India's government confirmed on July 3, 2026 that it is drafting a new legal framework to regulate VPN providers, requiring them to open a physical office in the country, appoint a local compliance officer, and store subscriber data - including names, addresses, and IP addresses - for five years. Employees at non-compliant companies could face criminal penalties, including imprisonment.
What India's New 2026 VPN Law Would Require
According to officials cited in Indian press reports, the proposed framework mirrors India's Information Technology Rules, 2021, which already force large social media platforms to appoint a Chief Compliance Officer and a Nodal Contact Person as a direct line to law enforcement. Applied to VPNs, the same model would require providers to:
- Register a local entity and maintain a physical office inside India.
- Appoint a compliance officer who acts as the government's point of contact.
- Retain subscriber records for five years, including full names, addresses, contact details, and IP addresses.
- Hand over logs on request, with individual employees facing criminal liability - including possible imprisonment - for non-compliance.
The 2022 Directive That Providers Simply Ignored
This is not India's first attempt. In 2022, the Indian Computer Emergency Response Team (CERT-In) issued a near-identical directive with an original deadline of June 27, 2022, later pushed to September 25, 2022. The response from the industry's biggest names was blunt: Proton VPN, NordVPN, ExpressVPN, and Surfshark all pulled their physical servers out of India rather than comply, rerouting Indian users through virtual servers based in Singapore and elsewhere. Proton VPN called the directive an "invasive mass surveillance law" and said it had no intention of complying.
Why Officials Say VPN Enforcement Needs to Get Tougher
Indian authorities point to a sharp rise in website-blocking orders as evidence that anonymized traffic is getting harder to police: government agencies issued more than 24,000 blocking orders in 2025, over double the 12,000-plus issued in 2024. Officials argue that a growing share of blocked content stays reachable simply because VPN providers keep no logs to hand over - and, in many cases, keep no servers inside India's jurisdiction at all. Roughly half of India's 800 million internet users are estimated to use a VPN at least occasionally, which officials describe as undermining blocking orders at a national scale.
The timing also follows a real-world stress test of Indian VPN demand. When India blocked Telegram in June 2026 as part of a wider crackdown on encrypted messaging, daily VPN sign-ups spiked and exposed millions of new users to predatory, ad-heavy free VPN apps - a surge regulators are now citing as proof that VPN usage in India has become mainstream enough to require formal oversight.
What Happens If Providers Refuse Again
If history repeats, the most likely outcome is the one India already saw in 2022: rather than open a local office, expose a compliance officer to potential prosecution, and log five years of user activity, major no-log VPN providers would simply withdraw physical infrastructure from India again and keep serving Indian users through servers hosted abroad. That keeps VPN access technically available but pushes the market further toward providers willing to operate in a legal gray zone - often the same low-quality free apps funded by the aggressive advertising Indian users complained about during the Telegram block.
India's VPN market is not new to security incidents that make the case for privacy tools more urgent, not less. A ransomware attack on manufacturer Bajaj Auto in June 2026 showed how exposed corporate VPN infrastructure can be even inside large, well-resourced Indian companies - a reminder that the debate over VPN regulation is unfolding against a backdrop of real breaches, not hypothetical risk.