Is VPN Legal in India 2026? CERT-In Rules Explained Simply
If you have been searching "is VPN legal in India?" you are not alone. After CERT-In dropped its landmark cybersecurity directive in 2022, millions of Indian internet users found themselves confused about whether firing up a VPN before browsing could land them in legal trouble. The short answer is: yes, using a VPN in India is perfectly legal in 2026. But there are important nuances every user needs to understand, and that is exactly what this guide covers.
I have spent years tracking VPN regulations across Asia, and the Indian situation is genuinely unique. The government did not ban VPNs outright — instead, it changed the rules for how VPN companies operate within India. That distinction matters enormously, and getting it wrong could mean choosing the wrong provider or worrying unnecessarily about something that is completely lawful.
What Exactly Did CERT-In Change in 2022?
In April 2022, the Indian Computer Emergency Response Team (CERT-In) — the government body responsible for cybersecurity — issued directions under Section 70B of the Information Technology Act, 2000. These directions, which took effect on 25 September 2022, fundamentally changed the obligations placed on VPN service providers operating in India.
Here is what the directive requires from VPN providers:
Mandatory data logging for 5 years: VPN companies must maintain logs of their users' validated names, email addresses, IP addresses assigned at the time of registration, purpose of use, and contact numbers. This data must be stored for a rolling period of five years, even after a user cancels their subscription or account.
KYC-style information collection: Providers are expected to collect and verify subscriber identity, much like telecom operators do under existing Indian regulations. This includes the period of hire, IP addresses allotted to subscribers, email addresses used at the time of registration, and timestamps of activity.
Incident reporting within 6 hours: Any cybersecurity incident must be reported to CERT-In within six hours of detection. Previously, the window was much longer and loosely enforced. This is among the strictest reporting timelines in the world.
Accurate time synchronisation: All service providers must synchronise their system clocks with the Network Time Protocol Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), ensuring that timestamps on logs are accurate and legally admissible.
The directive does not just target VPN providers. It applies equally to data centres, cloud service providers, virtual private server hosting companies, and even cryptocurrency exchanges. VPNs simply became the most visible target because the directive effectively conflicts with the core promise most commercial VPNs make: that they keep no logs of user activity.
How VPN Providers Responded: India Server Removals
The reaction from the global VPN industry was swift and nearly unanimous. Most reputable VPN providers chose to remove their physical servers from Indian territory rather than comply with the logging mandate. This was a principled stand, but it has practical implications for Indian users.
NordVPN was among the first to announce the removal of its physical Indian servers. However, NordVPN quickly introduced virtual Indian servers — these are servers physically located in Singapore or other nearby countries but configured to issue Indian IP addresses. For users who need an Indian IP for accessing local banking portals, Hotstar, or government websites, these virtual servers work identically. If you need a reliable option that respects your privacy while still offering Indian IPs, you can get NordVPN and connect to their virtual India servers with confidence.
🔒 Our #1 VPN Recommendation
NordVPN — Best Overall VPN for India. Tested from India, starting at ₹279/mo.
Surfshark took the same approach, shutting down Indian data centre operations and switching to virtual servers routed through neighbouring countries. Surfshark was particularly vocal about its reasons, stating publicly that mass surveillance requirements are incompatible with its no-logs policy. The Surfshark deal remains one of the most affordable ways for Indian users to access both Indian and international content privately.
ExpressVPN removed its Indian servers and also shifted to virtual locations. ExpressVPN has been independently audited multiple times to confirm its no-logs claims, which made compliance with CERT-In effectively impossible without rebuilding their entire infrastructure philosophy.
Other providers that pulled physical servers include ProtonVPN, Hide.me, Windscribe, and Mullvad. A smaller number of VPN providers — mostly lesser-known ones or those with primarily Indian user bases — chose to comply with the directive and continue operating physical servers in India.
What this means for you: When you connect to an "India" server on a major VPN in 2026, you are almost certainly connecting to a virtual server physically located in Singapore, the UAE, or Sri Lanka. Your traffic is routed through that server, you get an Indian IP address, and speeds are generally good because of geographical proximity. But the server itself is outside Indian legal jurisdiction, meaning the CERT-In logging requirements do not apply.
Is Using a VPN in India Actually Illegal? The Clear Answer
Let me be unambiguous: there is no law in India that makes it illegal for an individual to use a VPN. The CERT-In directive does not criminalise VPN usage. It places obligations on VPN providers, not on VPN users.
This is a critical distinction that many blog posts and news articles get wrong. The Information Technology Act, 2000 — the primary legislation governing cyber activity in India — does not contain any provision that penalises the act of connecting to a VPN. Similarly, the newer Digital Personal Data Protection Act, 2023, focuses on how companies handle personal data and does not restrict individuals from using encryption or VPN tools.
There are, however, important caveats:
Using a VPN to commit a crime is still a crime. This should be obvious, but it bears stating. If you use a VPN to engage in fraud, distribute illegal content, hack into systems, or commit any activity that violates the Indian Penal Code or IT Act, the VPN does not provide legal immunity. Law enforcement agencies can and do pursue digital forensics, and the VPN usage itself may be treated as evidence of intent to conceal criminal activity.
Government-ordered blocks still apply to you. Under Section 69A of the IT Act, the central government can direct ISPs like Jio, Airtel, BSNL, and Vi to block specific websites. While a VPN technically bypasses these blocks (since your traffic is encrypted and routed through a server outside India), the legal obligation to comply with the block order rests on the ISP, not on you as a user. That said, if a court specifically orders you not to access certain content and you use a VPN to do so, you could be in contempt of court.
Corporate VPNs have special status. Businesses that use VPNs for legitimate enterprise purposes — connecting employees to internal networks, securing corporate communications, etc. — are largely exempt from the CERT-In provisions that target commercial VPN providers. The government recognised early on that disrupting corporate VPN usage would harm India's massive IT outsourcing industry and the thousands of multinational companies operating here.
Penalties and Enforcement: What Could Actually Happen?
Since the directive targets providers, not users, the penalties outlined are directed at companies. VPN providers that operate physical servers in India and fail to comply with CERT-In's logging requirements face penalties under Section 70B(7) of the IT Act, which can include imprisonment of up to one year, fines, or both.
For individual users, the practical enforcement risk in 2026 is essentially zero for normal usage. Indian law enforcement agencies are focused on cybercrime, terrorism financing, and national security threats — not on someone using NordVPN to watch Netflix US or to prevent their ISP from throttling their connection.
That said, the legal landscape can evolve. India's IT ministry has floated the idea of a more comprehensive cybersecurity framework multiple times, and future regulations could theoretically place restrictions on VPN usage directly. This has not happened as of February 2026, and there are no active legislative proposals that would criminalise personal VPN use.
In regions like Jammu and Kashmir, where internet restrictions including VPN bans have been imposed during periods of unrest, the situation is more complex. These are typically enacted under Section 144 of the Code of Criminal Procedure and are temporary, region-specific orders. Even in these cases, enforcement against individual VPN users has been rare and legally contested.
Practical Advice for Indian VPN Users in 2026
Based on the current legal framework, here is what I recommend for anyone using a VPN in India:
Choose a provider with verified no-logs policy. Since most major VPNs have moved their servers out of Indian jurisdiction anyway, your data is not subject to CERT-In logging requirements when using providers like NordVPN, Surfshark, or ExpressVPN. Look for providers that have completed independent audits of their no-logs claims.
Use virtual Indian servers when you need an Indian IP. For accessing Indian banking apps, streaming IPL on JioCinema, or using government portals like DigiLocker or IRCTC that require an Indian IP, virtual servers work perfectly. You get the IP without the logging.
Do not use free VPNs. Many free VPN apps — especially those heavily marketed on Indian social media — are based in jurisdictions with no privacy protections, or worse, they monetise your data. Some free VPNs actually comply with the CERT-In directive and log everything, which defeats the purpose entirely. If budget is a concern, the get Surfshark option often comes out to less than ₹150 per month on long-term plans.
Keep the VPN app updated. VPN providers regularly update their apps to adapt to new blocking techniques used by Indian ISPs. Jio and Airtel have been known to use deep packet inspection (DPI) to identify and throttle VPN traffic, and updated apps include obfuscation features that counter this.
Understand that a VPN is a privacy tool, not an invisibility cloak. A VPN encrypts your traffic and masks your IP address, but it does not make you anonymous in an absolute sense. Your VPN provider can see your traffic (which is why a no-logs policy matters), and sophisticated adversaries with access to both ends of the connection can theoretically correlate traffic patterns.
For businesses: If you run a company in India that uses VPN infrastructure, consult with a cybersecurity lawyer about your specific obligations under the CERT-In directive. Corporate VPN use is generally exempt, but the boundaries are not perfectly defined, and compliance requirements may vary based on your industry and the nature of your VPN deployment.
The bottom line is reassuring: VPN usage in India in 2026 is legal, widely practiced, and practically unimpeded. The CERT-In rules changed the provider landscape, but for end users, the impact has been minimal. The major international VPN services adapted quickly, and Indian users continue to enjoy strong privacy tools at affordable prices. Whether you are protecting your data on public Wi-Fi at a cafe in Bengaluru, streaming content blocked in your region, or simply exercising your right to digital privacy, a quality VPN remains both your legal right and a smart choice.
Vikram Patel
VPN Security ExpertVikram has tested 50+ VPNs from servers across India. With 8 years in cybersecurity, he helps millions find the right VPN for privacy, streaming, and savings.