Written By Shubham Arora
Published By: Shubham Arora | Published: Jul 03, 2026, 04:05 PM (IST)
India is considering a new compliance framework that could require VPN providers to establish a local presence and appoint compliance officers.
The government is looking at bringing a new legal framework for Virtual Private Network (VPN) providers in India. If the proposal goes ahead, VPN companies could have to follow stricter compliance rules than they do today. The move comes as authorities are trying to tackle the growing use of VPNs to access blocked apps, websites and other online content that is unavailable within the country. Also Read: Telegram, Signal get govt notice over Username Feature after WhatsApp
According to reports, VPN providers may also be asked to set up a presence in India and appoint compliance officials who can coordinate with government agencies whenever required. Discussions are still underway, and the government has not announced any final decision so far. Also Read: Digital India completes 11 years: PM Modi highlights AI, startups and digital growth
One of the biggest changes being considered is the requirement for VPN companies to have an office or authorised representative in India. They may also have to appoint compliance officers responsible for responding to lawful requests from enforcement agencies and the Indian Computer Emergency Response Team (CERT-In). Also Read: OpenAI makes a big India bet, hires former Uber India chief to lead operations
The proposed rules are said to be on the lines of the framework already followed by major social media platforms under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Under those rules, platforms are required to appoint officials for compliance, grievance redressal and coordination with law enforcement agencies.
Government officials said that similar requirements could improve accountability among VPN providers, particularly those serving Indian users while operating from outside the country. Reports also suggest that penalties, including possible legal action against local representatives in cases of non-compliance, are being discussed.
The discussions come against the backdrop of CERT-In’s 2022 directions for VPN providers. Those rules required VPN companies, cloud service providers, virtual private server (VPS) providers and data centres to collect and retain subscriber information for at least five years, even after a customer stopped using the service.
The information includes names, email addresses, contact numbers, physical addresses, IP addresses, the duration of service usage and the purpose for using the service. Authorities can seek these records during lawful investigations related to cyber incidents.
According to officials quoted in the reports, the existing framework has not delivered the expected results because several major VPN providers chose not to comply with the requirements. Instead, companies such as Proton VPN, ExpressVPN, NordVPN and Surfshark removed their physical servers from India and continued serving Indian users through servers located in countries such as Singapore.
VPN usage once again came into the spotlight after the government temporarily restricted Telegram ahead of the NEET-UG re-test over concerns related to fake question papers and exam scams.
Soon after the restriction, VPN providers reported a sharp increase in demand from India. Proton VPN said registrations from the country jumped by more than 120 percent. The company’s General Manager, David Peterson, had shared the figures publicly before his post, and later his account, were blocked in India.
Officials say one of the government’s concerns is that VPN services allow users to continue accessing apps and content that have been blocked within India by routing internet traffic through servers located in other countries.
The proposal is expected to revive the debate around online privacy. When the 2022 CERT-In directions were introduced, several VPN companies argued that storing user information conflicted with their “no-logs” policies, which are designed to avoid retaining customer browsing data.
Government officials, however, have maintained that the objective is not to monitor ordinary users.