wordpress blog stats
Connect with us

Hi, what are you looking for?

Corporate VPNs not subject to cybersecurity directive, govt clarifies

The rules around VPNs had drawn more negative attention.

The Indian government clarified that corporate and enterprise VPN services are not subject to its new cybersecurity directive, which requires VPN providers to maintain detailed information about their customers. The directive only applies to services catering to the general Internet users, the government said.

“For the purpose of this direction, VPN service provider refers to an entity that provides ‘Internet proxy like services’ through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users,” the Ministry of Electronics and Information Technology (MeitY) said in its FAQs document on the directive issued by the Indian Computer Emergency Response Team (CERT-In).

Companies use VPN services to allow employees to connect to the office network and access company files from outside of the office premises. This clarification will be a relief to a large number of these companies who had been left wondering how they can comply with the new directive.

What are the rules for VPN providers?

The new directions issued by CERT-In on April 28 contain provisions that extend beyond VPN providers, and cybersecurity experts have spared no time in criticising them for a long list of reasons. However, the provisions pertaining to VPN providers have garnered extra attention because the proposal by CERT goes against the very selling point of VPN companies: privacy. Starting 28 June 2022, VPN providers are required to:

  • Maintain detailed customer information: Data Centres, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network Service (VPN Service) providers, are required to register the following accurate information about customers and subscribers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
    • Validated names of subscribers or customers hiring the services
    • Period of hire including dates
    • IPs allotted to or being used by the members
    • Email address and IP address and time stamp used at the time of registration
    • The purpose of hiring services
    • Validated address and contact numbers
    • Ownership pattern of the subscribers or customers hiring services
  • Maintain logs for 180 days on Indian servers: Separately, all entities (not just VPN providers) must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days and the same should be maintained within Indian jurisdiction.
  • Face fine of jail term for failure to comply: Failure to comply with these rules can result in imprisonment for up to one year or with a fine of up to one lakh rupees or both. It is not entirely clear who will be subject to the jail term if dealt out.

There are more directions that apply to VPN service providers as well as other companies. You can access a copy of the full directions here and read our summary.

What has been the reaction from VPN services?

Nord, Proton, Express, Surfshark, Windscribe, and Mullvad, which are some of the popular Virtual Private Network (VPN) service providers, objected to the new rules on privacy and surveillance grounds. All of these providers made it clear that they will not comply with the new directions either because it is technically not feasible for them to or because they will pull out of the country to avoid compliance or because they don’t have any structural presence in India for the government to go after them. Windscribe criticised the rules for being more stringent than those of “dictatorships” like China and Russia.

Advertisement. Scroll to continue reading.

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ