The Indian government is drafting legislation that may require VPN providers to establish local offices and appoint compliance officers. This move follows the limited success of the 2022 CERT-In data storage mandates, which saw several major providers remove their physical servers from the country.
What Happened
The Indian government is reportedly working on a new legal framework to increase regulation over virtual private network (VPN) providers. The proposed rules may require these companies to maintain a physical presence within India and appoint local compliance officials to coordinate with government authorities. This effort aims to address challenges in enforcing official content moderation and data security directives, which officials claim have faced limited compliance from global VPN services under the existing 2022 CERT-In guidelines.
The Shift Toward Stricter Compliance
In 2022, the Indian Computer Emergency Response Team (CERT-In) issued directives requiring VPN companies to store specific customer data, including IP addresses and personal identifiers, for an extended period. Many international VPN providers, such as NordVPN, ExpressVPN, Surfshark, and Proton VPN, responded by removing their physical servers from India to avoid these requirements, rerouting traffic through servers in other countries. The proposed new legislation appears intended to close the gaps created by this departure by creating a direct legal obligation for these companies to operate within the country's jurisdiction.
Motivations Behind The Proposed Rules
Government officials have expressed concern over the use of VPNs to bypass official blocks on websites, applications, and other online content. By requiring a local office and dedicated compliance staff, the government aims to establish a clear point of contact for enforcement actions. Reports indicate that the framework may align with the broader Information Technology (IT) Rules, 2021, which already apply to large social media platforms. There is also discussion about introducing stronger penalties, potentially including legal repercussions for local representatives if companies fail to comply with government mandates.
Business Reality And Sector Context
The regulation of VPNs involves a balance between national security and user privacy. While the government views these tools as a method to circumvent content moderation and undermine data security policies, many service providers argue that strict logging and local storage requirements conflict with their primary business model of providing user anonymity and privacy. The history of these companies removing physical infrastructure from India demonstrates the potential for future conflict between global privacy standards and domestic regulatory requirements.
What To Watch Next
Investors and observers should monitor the official draft of the legislation, specifically the scope of the compliance requirements and the severity of the proposed penalties. The next major update will be the formal introduction of the bill, which will clarify how VPN providers must adjust their operations to remain available in the Indian market. Additionally, the response from global VPN firms—whether they choose to establish local entities or continue operating via offshore servers—will determine the long-term impact on their accessibility and business model in India.
