India Drafts New Law to Force VPN Providers to Set Up Local Offices, Appoint Compliance Officers
The Indian government is developing a comprehensive legal framework to regulate virtual private network (VPN) providers, sources familiar with the matter have said. The proposed rules would require VPN companies to establish a physical presence in India and appoint compliance officers to liaise with authorities.
This follows a 2022 directive from the Indian Computer Emergency Response Team (Cert-In) that mandated VPN providers to store extensive customer data, including names, email IDs, contact numbers, and IP addresses. However, that directive has not yielded satisfactory results, leading to calls for stricter measures.
“In the last few months, we have observed that users are able to bypass blocked content, accounts, and online services by using VPN services. The 2022 Cert-In directives have not managed to rein in these companies as they have simply refused to comply. So, the need for a full-fledged law is being felt,” a senior government official said, requesting anonymity.
The new framework could require VPN operators to set up offices in India and hire compliance officers to address government grievances. Penal consequences, including jail terms for local employees, are also being considered for non-compliance. These requirements mirror those for large social media companies under India’s Information Technology (IT) Rules, 2021.
VPN services allow users to mask their IP addresses and browse the internet via servers located elsewhere, making it appear as if traffic originates from a different jurisdiction. This capability is often used to bypass India’s geo-blocking orders, which require companies to restrict access to content within the country. By using a VPN server abroad, users can access blocked content and browse anonymously.
India’s content-blocking ecosystem has expanded significantly, with over 24,000 orders issued in 2025, up from more than 12,000 in 2024, according to earlier reports.
Another official emphasized the need for local points of contact for VPN companies so that the government can direct these services to block access to certain content. “Such services otherwise defeat the purpose of blocking orders,” the official said.
For instance, when the Centre temporarily blocked Telegram ahead of the NEET-UG retest last month, Proton VPN’s general manager David Peterson noted that daily registrations from India jumped by over 120%. Peterson’s post on X and his account were later blocked in India.
The 2022 Cert-In directive required VPN providers, along with data centres and cloud service providers, to store customer data for five years. In response, major VPN operators like Proton VPN, NordVPN, ExpressVPN, and Surfshark removed their servers physically located in India and began routing traffic from outside the country.
Queries sent to the Ministry of Electronics and IT did not elicit a response until publication.