The Central government is reportedly working on a new legal framework to regulate virtual private network (VPN) providers in India. The proposed rules aim to strengthen oversight of VPN companies, which the government believes are increasingly being used to bypass restrictions on blocked apps, accounts and online content.
The Centre is planning a new legal framework for VPN providers after the 2022 directions issued by the Indian Computer Emergency Response Team (CERT-In) failed to secure compliance from many global VPN companies.
Under the proposed framework, VPN providers may have to establish a physical presence in India, appoint compliance officers and designate local representatives to coordinate with government authorities. The rules could also include penalties for non-compliance, including possible jail terms for local employees. The proposed obligations are expected to be similar to those imposed on large social media intermediaries under the Information Technology (IT) Rules, 2021.
The move comes amid growing concerns that VPNs are being used to bypass restrictions on blocked apps, accounts and online content. VPNs hide users’ IP addresses and encrypt internet traffic, allowing private browsing and access to geo-restricted content. However, officials believe they also make it easier to bypass government content-blocking orders by routing internet traffic through servers outside India.
The government also wants VPN providers to maintain local points of contact so authorities can direct them to restrict access to blocked content.
The push for stricter rules comes as the government’s use of content-blocking orders has increased. More than 24,000 such orders were reportedly issued in 2025, compared with over 12,000 in 2024.
The issue gained fresh attention during the temporary blocking of Telegram in India last month. Following the restrictions, downloads of leading VPN apps rose 49% above their recent daily average, increasing from about 1,39,000 to 2,08,000. It was the biggest spike in VPN downloads since the beginning of 2025.
The proposed law also revives a dispute that began in April 2022, when CERT-In directed VPN providers, cloud service providers and virtual private server (VPS) operators to collect and retain customer information, including names, email IDs, contact numbers, IP addresses and usage records, for at least five years to support cybersecurity investigations.
Major VPN providers, including Proton VPN, NordVPN, ExpressVPN and Surfshark, opposed the directive, saying mandatory data retention conflicted with their no-logs privacy policies. Instead of complying, some companies removed their physical servers from India and began routing Indian users through virtual servers in countries such as Singapore.
At the time, Proton VPN said it had “no intention of complying with this invasive mass surveillance law”, adding that removing its servers from India was the only option consistent with its privacy commitments.
The 2022 directions also drew criticism from digital rights groups and legal experts, who argued that mandatory data retention without a comprehensive data protection framework could increase surveillance, weaken user privacy and expose journalists, activists and whistleblowers to greater risks.
The government, however, has maintained that these measures are necessary to strengthen cybersecurity and improve cybercrime investigations.
Read Article: IT Minister Vaishnaw Orders MeitY to Summon Meta Over CSAM Ads on Instagram

