Compass Reviews

New VPN Regulations in 2026: What Users Need to Know

How 2026 rules in the EU, India, and Australia change VPN use: transparency, mandatory logs, registration proposals, and practical steps users should take to protect privacy.

Elena Vasquez

New VPN Regulations in 2026: What Users Need to Know (EU, India, Australia)

In 2026 regulators across three major jurisdictions moved to tighten the regulatory regime around virtual private networks (VPNs). The European Commission invoked provisions of the Digital Services Act (DSA) to demand greater transparency from VPN operators; India’s CERT-In expanded enforcement of its logging mandate; and Australia introduced a proposed bill that would require VPN registration and a local contact point. These are not abstract policy shifts — they will materially change what “privacy” means for millions of users.

What the EU said under the DSA

In early 2026 the European Commission published implementing guidance clarifying that VPN providers, when they perform traffic routing and make claims about content access or moderation, fall within the DSA’s scope of intermediary services. The guidance does not criminalize encryption, but it does impose obligations: documented transparency reporting, verifiable evidence for no-logs claims, risk assessments for systemic harms, and compliance with legal removal orders issued under national courts.

Critically, the DSA guidance requires VPNs that market to EU residents to make available independent audit reports or attestations that specifically validate logging and retention practices, the existence and location of any logging, and the technical controls used to isolate user identifiers. The Commission explicitly called out the necessity of describing audit scope — what was and was not tested — because audit reports with opaque scopes undermine the transparency goal.

This is a meaningful departure from prior practice where many vendors issued short audits or high-level attestations that did not examine server configurations, retention backends, or legal processes for responding to orders. Independent firms such as Cure53 and PricewaterhouseCoopers (PwC) are named in the guidance as acceptable auditors, but the Commission warned that the identity of the auditor alone is insufficient; methodology and scope matter.

India’s CERT-In: the logging mandate update

India’s Computer Emergency Response Team (CERT-In) first issued a controversial directive in 2022 requiring VPN, cloud, and virtual private server providers to retain user metadata and furnish it on request. In 2026 the agency published clarifications that concretely broaden enforcement: providers reachable in India must appoint a local compliance officer, maintain mandatory metadata for 180 days, and respond to lawful requests within a 72-hour window.

The update explicitly states that jurisdictional location of corporate headquarters is not a shield: foreign-based providers that have users in India or that market to Indian customers are in scope. CERT-In’s order also clarified penalties for noncompliance, including fines and blocking orders at the ISP level, and it opened the door to requirements for real-time interfaces for urgent investigative demands.

From a privacy and civil liberties perspective this is substantial. Mandatory retention of metadata combined with a local representative undermines the anonymity model that some VPNs — notably those that allow anonymous payment or limit account identifiers — have used as a mitigant to surveillance risk.

Australia’s proposed VPN registration bill

Australia’s proposed bill, introduced in parliament in 2026, would require registration by any VPN operator that offers services to Australian residents or markets its product in Australia. Registered providers would need to maintain verified contact details, respond to certain lawful data requests, and certify adherence to a new Australian communications code, which includes provisions for disabling access to specified illegal content.

The bill also contemplates a whitelist/blacklist mechanism at the ISP level to block noncompliant providers and allows warrants to compel cooperation. Unlike the EU DSA guidance, Australia’s proposal is explicit about the registration itself being a public record, which civil liberties advocates warn would create a catalog of privacy-preserving services and their owners.

What this means for consumers (practical impacts)

Three practical consequences are immediate and concrete: reduced anonymity for customers of providers that comply with registration or local-representative rules; stronger evidence requirements for “no-logs” marketing claims; and a higher administrative burden on smaller privacy-focused operators that may choose to stop servicing certain markets rather than expose themselves to local law enforcement orders.

Users in affected jurisdictions should assume that some VPN services will fork: larger, commercially mature firms (NordVPN, ExpressVPN, Surfshark) will likely accept regulatory compliance and publish the requested transparency artifacts; smaller operators that prioritize anonymity (Mullvad, OVPN-style providers) may restrict access, withdraw from markets, or shift to invitation-only models.

Critically, registration and logging mandates do not make encryption useless. They change threat models. If a provider keeps connection metadata — timestamps, assigned IPs, source IPs — that metadata can be correlated with other datasets to deanonymize users. For dissidents, journalists, or activists, the difference between a service retaining no metadata and one that retains 180 days of logs is existential.

Technical security: audits, CVEs, and real threats

Regulation often focuses on paperwork, but security failures are technical and concrete. Past vulnerabilities such as CVE-2021-4034 (PwnKit) and CVE-2019-14899 illustrate the risk: local privilege escalation bugs and network-stack edge cases can allow an attacker to bypass user-level protections or infer VPN usage patterns. Users must therefore treat software hygiene as part of regulatory risk mitigation.

Independent audits are useful but limited. Audits by reputable firms (the Commission cites Cure53 and PwC) should be inspected for scope: did the audit review source code, server deployment, retention backends, legal-process handling, and incident response, or was it limited to browser extensions or client binaries? A 10-page summary that proclaims ‘no logs’ without showing server-side evidence is insufficient.

Users should look for specific signals: RAM-only server setups (ephemeral servers that do not write persistent logs), published audit reports with clear scope and methodology, jurisdiction in privacy-friendly countries (Switzerland, Iceland), and privacy features such as anonymous payment (cash, cryptocurrencies), multi-hop routing, and reliable kill-switch implementation.

What you can do right now

Immediate consumer steps

  • Read the privacy policy and the audit report: verify scope and dates; a recent third-party report that inspects server infrastructure is preferable to a marketing statement.
  • Choose providers with transparent operational models: Mullvad’s account model, for example, minimizes identifiers; ProtonVPN publishes transparency reports and has a history of court resistance in data requests.
  • Consider jurisdiction: a Panama- or Switzerland-based provider may offer stronger contractual protections against foreign compulsion than a provider incorporated in a surveillance-friendly state.
  • Harden your clients: keep VPN clients and operating systems up to date to mitigate known CVEs (e.g., CVE-2021-4034), and prefer providers that support modern protocols (WireGuard) and have well-implemented kill switches.
  • If anonymity is essential, deploy your own endpoint on a minimal VPS or use Tor for high-risk browsing; running your own WireGuard server reduces exposure to provider-side logging.
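The kill switch mentioned above is easiest to reason about as a firewall policy that fails closed. As an added example (not from the article or any provider's software), this shell function renders an nftables ruleset in which nothing, plaintext DNS included, leaves the host except through the tunnel interface or as the encrypted WireGuard traffic to the server; the tunnel name `wg0`, the server address `203.0.113.10` and port `51820` are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Renders an nftables ruleset that acts
# as a VPN kill switch: the output chain's policy is "drop", so a packet only
# leaves the host if it is inside the tunnel or is the WireGuard transport to
# the server itself. If the tunnel goes down, traffic fails closed instead of
# leaking (with its DNS queries) over the bare uplink.
# Constructed assumptions: tunnel interface wg0, server 203.0.113.10
# (RFC 5737 documentation range), WireGuard listening on UDP 51820.

# Usage: kill_switch_ruleset <tunnel-if> <server-ipv4> <server-udp-port>
kill_switch_ruleset() {
    tun="$1"; endpoint="$2"; port="$3"
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        # local processes talking to each other
        oifname "lo" accept
        # anything already wrapped in the tunnel
        oifname "$tun" accept
        # the tunnel itself: only the server endpoint, only its port
        ip daddr $endpoint udp dport $port accept
        # keep the DHCP lease on the uplink alive
        udp dport 67 accept
        # everything else, including plaintext DNS and all IPv6, is dropped
    }
}
EOF
}

# Load into the kernel (root required):
#   kill_switch_ruleset wg0 203.0.113.10 51820 | nft -f -
# Remove again when the VPN is intentionally stopped:
#   nft delete table inet vpn_killswitch
kill_switch_ruleset wg0 203.0.113.10 51820
```

Putting the `nft -f -` line in the WireGuard client's `PostUp` hook and the `nft delete` line in `PreDown` ties the ruleset's lifetime to the tunnel's.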

These steps are not ironclad; they change the probability of exposure. But they are concrete actions that reduce risk in a world where regulatory choices increasingly intersect with technical evidence of privacy.

Policy criticism: what regulators miss

I am deeply skeptical of “registration solves abuse” narratives. Registration creates rich target sets for surveillance and corporate capture. Mandating public registries of privacy-preserving services invites harassment, state pressure, and commercial opportunism. The policy impulse to make enforcement easier must be weighed against the chilling effect on speech and association.

Regulators have also ignored a basic technical reality: proving a negative (absence of logs) is hard. Audits can demonstrate configurations and policies at a point in time, but they cannot prove that a provider will not be compelled in the future or that a compromised server did not transiently retain identifiers. This is why technical designs — ephemeral RAM-only servers, strong compartmentalization, and minimal metadata collection — matter as much as legal commitments.

Civil liberties advocates should demand precise oversight mechanisms that respect encryption and anonymity while giving law enforcement narrow, transparent, and judicially supervised tools. Blanket mandates that force retention or public registration are blunt instruments that trade away core privacy rights for speculative gains in enforceability.

Market consequences to watch

Expect consolidation and geographic segmentation. Large firms with legal and compliance resources will expand; boutique anonymity-first providers may narrow their markets or exit jurisdictions they deem unsafe. Consumers who prioritize privacy will face trade-offs: ease-of-use and broad device support from large, compliant vendors versus strict minimization and stronger anonymity from niche providers.

Finally, watch for technical evasions: some providers will adopt geo-fencing to avoid being in-scope for particular laws, while others will offer tailored “compliance” and “privacy” tiers. Vet such offers skeptically and ask for independent validation of claims.

Regulation is not inherently bad. Transparency and accountability for deceptive advertising and shoddy security are overdue. But regulation that ignores cryptographic realities and the asymmetric risks faced by vulnerable populations is dangerous. The policy debate in 2026 is a live one — and the stakes are civil rights, not just convenience.

Frequently Asked Questions

Will my VPN still encrypt my traffic under these new rules?

Yes. None of the announced measures ban encryption. What changes is whether providers must keep metadata (timestamps, IPs) and whether they must register with local authorities. Encryption remains an effective confidentiality tool, but metadata retention can enable deanonymization when correlated with other datasets.

Should I switch providers because of these rules?

Not automatically. Evaluate whether your threat model requires anonymity or just privacy. If you require strong anonymity, consider providers that minimize account identifiers (Mullvad-style tokens), self-hosted WireGuard servers, or Tor. If you need usability and broad support, larger providers that publish verifiable audits may be acceptable.

Are independent audits enough to trust a provider’s no-logs claim?

Audits are necessary but not sufficient. Check audit scope and methodology: did the auditor inspect server deployment, retention backends, and legal-process handling? Also check for recentness, reproducibility, and whether the provider uses ephemeral RAM-only servers — these technical protections complement legal assurances.