India’s new directive to report cyber-attacks within six hours and store user logs for five years will make it difficult for companies to do business in the country, with 11 international agencies, counting tech giants such as Google, Facebook and Hewlett-Packard one of its members.

International bodies have expressed concern that the written directive will adversely affect the cybersecurity of organisations operating in India and create a cybersecurity disconnect across jurisdictions, thereby undermining the security of India and its allies in the Quad, Europe and elsewhere.

Global bodies that have jointly expressed concern include the Information Technology Industry Council (ITI), Asian Securities Industry and Financial Markets Association (ASIFMA), Banking Policy Institute, BSA-Software Alliance, Cyber Risk Reduction Alliance (CR2), Cyber Security Alliance, Digital Europe, techUK, American Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum.

The new directive, issued April 28, requires companies to report any cyber breaches to CERT-In within six hours of discovering them.

It obliges data centre, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to verify and maintain customer names and customer names employing services, hiring times, customer ownership patterns, etc., records for five years or more mandatory by law.

According to the directive, IT companies must keep all information and financial transaction records obtained as part of Know Your Customer (KYC) for five years to ensure cybersecurity in citizen payments and financial markets.
International bodies have raised concerns about the 6-hour timetable imposed by cyber incident reporting and have called for it to be extended to 72 hours.

International agencies say their member companies operate advanced security infrastructures with high-quality internal incident management procedures that will result in more efficient and flexible than government mandates from third-party systems unfamiliar to CERT-In the response.