NordVPN, one of the most popular VPN providers, is the latest to confirm that it will be removing its servers in India ahead of the nation enforcing new strict guidelines later this month.
The Lithuania-based firm, which counts General Catalyst and Novator among its backers and is valued at $1.6 billion, said on Tuesday that it doesn’t maintain any logs of its customers’ data, strings of information that New Delhi will soon require VPN providers to share.
“Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” a company spokesperson said.
The Indian Computer Emergency Response Team, the body appointed by the government to protect India’s information infrastructure, unveiled cybersecurity guidelines in late April that will require “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” to store customers’ names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years.
The new rules go into effect June 27.
NordVPN’s decision follows similar directions taken by ExpressVPN and SurfShark, both of which have removed servers in the country. It’s unclear how popular VPN services are in India, but on their sites the aforementioned firms say they are used by millions of users worldwide.
ProtonVPN, another popular VPN provider, has also said that it is committed to keeping its “no-logs policy.” Some VPN providers including ExpressVPN have said that they will continue to provide “virtual server locations” to Indian customers, but according to the new rules, such a bypass might still be in violation of the new guidelines.
Lawmakers in India have made it clear that they have no intentions to relax the new rules.
Rajeev Chandrasekhar, the junior IT minister of India, said in a press conference last month that VPN providers who wish to conceal who uses their services “will have to pull out” of the country. The government, he said, will not be holding any public consultation on these rules.
The new rules also mandate firms to report incidents of security lapses such as data breaches within six hours of noticing such cases. Following pushback from advocacy groups, Chandrasekhar said last month that India was being “very generous” in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore that he said had stricter requirements.
“If you look at precedence all around the world — and understand that cybersecurity is a very complex issue, where situational awareness of multiple incidents allow us to understand the larger force behind it — reporting accurately, on time, and mandatorily is an absolute essential part of the ability of CERT and the government to ensure that the internet is always safe,” he said.