The Indian Ministry of Electronics and Information Technology (MeitY) has notified that henceforth, it shall give preferential treatment to Indian companies
in the procurement of cybersecurity products, including both hardware and software solutions used in its IT projects across all departments.
“Preference shall be provided by all procuring entities to domestically manufactured/ produced cybersecurity products as per the order,” says the notification published on the official website of the ministry. The mandate under the notification would be applicable to all government departments and ministries at the center and state levels.
The announcement has been made in regard to the ‘Make in India’ program of the government to promote the manufacturing of locally-made products and services. “The Government has issued public procurement order to encourage 'Make in India’ and to promote manufacturing and production of goods and services in India with a view to enhancing income and employment,” declares the notification.
· Businesses incorporated and registered in India under the applicable acts for corporations
· For products or services above 10 crore rupees, a company should provide certification from a statutory auditor to prove that it meets the definition of ‘local supplier’
· The company should demonstrate ownership of the intellectual property associated with the product
· It should prove ownership rights such as trademarks and logos
As per the notification, local suppliers are defined as businesses incorporated and registered in India under the applicable acts for companies. In addition, at the time of bidding for products or services above 10 crore rupees, a company shall have to provide certification from a statutory auditor to prove that it meets the definition of ‘local supplier’. The company also has to demonstrate ownership of the intellectual property associated with the product, in addition to other applicable ownership rights such as trademarks and logos.
All cyber security products and services, including hardware and software for “maintaining confidentiality, availability and integrity of information by protecting computing devices, infrastructure, programs, data from attack, damage, or unauthorized access,” are covered under the notification, including advanced authentication, GRC (Governance Risk Compliance), security analytics, DoS and DDoS protection, cloud security, big data analytics, antivirus/mobile data protection, firewalls, end-point security, identity management, and digital payments.
But it is to be noted that resellers, dealers, distributors and support service agencies of foreign-developed products and services who have limited rights to a product's intellectual property, are exempted from the tentative mandate as mentioned in the notification.
Experts have commended the move, saying it will help in protecting the government’s sensitive data from leaking outside, as well as lead to a better cybersecurity ecosystem.
“After this move, more and more incentive will be given to foreign companies to register as an Indian company and develop security products here itself for pitching them to the government,” said cyber law expert Pavan Duggal. “This notification gives a tremendous boost to the cyber security market in India and will help in the growth of a sound information security ecosystem within the government.”
Another renowned cybersecurity expert and lawyer in the country, Prashant Mali also spoke positively of the move. “The mandate will prevent sensitive data being illegally accessed from outside the country or being sold by the state-sponsored companies of different foreign countries. This was a serious concern and a grey area, and now this gets addressed,” told Mali.