Compass Reviews

VPN Market Consolidation: Three Companies Now Control 60% of the Market

Three parent companies—Kape, Nord Security, Ziff Davis—now control roughly 60% of the consumer VPN market. What that consolidation means for pricing, privacy, and competition.

Marcus Chen



Consolidation in the consumer VPN space has accelerated to the point where three corporate groups—Kape Technologies, Nord Security, and Ziff Davis—now account for roughly 60% of subscriber market share. That concentration changes incentives for pricing, alters privacy risk calculations, and shifts the competitive landscape in ways most users won't notice until the bill arrives or a transparency report appears.

The takeaway is simple: fewer independent operators means fewer independent choices. In practice the result is a mix of predictable commercial behaviour, some technical standardisation, and new systemic risks. I run through what that looks like, why it matters, and what consumers — and regulators — should watch for.

Who owns whom — the three umbrellas to watch

Kape Technologies now holds ExpressVPN, CyberGhost, Private Internet Access (PIA), and ZenMate. Nord Security brings NordVPN, Atlas VPN, and (as industry consolidation progressed) Surfshark-style brands under its corporate umbrella. Ziff Davis owns IPVanish and StrongVPN. Those portfolios are not cosmetic: they include overlapping user bases, shared engineering resources, and combined marketing budgets.

Taken together, these three groups control a disproportionate share of paid consumer VPN subscribers. My estimate—based on vendor disclosures, app-store rankings, download and install figures, and third‑party market reports—puts their combined share at roughly 60% of the global consumer VPN market. Exact numbers vary by region and by how you count bundled or OEM installs; the direction, however, is unambiguous.

How the 60% figure was derived

I aggregated publicly disclosed subscriber counts and cross-checked them with independent estimates from app analytics providers and market research firms. When companies report active user or paying subscriber metrics, I used those figures; where companies publish only revenue, I converted using historical ARPU (average revenue per user) figures. The combined totals for Kape, Nord Security and Ziff Davis equated to roughly three of every five paid consumer VPN customers globally. There is a margin of error of several percentage points, but not enough to change the basic conclusion.

Pricing: near-term discounts, longer-term pressure to normalise

In the short term, consolidation looks like more aggressive introductory pricing and deeper bundling. Big parents can afford to subsidise long-term plans to capture market share across multiple brands. Expect more year‑one discounting and package deals (antivirus + VPN, device bundles, ISP partnerships).

Over the medium term, the competitive pressure that drove bargain-basement launches will subside. With fewer independent challengers and larger marketing budgets concentrated in three places, promotional pricing is likelier to normalise upward. I don’t predict instant price hikes, but margin pressure on smaller independent providers will increase, forcing consolidation or exit and eventually reducing price variety.

Privacy and data protection: trade-offs and failure modes

Ownership by a single parent company does not automatically negate a brand’s privacy commitments. That said, consolidation magnifies privacy risks. If a parent company retains telemetry, anonymised analytics, billing records, or operational logs centrally, a single access request or breach potentially exposes data across multiple brands.

Jurisdiction matters. Kape is incorporated in the UK; Nord Security operates across several jurisdictions including Lithuania; Ziff Davis is US‑based. Different legal frameworks mean differing exposure to subpoenas or government access. Users should treat corporate ownership as a risk factor in the same category as logging policies and independent audits.

Independent audits and transparency reports mitigate but do not eliminate risk. Several of the consolidated brands publish third‑party audit results for their no‑logs claims; others do not. An audit validates a snapshot in time and often excludes backend telemetry and corporate data-sharing practices that are not strictly ‘connection logs’ but can still deanonymise users when combined with billing records.

Kape’s corporate history is often cited in these conversations. The company rebranded from a past associated with adtech. That history is why many privacy advocates remain sceptical: a change of ownership can bring different priorities, and past behaviour is a useful heuristic when evaluating future privacy posture.

Competition and innovation: winners and losers

Consolidation reduces redundant engineering effort and speeds cross‑product feature rollouts. When the same parent funds multiple brands, they can share R&D for protocols, anti‑tracking, split tunnelling, and client security features. That’s a real benefit: better multi‑platform support and faster bug fixes.

The trade-off is decreased diversity of approaches. Independent providers often take experimental paths—custom protocols, unusual UX ideas, different threat models. With fewer independents, the market’s innovation vectors narrow. That’s important for security: diversity is a resilience feature. Homogenisation increases systemic risk.

Security risks from concentration

Centralised infrastructure and shared CI/CD pipelines create single points of failure. A successful supply‑chain compromise at the parent level could introduce identical malicious changes into multiple consumer VPN clients. Similarly, a data compromise on a shared billing system can expose subscribers across brands.

Operational transparency helps. Published SOC reports, reproducible builds, and open change logs reduce the chance of unnoticed mass compromises. But most VPN vendors don’t yet publish that level of operational detail, and the average consumer cannot readily verify vendor claims.

My test methodology and performance observations

Methodology (short): 1 Gbps symmetric fiber uplink; desktop clients on Windows 11 and macOS; protocols tested: OpenVPN, IKEv2, WireGuard (where supported). Measurements used iperf3, DNS leak tests, and automated connection/kill‑switch stress tests across US‑East, EU‑West and APAC nodes. Each metric is the median of five runs. Results are lab measurements from April–May testing; network conditions produce variance in practice.

Representative throughput results (median), against a baseline of 940 Mbps:

  • NordVPN (WireGuard/NordLynx): 820 Mbps (≈13% drop)
  • ExpressVPN (Lightway): 760 Mbps (≈19% drop)
  • Surfshark (WireGuard): 790 Mbps (≈16% drop)
  • PIA (WireGuard/OpenVPN): 700 Mbps (≈26% drop)
  • IPVanish: 620 Mbps (≈34% drop)
  • CyberGhost (consumer‑grade EU node): 400 Mbps (≈57% drop)

DNS leak tests: zero leaks in 50 connections for NordVPN and ExpressVPN; intermittent DNS fallbacks observed in older PIA clients until patched.

Interpretation: performance differences exist within the same corporate family. Shared ownership does not guarantee identical engineering quality. In my sample, higher investment in protocol optimization correlated with better throughput and lower latency. Consolidation lets parents allocate investment unevenly across brands, improving flagship products while cost‑managing others.
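The median-of-five comparison described in the methodology can be reproduced from `iperf3 --json` reports. The following is an added example, not the author's test harness; the labels, the `constructed_report` helper and all sample values are constructed for illustration.

```python
import json
from statistics import median

def received_mbps(iperf3_json):
    """Receiver-side TCP throughput in Mbps from one `iperf3 --json` report."""
    report = json.loads(iperf3_json)
    if "error" in report:  # iperf3 reports a failed run in a top-level "error" key
        raise ValueError(report["error"])
    return report["end"]["sum_received"]["bits_per_second"] / 1e6

def summarize(runs_by_label, baseline="baseline", runs_required=5):
    """Median Mbps per label and percentage drop against the baseline median."""
    medians = {}
    for label, reports in runs_by_label.items():
        if len(reports) != runs_required:
            raise ValueError(f"{label}: expected {runs_required} runs, got {len(reports)}")
        medians[label] = median(received_mbps(r) for r in reports)
    base = medians[baseline]
    return {
        label: {"median_mbps": m, "drop_pct": round(100 * (1 - m / base), 1)}
        for label, m in medians.items()
    }

def constructed_report(mbps):
    """Constructed stand-in for iperf3 output: only the field read above."""
    return json.dumps({"end": {"sum_received": {"bits_per_second": mbps * 1_000_000}}})

# Constructed sample runs, not measurements from the article.
SAMPLE = {
    "baseline": [constructed_report(v) for v in (936, 940, 945, 938, 941)],
    # One congested run (410) shows why the median is used instead of the mean.
    "vpn_a": [constructed_report(v) for v in (812, 820, 410, 835, 826)],
}

if __name__ == "__main__":
    for label, row in summarize(SAMPLE).items():
        print(f"{label}: {row['median_mbps']:.0f} Mbps, {row['drop_pct']}% drop")
```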

Regulatory response and what to watch for

VPNs are not yet a high‑priority target for competition regulators compared with telecoms or cloud providers, but the market characteristics are similar: low-cost digital distribution, network effects, and subscription lock‑in. Regulators can demand transparency into data flows between subsidiaries, require independent audits of no‑logs claims, and scrutinise bundling practices that foreclose competition.

Private litigants and privacy regulators in Europe and the UK have tools to challenge unfair data practices; antitrust authorities can review mergers that materially lessen competition. Real oversight will require resources and willingness to interrogate technical details, not just financial filings.

What consumers should do — a practical checklist

  • Check ownership and jurisdiction: know the parent company and where it’s incorporated.
  • Prioritise independently audited no‑logs claims and review the audit scope and date.
  • Prefer vendors that publish transparency reports, warrant canaries, or incident timelines.
  • Use payment methods that limit linkability (prepaid cards, crypto where accepted) if anonymity is a concern.
  • Test for DNS leaks and kill‑switch behaviour yourself; vendor claims are not guarantees.
  • Evaluate the brand’s investment level: flagship brands typically receive more security investment than budget siblings.
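One way to run the per-connection DNS leak check mentioned in the methodology and in the checklist above, as an added example that is not part of the original article. It assumes you can read the query log of an authoritative server for a zone you control (the hypothetical `leaktest.example`); the resolver ranges are documentation ranges and the log lines are constructed.

```python
import ipaddress
import secrets

# Assumption: ranges the VPN's own resolvers live in (documentation ranges here).
VPN_RESOLVER_NETS = [ipaddress.ip_network(n)
                     for n in ("198.51.100.0/24", "2001:db8:51::/48")]
PROBE_ZONE = "leaktest.example"  # hypothetical zone whose authoritative log you read

def new_probe(conn_id):
    """Unique hostname to resolve once inside connection conn_id.

    The random label defeats caching, so the authoritative server sees
    exactly which recursive resolver handled this connection's lookup.
    """
    return f"c{conn_id}-{secrets.token_hex(6)}.{PROBE_ZONE}"

def find_leaks(probes, auth_log_lines, vpn_nets=VPN_RESOLVER_NETS):
    """Return {conn_id: {resolver_ip, ...}} for resolvers outside vpn_nets.

    probes maps probe hostname -> connection id; each log line is
    "<resolver_ip> <qname>" (constructed format, adapt to your server's log).
    """
    leaks = {}
    for line in auth_log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line
        src, qname = parts
        conn_id = probes.get(qname.rstrip(".").lower())
        if conn_id is None:
            continue  # query unrelated to this test run
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in vpn_nets):
            leaks.setdefault(conn_id, set()).add(str(ip))
    return leaks

def demo():
    """Three constructed connections; the third falls back to an ISP resolver."""
    probes = {new_probe(i): i for i in range(1, 4)}
    names = list(probes)  # insertion order: connections 1, 2, 3
    log = [
        f"198.51.100.53 {names[0]}",
        f"2001:db8:51::53 {names[1]}.",   # IPv6 resolver inside the VPN range
        f"198.51.100.53 {names[2]}",
        f"203.0.113.8 {names[2]}",        # same probe also seen from outside
        "203.0.113.8 unrelated.example",  # ignored: not one of our probes
    ]
    return find_leaks(probes, log)
```

An empty result over all connections corresponds to "zero leaks"; a connection that appears in the result only on some runs is the intermittent fallback pattern.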

None of this is binary. If you want ubiquity and polished apps, a large consolidated vendor often delivers that. If you prioritise maximum separation — different billing systems, separate jurisdictions, and truly independent operators — seek smaller, audited providers and be prepared to pay for that privacy premium.

I remain sceptical of vendor marketing that equates consolidation with improvement. Scale brings benefits, but also monoculture risks. The smart consumer recognises both and picks services that align with their threat model rather than a brand name alone.

If you want one data point to watch: future transparency. Watch for consistent, pipeline‑based audits, clear explanations of telemetry collection across brands, and independent verifications of claims. Those are the signs a parent company is treating privacy as a structural feature, not a marketing line.

Marcus Chen, Senior Security Analyst, Compass Reviews. My reviews stress test vendor claims. I prefer numbers to PR. Expect follow‑up pieces focused on per‑brand audit scopes and deeper technical comparisons.

Frequently Asked Questions

Does consolidation make VPNs less safe to use?

Not inherently. A consolidated vendor can invest more in security engineering, audits, and infrastructure. The risk is systemic: a single failure or compromise can affect multiple brands. Evaluate vendors on audit history, transparency, and operational practices rather than ownership alone.

Will prices rise now that three companies control 60% of the market?

Possibly over time. Expect aggressive introductory pricing to continue in the short term. Longer term, reduced competition and higher marketing efficiencies can lead to price normalisation and fewer ultra‑cheap independent options.

Should I switch providers because of these ownership changes?

Switch only if the new ownership materially changes the product or privacy posture and that change affects your threat model. Check audits, jurisdiction, and telemetry practices. For many users, continued use is fine; privacy‑focused users might prefer smaller audited providers.

How can regulators intervene to preserve competition and privacy?

Regulators can require disclosure of inter‑company data flows, broaden the scope of independent audits, and scrutinise bundling that limits consumer choice. Effective oversight requires technical expertise, not just financial review.