CERT-In VPN rules, four years on: which providers left India and what it means now
In April 2022 the Indian Computer Emergency Response Team — CERT-In — issued a directive that fundamentally restructured the VPN market in India. It got reported as a privacy crackdown. It was more specifically a compliance requirement that several providers chose not to meet. Four years later, the Indian VPN market still operates around the consequences.
We can write about this honestly because we never had servers in India in the first place. The major Western brands — NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad — did have servers in India and had to make a choice in mid-2022. Most chose to physically leave. They have not been eager to publish blog posts titled "We left India" since.
This is what actually happened, what's changed since, and how to think about it.
What CERT-In actually requires
The April 2022 directive is short. It applies to VPN providers, cloud providers, and data center operators with infrastructure in India. The relevant requirements:
- Five years of customer KYC retention. Required fields: name, address, phone number, email, IP address allocated to the customer, contract period, payment method, and declared purpose of use of the VPN. That last one is unusual — most retention regimes ask for what the service was, not what it was used for.
- Six-hour incident reporting. Any cybersecurity incident has to be reported to CERT-In within six hours of identification. For comparison, the EU's GDPR requires 72 hours.
- Logs synchronized to Indian time (NTP-synced to NIC or NPL servers).
- Logs maintained for 180 days for general system/network logs (separate from the 5-year customer KYC retention).
The directive came into force on June 27, 2022. Penalties for non-compliance reach up to one year of imprisonment for company officers under Section 70B(7) of the IT Act, plus monetary fines.
Why most reputable providers refused to comply
The retention requirement was structurally incompatible with a no-logs commitment.
A no-logs VPN, in its honest form, doesn't keep records that connect a customer to their connections, traffic, or destinations. NordVPN, ExpressVPN, Mullvad, Proton, and Surfshark have all marketed extensively on no-logs commitments and most have had third-party audits to back them up. CERT-In's directive required them to keep exactly the kinds of records they had spent years building infrastructure to not keep.
Their options were to: (1) comply, log Indian customers for five years, and silently abandon the no-logs claim for that customer base; (2) physically remove their Indian infrastructure so the directive no longer applied to it; or (3) refuse to comply and accept legal exposure.
Mostly they chose option 2.
- ExpressVPN removed Indian servers on June 2, 2022 — before the directive even came into force.
- NordVPN removed Indian servers on June 26, 2022, the day before the deadline.
- Surfshark removed Indian servers on June 27, 2022.
- ProtonVPN removed Indian servers in early 2023 after initially attempting an alternative.
- Mullvad removed Indian servers and never added virtual replacements.
- IPVanish and Private Internet Access also withdrew physical infrastructure.
What they didn't stop doing was offering "Indian IPs" to their customers. They moved to virtual server arrangements: a server physically located in Singapore (most commonly), the Netherlands, or London, configured with an Indian IP address routed via a peering arrangement so traffic appears to come from India. NordVPN added its first virtual India location in January 2024, hosted physically from Singapore. ExpressVPN and Surfshark followed similar patterns.
This is a real product compromise. A virtual Indian IP doesn't have the same characteristics as a server actually sitting in Mumbai or Bangalore — the latency profile is different, the IP-block reputation can differ, and the routing path traverses an international link. For most use cases the difference is unnoticeable. For latency-sensitive Indian-server-required workloads (some online games, certain regulated banking interactions), it matters.
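One way to test from the outside whether an "Indian" endpoint can physically be in India, as an added example that is not code from the original post: a minimum round-trip time caps how far away a server can be, so a very low RTT from a Singapore probe rules out Mumbai. The probe cities, the 100 km per ms of RTT bound, and all RTT values are constructed assumptions, and the verdict is relative to the listed candidate sites only.

```python
import math

KM_PER_MS_RTT = 100.0  # assumption: ~200 km/ms in fibre, halved for the round trip

# Approximate (lat, lon) of probe sites, which double as candidate server sites.
CITIES = {"Mumbai": (19.08, 72.88), "Chennai": (13.08, 80.27),
          "Singapore": (1.35, 103.82)}
INDIAN = {"Mumbai", "Chennai"}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def feasible_sites(min_rtt_ms):
    """Candidate cities not ruled out by any probe's minimum RTT.

    A small RTT caps the distance to the server; a large RTT proves nothing,
    because congestion and indirect routing only ever add delay.
    """
    return [name for name, loc in CITIES.items()
            if all(haversine_km(CITIES[probe], loc) <= rtt * KM_PER_MS_RTT
                   for probe, rtt in min_rtt_ms.items())]

def classify(min_rtt_ms):
    """Verdict relative to the candidate list above, not to all of India."""
    sites = set(feasible_sites(min_rtt_ms))
    if not sites & INDIAN:
        return "outside India"
    if sites <= INDIAN:
        return "in India"
    return "inconclusive"

# Constructed minimum RTTs (ms) to three hypothetical "India" endpoints.
VIRTUAL = {"Mumbai": 62.0, "Chennai": 34.0, "Singapore": 1.8}
PHYSICAL = {"Mumbai": 1.2, "Chennai": 21.0, "Singapore": 58.0}
CONGESTED = {"Mumbai": 70.0, "Chennai": 65.0, "Singapore": 80.0}

if __name__ == "__main__":
    for label, rtts in [("virtual", VIRTUAL), ("physical", PHYSICAL),
                        ("congested", CONGESTED)]:
        print(label, feasible_sites(rtts), classify(rtts))
```

Use the lowest RTT seen over many samples per probe; a single measurement inflated by queueing only weakens the bound, it never produces a false exclusion.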
The providers that did comply — keeping physical Indian servers and logging customers per the directive — are mostly smaller brands and less-scrutinized aggregators. We are not naming them; the point is that "uses Indian servers" is no longer a quality signal in the post-2022 environment; it is a compliance flag.
January 2025: app store removals
A second wave of enforcement landed almost three years later.
In late 2024 / early 2025, the Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs, ordered Apple and Google to remove specific VPN apps from the Indian Apple App Store and Google Play. The order initially targeted 14 apps, per reporting by the Internet Freedom Foundation (IFF) and MediaNama.
Five removals were confirmed in the press by January 3, 2025:
- Cloudflare 1.1.1.1 (technically a DNS-and-WARP app, but it includes a free WireGuard VPN tunnel)
- Hide.me VPN
- PrivadoVPN
- Touch VPN
- X-VPN
The major commercial brands — NordVPN, ExpressVPN, Surfshark, Proton, Mullvad, Private Internet Access — were not on the confirmed-removed list as of that date. Their apps remained available in Indian app stores.
The legal basis was Section 69A of the IT Act read with the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. The IFF noted publicly that the order was issued without standard transparency procedures and without giving affected users notice.
The Doda district VPN ban (May 2025)
In May 2025, the Doda district administration in Jammu & Kashmir issued an order under Section 163 of the Bharatiya Nagarik Suraksha Sanhita (BNSS, the new criminal procedure code that replaced the CrPC) prohibiting VPN use in the district for two months. The stated reason was security concerns related to specific militant communications.
This was the first regional-level Indian enforcement action that targeted VPN use by individuals, not VPN provider compliance. The geographic scope was one district. The duration was two months. As of late 2025 the order had not been renewed or extended to other districts.
It is not, on its own, evidence of broader anti-VPN enforcement. It is evidence that Indian authorities have now used Section 163 BNSS for this purpose at least once, and that pattern can in principle be repeated in other security-sensitive areas.
What this means for choosing a VPN in 2026
A few things follow from the above, and they are mostly different from what the listicles will tell you.
1. "Has Indian servers" is no longer a useful selection criterion
Pre-2022 it was a positive signal: lower latency, simpler routing, sometimes a slightly faster path to Indian content. Post-2022 it correlates with compliance with the 5-year log mandate. A reputable no-logs provider will not have physical servers in India in 2026. If a provider markets Indian servers, the question to ask is whether those are virtual (physically elsewhere) or physical (subject to CERT-In retention).
2. Virtual Indian servers are usually fine
If your use case is "I want an Indian IP to access JioHotstar/Netflix India/Indian banking," a virtual Indian IP from a no-logs provider works for the vast majority of those scenarios. Streaming services don't materially distinguish between a physical Mumbai server and a virtual Indian IP routed via Singapore. Indian banking sites care about the IP, not the underlying physical location.
The exceptions are real but narrow: real-time Indian-server-required gaming where latency to a Singapore-physical server is too high; certain regulated trading platforms that require origin-of-connection from a domestic data center.
3. The major brands left, but they're not the only ones who left
Several smaller brands made the same decision quietly. The product question is not "which big-brand VPN works in India" but "which providers operating today have a structural commitment to no-logs that is not undermined by any active server location they operate." The answer set includes the major Western brands, plus several smaller ones — including Fexyn.
4. Be aware of the second wave
The January 2025 app store removals targeted free or freemium VPN apps with poor security reputations. The major commercial brands were not affected. But the regulatory direction is one of incremental restriction, and the Doda district precedent shows that individual-user enforcement is now legally available where authorities choose to pursue it. If you live in or travel to a region with elevated security concerns, having a VPN already installed before you arrive is more useful than trying to download one through a potentially throttled connection later.
5. The end-user is mostly not a regulated party
CERT-In regulates infrastructure operators. The Doda district ban is the only known case of individual users being targeted. The default Indian VPN user is not a regulated party and faces no direct compliance burden. The provider you choose, however, has chosen its own posture toward the directive — and that choice is the part that affects you.
How Fexyn fits
Fexyn does not operate any servers in India. Our infrastructure is in Frankfurt, Helsinki, Cyprus, and Ashburn. We serve Indian IPs the way every other reputable no-logs provider does — via virtual servers physically located outside India.
This is the trade-off the entire reputable VPN industry made in 2022. We are not unique in making it; we are unique mainly in being willing to write about it.
Specifically:
- We do not log browsing history, DNS queries, or traffic content.
- We issue 24-hour short-lived certificates from a Vault PKI, so the lifetime of any compromised credential is bounded.
- Our pricing for India is Tier 4 — $2.99/month — among the lowest published rates from any reputable provider.
- The 7-day free trial does not require a card upfront. Card payment via Indian Visa/Mastercard works through Stripe; UPI is not yet supported. Crypto payment is available as an alternative.
If you want the country-page summary with the practical setup steps, that's at VPN for India.
A broader note
The 2022 CERT-In directive has been characterized in some Western press coverage as a privacy crackdown. The more accurate characterization is regulatory rationalization in a country with a serious cybercrime problem and a developing technology sovereignty agenda. Most of the data-retention and incident-reporting requirements are well-precedented internationally.
The specific incompatibility with no-logs VPN business models is a real consequence, but it is a consequence of the no-logs commitment being a hard one to maintain under any retention regime — not a unique Indian failing. Several other jurisdictions (Russia in 2017 with the Yarovaya laws, Belarus in 2015, Pakistan with the 2025 CVAS-Data licensing) have produced similar provider-exit dynamics.
The honest version, four years on: India did not become more hostile to VPN users. It became a jurisdiction where reputable VPN providers operate without local servers. That is a smaller change than the listicle headlines suggested. It is also a change that the providers most affected have generally avoided talking about, which is why this post exists.