The Indian Computer Emergency Response Team (CERT-in), which falls under the Ministry of Electronics and Information Technology, issued a new directive on Thursday, forcing crypto exchanges, virtual private network (VPN) providers and data centers to store a wide range of user data for up to five years.

Under the newly issued directive, crypto exchanges operating in India will be required to store customers’ names, ownership patterns, contact information and various other data.

Crypto exchanges and VPN services providers are also required to report any cyber incident within six hours of its occurrence and must hand over the collected data to the authorities upon order. The official directive read:

“When required by order/direction of CERT-In, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider/intermediary/data center/body corporate is mandated to take action or provide information or any such assistance to CERT-In.”

The new directives will come into force on June 22, which may force many VPN service providers and privacy-focused crypto platforms that don’t collect or store critical user data to shut their operations.

Related: Brain drain: India’s crypto tax forces budding crypto projects to move

CERT-in claims the new directives are intended to help them take action against cyber crimes within six hours, however, the range of data they are asking platforms to store and hand over has raised eyebrows owing to privacy concerns among users. One user wrote:

“Our government wants to control the…