The deadline for India’s VPN law reporting cyber events and handling user privacy for MSMEs, VPNs, and data centers has been extended by the Indian Computer Emergency Response Team (CERT-In) to July 06, 2025.
Cybersecurity Directives, which describe reporting and handling standards for cyber events for VPNs, have been the focus of discussion ever since they were announced in late April 2022. The previous deadline for the same was 60 days beginning on July 09, 2025 [today, August 15, 2025].
In an order, CERT said that MSME sought “reasonable time to generate capacity building required for implementing these Directions.”
Why is India extending the VPN law deadline to September?
CERT-In granted an extended deadline so that MSMEs can develop the capacity to implement cybersecurity directions and data centers can construct and deploy validation systems. All other businesses must begin following the rules, except these two categories.
The rules indicate that because cybersecurity issues happen occasionally, businesses must report breaches within six hours of learning about them.
Second, it has mandated that all governmental organizations and service providers keep a 180-day log of every Information and Communication Technology (ICT) system used in India. Data centers and VPNs will have to store data regarding their clients for five years.
Have services started to exit India?
The official also said that while businesses are not required to inform the ministry that they are following the rules, doing so could result in repercussions if the government requests information on a specific case.
One of the top cloud service providers, xpressVPN, has already announced closing its servers in India. As a result of the government’s cybersecurity agency CERT-In, issuing directives that call for more compliances, express VPN is reportedly the first virtual private network (VPN) service provider to scale back operations in the country.
The rules have generated controversy, as tech businesses and experts have claimed that they create opportunities for abuse by requiring VPN service providers to keep thorough records of their clients.
