VPNs are not banned in India, but CERT-In's 2022 directive requires all VPN providers with servers in India to store user data for a minimum of five years.
Another recent escalation came in April 2026, when MeitY ordered VPN providers to actively block access to banned gambling and prediction-market platforms.
Major providers including ExpressVPN, NordVPN, Surfshark, and PIA have responded to the 2022 data-logging rules by removing their physical servers from India entirely.
India's relationship with virtual private networks, software tools that encrypt internet traffic and hide user activity from internet service providers, has never been comfortable. But in the past four years, that discomfort has hardened into a structured regulatory framework that has lead to the questions: are VPNs still worth using, and could they be banned entirely?
The short answer is that an outright national ban remains unlikely. The longer answer is more complicated, and considerably less reassuring for the Indian internet users who now use a VPN.
What New Rules Is The Government Considering?
Media reports state that the government is looking at further tightening up the VPN ecosystem in India. New measures under consideration include the appointment of compliance officers who will be responsible to requests from law enforcement agencies.
The changes are in addition to the shift that came in April 2022, when India's Computer Emergency Response Team (CERT-In) issued a sweeping cybersecurity directive requiring VPN providers, data centres, cloud platforms, and crypto exchanges to collect and store extensive user data. Under those rules, VPN providers must retain user names, email IDs, IP addresses, usage patterns, and other identifying details for a minimum of five years, even after a customer cancels their subscription or deletes their account.
Will VPN Companies Need Offices In India?
Not explicitly — but the VPN providers will need to have a compliant presence if they operate servers in India. Providers must designate a Point of Contact for Indian law enforcement inquiries, maintain the required data logs on a system accessible to CERT-In, and report cybersecurity incidents within six hours of detection. For providers whose entire business model is built around not retaining user logs, this amounts to the same thing: comply or get out.
Most major providers chose to pull out. ExpressVPN was among the first to remove its physical servers from India, followed by NordVPN, Surfshark, IPVanish, and Private Internet Access. These providers now serve Indian users through 'virtual India servers' — physical machines located in Singapore, the UK, or the Netherlands that assign users an Indian IP address while keeping the data outside Indian regulatory jurisdiction. The arrangement allows providers to maintain their no-logs policies while continuing to offer Indian users functional service.
Can People Still Legally Use VPNs?
Yes. There is no law in India that makes it illegal for an individual to use a VPN. The Government of India's own email security policy recommends using a VPN or OTP for sensitive official access, and CERT-In's own guidance recommends VPN-based remote access with multi-factor authentication. The legal risk for users lies not in using a VPN but in what they do through one.
Accessing services subject to active government bans — TikTok, Polymarket, unlicensed gambling sites — through a VPN occupies a legal grey area. The IT Act's blocking orders under Section 69A are legally binding, and deliberately circumventing them could theoretically attract penalties. In practice, enforcement has focused on platforms, ISPs, and providers rather than individual users.
Why Is The Government Concerned About VPN Usage?
India's government has expressed three concerns. The first is cybercrime: VPNs allow criminals to mask their identities when conducting fraud, phishing, or accessing the dark web.
The second is platform compliance. When ISCIS blocks a website or app at the ISP level, a VPN user can route around the block entirely, rendering the government's content regulation meaningless. The rapid growth of Indian VPN usage has made this evasion widespread.
The third is national security. The use of VPN tools to circumvent lawful cyber restrictions and access prohibited applications is deemed a security risk.
Which Global VPN Companies Could Be Affected?
The companies most exposed to India's regulatory framework are those that still maintain or plan to maintain physical servers in India: providers who have not yet removed their infrastructure and are therefore technically obligated to comply with the CERT-In data-logging rules. Several mid-tier providers, particularly those with less transparent privacy records, remain in this category.
For the major international providers, ExpressVPN, NordVPN, Surfshark, ProtonVPN, CyberGhost, PIA, the physical server exit strategy has largely insulated them from the data-logging rule.
But the MeitY's new 2026 directive targeting gambling-site access introduces a different kind of pressure: it asks VPN providers to become active enforcers of India's content rules, regardless of where their servers are physically located. Complying would mean VPN providers must inspect and selectively block user traffic, the antithesis of what a privacy-focused VPN is designed to do.




























