India's VPN Rules in 2026: What the New Licensing Proposal Actually Says
Written with AI assistance and reviewed by the NorwegianSpark SA editorial team.
Affiliate disclosure: This article contains affiliate links. If you click a link and buy a subscription, we may earn a commission at no cost to you. Our editorial recommendations are never influenced by commissions — read the full disclosure.
Using a VPN in India is legal. That is the single most important thing to say first, because a great deal of writing on this subject implies otherwise. What has changed — twice now — is the regulatory position of the companies that sell VPNs, and the difference between those two things matters enormously if you are trying to decide what to actually do. In April 2022 India's Computer Emergency Response Team, CERT-In, issued a directive requiring VPN providers operating servers in India to collect and retain customer records — names, addresses, contact details and assigned IP addresses — for five years. For providers whose entire product promise is that they keep no such records, this was not a compliance burden to be absorbed. It was an existential contradiction. Several of the largest simply left. In July 2026 the government signalled that the 2022 approach had not worked and that a more comprehensive legal framework is being drafted. This page explains what is settled, what is proposed, and what it changes for you in practice.
What the 2022 CERT-In directive required
The directive applied to VPN providers, cloud services and data centres operating infrastructure in India. It required them to register and retain, for a minimum of five years, the name of the subscriber, the period of hire, the IP address allotted to and used by the subscriber, the email address and contact number used at registration, and the stated purpose of the subscription. It also required reporting of specified cyber incidents within six hours. The retention obligation was the sticking point. A no-logs VPN is not simply a VPN that promises discretion; it is one architected so that the data does not exist to be handed over. Retaining subscriber-to-IP mappings for five years is the opposite of that architecture — and several providers have had that claim tested, most publicly when Swedish police searched Mullvad's offices in April 2023 and left with nothing, because there was nothing to take.
Why NordVPN, ExpressVPN, Surfshark and PIA pulled their Indian servers
Rather than comply, several major providers removed their physical servers from India in 2022. NordVPN published its own explanation of the decision at the time. The practical consequence is that these providers still offer Indian IP addresses, but through what the industry calls virtual server locations: the physical machine sits in Singapore, the Netherlands or the United Kingdom, while the IP address it assigns is registered to India. Traffic is routed to look Indian; the hardware and the data it touches sit outside Indian jurisdiction. This is worth understanding clearly, because it is easy to misread as a trick. It is not hidden — reputable providers label virtual locations in their apps. But it does have real consequences. Latency is higher than a genuinely local server, because your traffic is making a round trip out of the country and back. And if your reason for wanting an Indian IP is to reach a service that checks for one, a virtual location usually works; if your reason is the lowest possible ping for gaming, it usually does not.
What changed in 2026
Two developments. In April 2026, India's Ministry of Electronics and Information Technology issued an order directing VPN providers to actively block access to banned gambling and prediction-market platforms — a shift from requiring providers to retain records towards requiring them to enforce blocks. Then, on 3 July 2026, officials confirmed that a comprehensive legal framework for regulating VPN providers is being drafted, on the stated basis that the 2022 rules had not achieved their aim. Reported elements of the proposal include requiring VPN companies to establish a physical office in India, appoint local compliance officers to act as government liaisons, and maintain subscriber records — names, addresses, contact details and IP addresses — for five years. As of this writing the framework is a draft under development, not law. Nothing described in this section currently binds any provider, and the final text may differ substantially from what has been reported. Treat it as direction of travel rather than settled fact, and check the current position before making decisions that depend on it.
What this means if you are in India
Using a VPN remains legal for individuals. The regulatory pressure described here is aimed at providers, not at users. If you are choosing a provider from within India, the questions worth asking are these. Does it operate physical servers in India, or virtual locations? If the former, it is subject to the retention directive and its no-logs claim deserves closer scrutiny. Has the no-logs claim been independently audited, and how recently? Where is the company legally domiciled, since that determines which government can compel it? And does it publish a transparency report showing what it has been asked for and what it was able to hand over? These questions are not India-specific — they are the right questions everywhere — but the Indian regulatory environment makes the answers unusually consequential.
What this means if you are outside India
Two groups of people care about this from abroad. The first are travellers, who mostly do not need to think about it: a VPN bought elsewhere works in India, and the regulatory position affects the provider rather than you. The second, and much larger, group are members of the Indian diaspora who want an Indian IP address from abroad — usually to reach a service that is only available domestically. For that use case, the virtual-server shift is the whole story: you are relying on an Indian IP that is served from outside India, and whether that works depends on whether the service you are trying to reach accepts it. It generally does; it is not guaranteed to, and no provider can honestly promise otherwise.
The honest summary
India has spent four years trying to bring VPN providers into a records-retention regime, and the providers most committed to not keeping records left rather than comply. The 2026 proposal is a second attempt with sharper teeth — local incorporation and named compliance officers are much harder to walk away from than a server rack. Whether it becomes law, and in what form, is genuinely unknown. What has not changed throughout is that using a VPN in India is lawful, and that the meaningful differences between providers are jurisdiction, audit history and transparency — not marketing claims about speed.
Frequently Asked Questions
Are VPNs illegal in India?
No. Using a VPN is legal for individuals in India. The 2022 CERT-In directive and the 2026 licensing proposal both regulate VPN providers and their record-keeping, not the act of using one.
Why did NordVPN remove its servers from India?
The April 2022 CERT-In directive required providers with Indian infrastructure to retain subscriber names, addresses, contact details and assigned IP addresses for five years — incompatible with a no-logs architecture. NordVPN, ExpressVPN, Surfshark and Private Internet Access all removed their physical Indian servers rather than comply.
What is a virtual India server?
An IP address registered to India that is served from hardware physically located elsewhere — commonly Singapore, the Netherlands or the UK. Sites see an Indian IP; the machine and its data sit outside Indian jurisdiction. Reputable providers label these in their apps. Expect higher latency than a genuinely local server.
Is the 2026 VPN law in force?
No. As of July 2026 it is a draft framework under development. Reported elements include mandatory local offices, appointed compliance officers and five-year subscriber records, but nothing is binding yet and the final text may differ. Check the current position before relying on any of it.
Can I still get an Indian IP address from abroad?
Yes — major providers still offer Indian IP addresses via virtual server locations. Whether a specific Indian service accepts that IP varies by service, and no provider can honestly guarantee any particular platform will work.
Also worth comparing
Other providers we recommend for this topic. Sponsored links — we may earn a commission at no extra cost to you.
VPNTex is published by NorwegianSpark SA (Org no: 834 984 172). We may earn commissions on qualifying purchases via affiliate links. This does not affect our editorial independence. Full disclosure · Privacy policy