India's VPN Crisis: What the CERT-In Logging Mandate Means and Which VPNs Still Work

In April 2022, India's Computer Emergency Response Team, CERT-In, forced major VPN providers to choose: log users or leave. The serious privacy providers left. The rest either complied or hid the tradeoff behind softer language.

Here is what CERT-In requires, what providers actually did, and what still makes sense for Indian users in 2026.

Summary for Indian users

  • 5-year log: 5 yrs (CERT-In mandate, Apr 2022)
  • Response window: 6 hrs (CERT-In directive)
  • Shutdowns (2012–24): 848 (Internet Shutdown Tracker)
  • Trading volume drop: −91.5% (India exchange data 2025)

What CERT-In Actually Requires

The CERT-In directive, issued April 28, 2022 and effective June 28, 2022, applies to VPN providers, cloud providers, VPS providers, and data centers that run physical infrastructure inside India. It requires them to:

  • Collect and verify the real name of each subscriber
  • Collect and validate email address and phone number
  • Log IP addresses assigned to users, including source and destination IPs
  • Record usage patterns and session timestamps
  • Retain all of the above for five years
  • Provide this data to CERT-In or law enforcement within six hours of a request

That six-hour window matters. This is not a court process. It is an administrative demand. CERT-In does not need a judge to sign off before it asks for data. The Information Technology Act gives it broad power over companies that run tech infrastructure in India.

Which Providers Complied vs Refused

Mullvad was blunt: "We will not collect the data required by CERT-In." It removed all Indian servers in May 2022, before the rule took effect. IVPN followed. Other providers also pulled servers, though some were less clear in public.

VPN provider responses to India CERT-In directive

| VPN Provider | Response to CERT-In | Physical Indian Servers | Virtual India Server Available | Recommended |
|---|---|---|---|---|
| Mullvad | Removed servers - publicly refused logging | No | Yes (Singapore-hosted) | Yes |
| IVPN | Removed servers - no-logs policy | No | No | Yes |
| NordVPN | Removed servers, offers virtual India | No | Yes | Caution - Panama-based but Tesonet ties |
| ExpressVPN | Removed servers, offers virtual India | No | Yes | No - Kape Technologies owned |
| Surfshark | Removed servers, offers virtual India | No | Yes | Caution - merged with NordVPN parent |
| PureVPN | Initially unclear; later removed servers | No (moved to virtual) | Yes | No - history of cooperating with FBI (2017) |

ExpressVPN is not recommended even apart from CERT-In. It is owned by Kape Technologies, a company with a documented history of shipping adware under earlier names. See our full analysis: Kape Technologies and ExpressVPN.

What "Virtual India Server" Actually Means

When a VPN says it still offers an "India server" after pulling hardware out of India, it usually means a server in Singapore, the Netherlands, or another country that hands out Indian IP addresses and routes traffic so it appears Indian.

Because the hardware is not in India, CERT-In has no jurisdiction over that server. Indian law reaches infrastructure inside Indian borders. A server in the Netherlands with an Indian exit IP falls under Dutch law, not Indian law.

This is a normal technical setup, not a magic shield. It works for streaming and region-specific services. The cost is speed. Latency will usually be 80-150ms higher than a domestic connection, which matters for real-time use.
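A provider's "virtual location" claim can be sanity-checked with latency-based distance bounding: a round-trip time caps how far away the server can physically be, so a very low RTT from a host outside India rules out Indian hardware. The sketch below is an added example, not code from this guide or from any provider; the city coordinates, vantage points and RTT values are constructed, and the 100 km per millisecond of RTT figure is the usual fibre approximation.

```python
import math

# Upper bound: light in fibre covers about 200 km per ms one way (roughly 2/3 c),
# so a round-trip time of t ms puts the server at most ~100 * t km away.
KM_PER_MS_RTT = 100.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def feasible_sites(probes, candidates):
    """Return candidate cities that no probe's RTT rules out.

    probes: list of (vantage_coords, min_rtt_ms); use the minimum of several
    pings, since queueing only ever adds delay and loosens the bound.
    """
    ok = []
    for name, coords in candidates.items():
        if all(haversine_km(v, coords) <= rtt * KM_PER_MS_RTT for v, rtt in probes):
            ok.append(name)
    return ok

# Constructed coordinates and RTTs, for illustration only.
CITIES = {
    "Mumbai": (19.08, 72.88),
    "Singapore": (1.35, 103.82),
    "Amsterdam": (52.37, 4.90),
}
FRANKFURT = (50.11, 8.68)

SAMPLE_PROBES = [
    (CITIES["Mumbai"], 62.0),      # pinged from a host in Mumbai
    (CITIES["Singapore"], 3.0),    # pinged from a host in Singapore
    (FRANKFURT, 160.0),            # pinged from a host in Frankfurt
]

if __name__ == "__main__":
    # A 3 ms RTT from Singapore caps the distance at ~300 km, which excludes India.
    print(feasible_sites(SAMPLE_PROBES, CITIES))
```

The bound only excludes locations; it never proves one. Measure against the server's own address from outside the tunnel, because the exit IP's geolocation record is exactly the thing a virtual location changes.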

The Broader Surveillance Context

CERT-In is only one piece of India's surveillance stack. It drew attention because it hit foreign privacy tools directly, but it sits inside a much bigger system:

  • Centralised Monitoring System (CMS): Operational since roughly 2013-2016, CMS intercepts phone calls and internet activity without needing telecom operators involved in each request. Agencies can tap traffic directly.
  • NATGRID: The National Intelligence Grid links 21 intelligence and law enforcement agencies and handles more than 45,000 data requests each month. It pulls together railway bookings, airline records, immigration data, banking data, and telecom records into one searchable system.
  • IT Act Section 69: Allows interception of online communication without a court order. The approving authority is an executive official, not a judge.
  • IT Act Section 69A: Lets the government block websites without judicial oversight and without public notice. It is the legal path behind the 848 shutdowns documented between 2012 and 2024.

A VPN shields your traffic from your ISP and from CERT-In-style logging at the provider layer. It does not stop CMS interception if your connection is already identified, and it does not stop NATGRID queries against other records tied to you, such as banking or travel data.

India's Shutdown Record - Why VPNs Are Survival Infrastructure

India has imposed more internet shutdowns than any other country on record. The Internet Shutdown Tracker counted 848 shutdowns between 2012 and 2024. Some hit one district during protests. Others cut whole states off for days or weeks.

During a partial shutdown, where officials block specific sites or services with DNS tampering or IP blocks, a VPN routed through another country can bypass the block. VPN use spiked more than 700% in India during a major shutdown in June 2025, according to network monitoring firms.

During a full blackout, where ISPs cut connectivity at the backbone level, no VPN can help because there is no link to tunnel through. In that case, offline mesh tools like Meshtastic still allow device-to-device communication. That is a different setup and it has to be ready before the shutdown starts.

The Crypto Surveillance Connection

The same state that wrote CERT-In built an aggressive surveillance regime for crypto users too:

  • 30% flat tax + 1% TDS: India's 2022 crypto tax rules imposed a 30% flat tax on gains, no loss offsetting, and a 1% tax deducted at source on each transaction. Domestic exchange volume then collapsed 91.5% between October 2024 and October 2025 as traders moved offshore.
  • IT department probes: India's Income Tax department opened investigations into more than 400 high-value Binance users identified through data-sharing channels and used offshore exchange activity to build domestic tax cases.
  • January 2026 biometric KYC: Indian exchanges now require a live selfie with deepfake checks, a PAN card, secondary ID, and geo-tagging with latitude, longitude, timestamp, and IP address. Few jurisdictions demand more.

For Indian crypto users who want less surveillance, the practical path is peer-to-peer access through Haveno, self-custody, and privacy coins like Monero when financial privacy matters. See our guide: How to Buy Monero Without KYC.

Why Mullvad's Server Removal Matters

The most important signal from the CERT-In episode was not technical. It was behavioral. Mullvad and IVPN both removed Indian infrastructure instead of logging users. That tells you how those companies act when a government applies direct pressure.

A provider that complied in order to keep Indian market share made a different choice: revenue over user privacy. Even if the policy details differ, the decision shows what wins when the state demands logs.

A no-logs policy only means something if it survives pressure. Mullvad left. IVPN left. That is the test that matters.

Practical Recommendations for Indian Users

1. Use Mullvad or IVPN. Both have audited no-logs claims, removed Indian infrastructure instead of complying with CERT-In, and accept Monero. Mullvad offers a virtual India server if you need an Indian IP for geo-unblocking. Subscribe with Monero from a wallet like Cake Wallet if you want less identity linkage.
2. Choose a server outside Five Eyes jurisdiction. Use servers in Switzerland, Iceland, or Sweden when your threat model includes state actors. Avoid UK, US, Australian, and Canadian servers in that case. See our explainer: Five Eyes Jurisdiction and Privacy.
3. Use Tor for the most sensitive work. Tor Browser routes traffic through three relays in different countries so no single hop sees both you and your destination. For reaching blocked sites during partial shutdowns or talking to sources, Tor gives a different and often stronger guarantee than a commercial VPN. Running Tor over Mullvad also hides Tor use from your ISP.
4. Understand what the VPN does not protect. A VPN encrypts traffic between your device and the VPN server. It does not stop device malware, provider-side metadata, NATGRID queries against banking or travel records, or full blackouts where connectivity is cut off.
5. For crypto: use offshore or P2P paths. Indian exchange KYC now includes biometric liveness checks and GPS-tagged registration. If you want to avoid that, the practical options are peer-to-peer use of Haveno or self-custody of assets you already hold. As of 2026, there is no domestic no-KYC route left.

Cunicula is editorially independent and receives no government or financial industry funding. CERT-In mandate details sourced from official gazette notifications. Shutdown statistics from the Internet Shutdown Tracker. Mullvad server removal sourced from Mullvad's official blog.

Follow the Money

India's ISP surveillance stack sits inside giant conglomerates. VPNs that stayed kept market access. VPNs that left kept their position.

India surveillance: ISP ownership and VPN compliance decisions

  • ISP ownership: Jio (Reliance / Mukesh Ambani, $200B+ market cap) · Airtel · Vi - all with full deep packet inspection
  • CERT-In mandate: Apr 2022: 5-yr logs · 6-hr disclosure · no court order required · NordVPN/Surfshark/ExpressVPN removed servers · PureVPN retained → AVOID · Mullvad + IVPN refused and left
  • Crypto surveillance: 30% flat tax + 1% TDS → −91.5% trading volume · IT dept probes: 400+ Binance users identified · Jan 2026: biometric + GPS-tagged KYC

Frequently Asked Questions

Are VPNs legal in India?

Yes. VPN use is legal in India. The CERT-In directive did not ban VPNs. It forced providers with physical servers inside India to keep user data for five years. Providers that moved infrastructure outside India are outside that rule. Indian users can legally use foreign VPN providers with no Indian servers.

What is a "virtual India server" and does it protect me?

A virtual India server gives you an Indian IP address while the hardware sits outside India, often in Singapore, the Netherlands, or the UK. Because the hardware is not in India, the CERT-In logging rule does not apply. It works for geo-unblocking. The tradeoff is higher latency than a domestic server.

Which VPN should Indian users use in 2026?

Mullvad and IVPN are the clearest picks. Both refused CERT-In logging, removed their Indian servers, and keep public no-logs claims backed by outside audits. Both accept Monero. Mullvad also offers a virtual India server if you need an Indian IP.

Does a VPN protect me during an Indian internet shutdown?

Partly. A VPN can bypass DNS blocks and some IP blocks during partial shutdowns. It cannot help during a full blackout where the ISP cuts connectivity itself. India has used both. For full blackouts, mesh tools like Meshtastic can still support local device-to-device communication.