India’s government, officials confirmed on July 3, 2026, is developing a comprehensive legal framework to regulate VPN providers, building on a 2022 CERT-In data-retention directive officials say providers ignored.
Quick Summary – TLDR:
- India is drafting rules that would require VPN companies to open physical offices in India and appoint local compliance officers as government liaisons.
- Providers would need to keep subscriber records, including names, addresses, contact details, and IP addresses, for five years, per NDTV.
- Non-compliant employees could face criminal penalties, including imprisonment, under the proposed rules.
- The government issued more than 24,000 content-blocking orders in 2025, up from more than 12,000 in 2024.
- Daily Proton VPN sign-ups from India jumped 120% during a temporary block of Telegram.
What Happened?
The Indian government is developing a comprehensive legal framework to regulate VPN providers, building on the 2022 Cert-In directive that mandated customer data storage, according to Indian Express, which first reported the plan. The proposal reported here goes well beyond that 2022 order in scope.
Under the draft framework, VPN operators would face requirements to establish physical offices within India, appoint local compliance officers to coordinate with authorities, and face potential criminal penalties, including imprisonment for non-compliant employees, per Moneycontrol. NDTV added that service providers must appoint designated compliance officers and maintain subscriber records for five years, including names, addresses, contact information, and IP addresses, the same compliance model drives the VPN adoption trends.
🚨 The Indian government is considering stricter rules for VPN providers, including requiring local offices and compliance officers in India. pic.twitter.com/CCcRStBj3O
— India Plus (@india_plus_) July 3, 2026
The design mirrors compliance obligations already imposed on large social media platforms under the Information Technology Rules, 2021, which require intermediaries to name accountable officers reachable by law enforcement. Per NDTV, the proposed rules mirror existing intermediary guidelines requiring Chief Compliance Officers and Nodal Contact Persons for law enforcement coordination.
Officials frame the plan as a fix for a rule that failed to bite. A senior government official told the Indian Express: “The 2022 Cert-In directives have not managed to rein in these companies as they have simply refused to comply.” Moneycontrol quoted a similar line from officials: users can bypass blocked content, accounts, and online services using VPNs, and existing regulations have not managed to rein in these companies.
Why Providers Left and What Changed Since 2022?
CERT-In (Indian Computer Emergency Response Team, India’s national cyber-incident response agency) issued that original order. Facing it, Proton VPN, NordVPN, ExpressVPN, and Surfshark removed physical servers from India, routing Indian traffic through Singapore instead. NDTV confirmed the same pattern for one provider by name: ExpressVPN removed its Indian physical servers rather than comply.
That exit strategy is the compliance gap the new framework targets. A local office and a named compliance officer are harder to route around than a server rack. The original deadline also slipped once already: the government extended the original June 27 deadline to September 25, 2022, for implementation of the 2022 directive, and providers still walked away rather than comply.
The blocking-order numbers show why officials are escalating now rather than reissuing guidance. 24,000+ content blocking orders were issued in 2025, up from 12,000+ blocking orders issued in 2024, roughly double in a year, a trend line consistent with the Cybersecurity Threat Data SQ Magazine tracks. VPN traffic is what lets users route around those orders, which is the enforcement gap the office-and-officer model targets.
The Telegram episode is the clearest single data point: a 120% increase in daily Proton VPN registrations from India during Telegram’s temporary block shows how fast demand for workaround tools spikes once the government blocks a major platform.
Officials say the target is narrower than the “surveillance” framing suggests. Officials emphasized investigations target cybercriminals and fraud perpetrators, not ordinary users engaging in lawful activities, while also noting rampant abuse of VPN services, with people using them to conceal their identity, bypass law enforcement, and access websites that have been blocked in India.
Providers reject that framing. Proton VPN, whose general manager is David Peterson, has publicly declared it has “no intention of complying with this invasive mass surveillance law.” That is the same public posture Proton, NordVPN, ExpressVPN, and Surfshark took after the 2022 directive, when all four pulled servers rather than store subscriber data locally.
SQ Magazine’s Takeaway
This reads as India extending its social-media compliance template to infrastructure that, last time, simply left rather than comply. Five years of retained IP addresses and contact details, paired with a mandatory local office, is designed to close the Singapore-routing loophole. Whether that holds depends on whether providers stay this time; a second exit would likely just push traffic to smaller, less-vetted VPN services that never had a footprint to lose.
No formal notification or comment period has been announced yet, so the timeline for a binding rule remains unclear. Worth watching is a draft rule opened for comment, provider responses, and whether the 2022 exit pattern repeats or a five-year retention mandate finally changes providers’ calculus. Businesses and remote workers relying on commercial VPNs should watch for provider statements on whether service in India continues if the rule takes effect.