Promise | CERT-In Requirement | Conflict |
|---|---|---|
| No-logs policy | Maintain logs for 5 years | Direct conflict |
| Anonymity | Collect and verify KYC | Direct conflict |
| Privacy | Share data with government | Direct conflict |
| Global service | India-specific data retention | Compliance burden |

VPN Provider Responses

| Provider | Response |
|---|---|
| ExpressVPN | Shut down India servers |
| NordVPN | Removed India servers |
| Surfshark | Shut down India servers |
| ProtonVPN | Removed physical servers, offered virtual servers |
| Domestic VPNs | Compliance or exit |

Virtual Servers

| Aspect | Description |
|---|---|
| Physical location | Servers outside India |
| Virtual location | Appear to be in India (IP routing) |
| Compliance | Avoid data retention requirements |
| Speed/latency | May be slower |
7. Impact on Cloud and Data Centers

Cloud Service Providers

| Obligation | Implementation |
|---|---|
| Customer KYC | Validate all cloud customers |
| Usage logs | Track resource consumption, IPs |
| 5-year retention | Store even after account closure |
| Incident reporting | Monitor and report within 6 hours |

Data Center Compliance

| Aspect | Requirement |
|---|---|
| Colocation customers | Full KYC of all customers |
| Rack-level tracking | Who uses which infrastructure |
| Access logs | Entry/exit records |
| Network monitoring | Detect and report incidents |
8. Virtual Asset Providers

Crypto Exchange Obligations

| Requirement | Specification |
|---|---|
| KYC | Full customer identification |
| Transaction logs | All buy/sell/transfer records |
| Wallet addresses | Link to customer identities |
| 5-year retention | Even after account closure |
| Incident reporting | Hacks, breaches within 6 hours |

Custodian Wallet Providers

| Obligation | Details |
|---|---|
| Customer data | Identity verification |
| Private key management | Secure storage with logs |
| Transaction tracking | All movements recorded |
| Reporting | Security incidents to CERT-In |
9. Privacy and Legal Concerns

Constitutional Challenges

| Concern | Argument |
|---|---|
| Right to privacy | Article 21 violation |
| Proportionality | 5 years excessive |
| Surveillance | Chilling effect on expression |
| Data security | Centralized honeypot risk |

Industry Concerns

| Issue | Impact |
|---|---|
| Business viability | Cost of compliance |
| User trust | Loss of privacy promise |
| Competitive disadvantage | Foreign providers exit |
| Innovation | Chilling effect on startups |

No Active Legal Challenge (as of 2024)

| Status | Details |
|---|---|
| No PIL filed | No public interest litigation challenging Directions |
| Industry compliance | Most providers complying or exiting |
| Government stance | National security justification |
10. Penalties for Non-Compliance

IT Act Penalties

| Provision | Penalty |
|---|---|
| Section 70B(7) | Imprisonment up to 1 year + fine up to Rs. 1 lakh (non-compliance with CERT-In directions) |

Other Consequences

| Impact | Description |
|---|---|
| Service shutdown | Government may block non-compliant services |
| Criminal prosecution | Under IT Act |
| Civil liability | Damages for breaches |
| Reputation damage | Loss of user trust |
11. Compliance Strategies

For VPN Providers

| Strategy | Implementation |
|---|---|
| Full compliance | Collect KYC, maintain logs, report incidents |
| Exit India | Shut down India servers (ExpressVPN approach) |
| Virtual servers | Route through foreign servers |
| No India entity | Operate without India presence |

For Cloud/Data Centers

| Strategy | Implementation |
|---|---|
| Automated KYC | Integrate ID verification APIs |
| Log management | Centralized logging with 5-year retention |
| SIEM integration | Real-time incident detection |
| Compliance team | Dedicated CERT-In reporting function |

For Crypto Exchanges

| Strategy | Implementation |
|---|---|
| Enhanced KYC | Beyond basic requirements |
| Blockchain monitoring | Track suspicious transactions |
| Incident response | 6-hour reporting SLA |
| Data security | Encrypted storage with access controls |
12. International Comparison

Global VPN Regulations

| Country | Approach |
|---|---|
| India | Mandatory KYC + 5-year logs |
| Russia | Banned non-registered VPNs |
| China | Only government-approved VPNs |
| UAE | VPNs legal but monitored |
| EU | No mandatory logging (privacy-focused) |
| US | No federal VPN regulations |

India's Approach: Unique

| Aspect | India's Position |
|---|---|
| Strictness | Among world's strictest |
| Privacy | Security prioritized over privacy |
| Effectiveness | Debated: providers can exit |
13. Practical Compliance Steps
Phase 1: KYC Implementation (Months 1-3)
Phase 2: Data Retention Setup (Months 3-6)
Phase 3: Incident Reporting (Months 6-9)
Phase 4: Ongoing Compliance (Continuous)
14. Key Takeaways for Practitioners
- 6-Hour Reporting: Cybersecurity incidents must be reported to CERT-In within 6 hours.
- 5-Year Retention: Customer KYC and usage logs must be retained for 5 years after service termination.
- VPN KYC Mandatory: VPN providers must collect and verify customer identity, which conflicts with no-logs policies.
- Global VPN Exodus: Major international VPN providers shut down India servers rather than comply.
- Cloud and Data Centers Covered: All digital service providers, not just VPNs, must comply.
- Crypto Exchanges Included: Virtual asset providers are subject to the same obligations.
- NTP Synchronization: All ICT systems must have accurate timestamps for forensic purposes.
- Limited Penalties: Only 1 year imprisonment + Rs. 1 lakh fine, but service shutdown is possible.
Conclusion
CERT-In Directions of April 2022 represent India's comprehensive approach to cybersecurity accountability, imposing significant obligations on VPN providers, cloud services, data centers, and crypto platforms. The mandatory KYC collection, 5-year data retention, and 6-hour incident reporting requirements prioritize national security and law enforcement capabilities over user privacy and anonymity. The global VPN provider exodus demonstrates the tension between privacy-centric business models and regulatory compliance. Organizations must carefully evaluate compliance strategies, balancing legal obligations, business viability, and user expectations.