The Centre is considering stricter compliance measures for virtual private network (VPN) service providers operating in India as part of its broader efforts to strengthen cybersecurity enforcement and improve cybercrime investigations. Officials are exploring a framework that could require VPN companies to appoint designated compliance officers or authorised representatives to coordinate with enforcement agencies and the Indian Computer Emergency Response Team (CERT-In).
The move comes amid growing concerns within the government over the alleged misuse of VPN services to conceal user identities, bypass law enforcement, and access websites or online platforms that have been blocked in the country.
Government seeks stronger compliance framework
According to government officials, the proposal is intended to ensure that VPN providers establish a clear compliance mechanism in India. Designated officials would be responsible for responding promptly to lawful requests from investigating agencies and CERT-In during cyber incident investigations.
Authorities have stressed that the objective is to improve accountability and facilitate quicker coordination during investigations involving cyber offences rather than monitor ordinary internet users.
Officials also noted that cybercriminals frequently use anonymisation tools, including VPN services, while carrying out ransomware attacks, financial fraud, phishing campaigns, and other online crimes. The proposed framework is aimed at helping investigators trace those involved in such offences through lawful procedures.
Proposal draws from existing IT Rules
The proposed compliance model is similar to the framework introduced under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
Under those rules, significant social media intermediaries are required to appoint a Chief Compliance Officer, a Nodal Contact Person for round-the-clock coordination with law enforcement agencies, and a Resident Grievance Officer. Officials believe adopting a comparable structure for VPN providers would improve accountability, particularly for companies serving Indian users from outside the country.
Existing CERT-In directions remain in focus
The renewed discussions also highlight the cybersecurity directions issued by CERT-In in April 2022.
Under these directions, VPN providers, cloud service providers, virtual private server (VPS) providers, and data centres are required to collect and retain subscriber information for at least five years, even after a customer stops using the service.
The framework requires providers to maintain verified subscriber details, including names, physical addresses, contact numbers, email addresses, IP addresses, the duration of service usage, and the purpose for which the service was obtained. These records must be made available to authorities when sought as part of a lawful cybercrime investigation.
Government officials have maintained that access to subscriber information is limited to lawful investigations and is not intended for indiscriminate surveillance.
VPN industry had opposed data retention rules
When the CERT-In directions were introduced in 2022, several VPN companies and digital rights groups opposed the requirements. They argued that mandatory retention of customer information conflicted with their “no-logs” policies, which are designed to protect user privacy.
Some providers responded by changing their operational models. ExpressVPN, for instance, removed its physical servers from India and began serving Indian users through virtual server locations outside the country. Other VPN companies adopted similar arrangements while continuing to offer services in the Indian market.
Following representations from industry associations and technology companies, the government extended the compliance deadline from June 27 to September 25, 2022, allowing providers additional time to implement the required changes.
Focus remains on cybercrime investigations
Officials said the latest initiative is intended to place VPN providers under compliance standards comparable to those applicable to other digital intermediaries operating in India. The government believes the proposed measures will strengthen its ability to investigate cybercrimes while further expanding the country’s digital regulatory framework.