India Drafts Law Forcing VPNs to Store User Logs for 5 Years

07.07.2026 5
India Drafts Law Forcing VPNs to Store User Logs for 5 Years

India's government confirmed on July 3, 2026 that it is drafting a new legal framework to regulate VPN providers, requiring them to open a physical office in the country, appoint a local compliance officer, and store subscriber data - including names, addresses, and IP addresses - for five years. Employees at non-compliant companies could face criminal penalties, including imprisonment.

What India's New 2026 VPN Law Would Require

According to officials cited in Indian press reports, the proposed framework mirrors India's Information Technology Rules, 2021, which already force large social media platforms to appoint a Chief Compliance Officer and a Nodal Contact Person as a direct line to law enforcement. Applied to VPNs, the same model would require providers to:

  • Register a local entity and maintain a physical office inside India.
  • Appoint a compliance officer who acts as the government's point of contact.
  • Retain subscriber records for five years, including full names, addresses, contact details, and IP addresses.
  • Hand over logs on request, with individual employees facing criminal liability - including possible imprisonment - for non-compliance.

The 2022 Directive That Providers Simply Ignored

This is not India's first attempt. In 2022, the Indian Computer Emergency Response Team (CERT-In) issued a near-identical directive with an original deadline of June 27, 2022, later pushed to September 25, 2022. The response from the industry's biggest names was blunt: Proton VPN, NordVPN, ExpressVPN, and Surfshark all pulled their physical servers out of India rather than comply, rerouting Indian users through virtual servers based in Singapore and elsewhere. Proton VPN called the directive an "invasive mass surveillance law" and said it had no intention of complying.

Important: a senior government official said this history is exactly why the new draft is tougher, arguing that the 2022 CERT-In directives "have not managed to rein in these companies as they have simply refused to comply." The new proposal is designed to close that loophole by attaching criminal liability to individual compliance officers rather than only the corporate entity.

Why Officials Say VPN Enforcement Needs to Get Tougher

Indian authorities point to a sharp rise in website-blocking orders as evidence that anonymized traffic is getting harder to police: government agencies issued more than 24,000 blocking orders in 2025, over double the 12,000-plus issued in 2024. Officials argue that a growing share of blocked content stays reachable simply because VPN providers keep no logs to hand over - and, in many cases, keep no servers inside India's jurisdiction at all. Roughly half of India's 800 million internet users are estimated to use a VPN at least occasionally, which officials describe as undermining blocking orders at a national scale.

The timing also follows a real-world stress test of Indian VPN demand. When India blocked Telegram in June 2026 as part of a wider crackdown on encrypted messaging, daily VPN sign-ups spiked and exposed millions of new users to predatory, ad-heavy free VPN apps - a surge regulators are now citing as proof that VPN usage in India has become mainstream enough to require formal oversight.

What Happens If Providers Refuse Again

If history repeats, the most likely outcome is the one India already saw in 2022: rather than open a local office, expose a compliance officer to potential prosecution, and log five years of user activity, major no-log VPN providers would simply withdraw physical infrastructure from India again and keep serving Indian users through servers hosted abroad. That keeps VPN access technically available but pushes the market further toward providers willing to operate in a legal gray zone - often the same low-quality free apps funded by the aggressive advertising Indian users complained about during the Telegram block.

India's VPN market is not new to security incidents that make the case for privacy tools more urgent, not less. A ransomware attack on manufacturer Bajaj Auto in June 2026 showed how exposed corporate VPN infrastructure can be even inside large, well-resourced Indian companies - a reminder that the debate over VPN regulation is unfolding against a backdrop of real breaches, not hypothetical risk.

Conclusion: India's draft VPN law would be one of the most aggressive data-retention regimes for VPN providers anywhere in the world, backed by the threat of individual criminal liability rather than just corporate fines. Whether it succeeds where the 2022 CERT-In directive failed will likely come down to the same question as before: will major providers comply, or will they simply leave India's physical infrastructure behind again and keep serving the country from abroad.
Tags: cybersecurity security vpn privacy india digital rights surveillance legislation

Read also