NordVPN, one of the most popular VPN providers, is the latest to confirm it will remove its servers in India before the nation imposes new strict guidelines later this month.
The Lithuania-based company, which counts General Catalyst and Novator among its backers and is valued at $1.6 billion, said on Tuesday it keeps no logs of its customers’ data, information strings that New Delhi will soon need VPN providers. . parts.
“In addition, we are committed to protecting the privacy of our customers. That’s why we can no longer keep servers in India,” said a company spokesperson.
In late April, the Indian Computer Emergency Response Team, the body appointed by the government to protect India’s information infrastructure, unveiled cybersecurity guidelines that would require “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset- service providers, virtual asset providers, custodian wallet providers, and government organizations” to store customers’ names, email addresses, IP addresses, know-your-customer data, and financial transactions for a period of five years.
The new rules will come into effect on June 27.
NordVPN’s decision follows similar directions from ExpressVPN and SurfShark, both of which have removed servers in the country. It is unclear how popular VPN services are in India, but on their sites, the aforementioned companies say that they are used by millions of users worldwide.
ProtonVPN, another popular VPN provider, has also said it is committed to maintaining its “no logs” policy. Some VPN providers, including ExpressVPN, have said they will continue to offer “virtual server locations” to Indian customers, but under the new rules, such bypass would still violate the new guidelines.
Lawmakers in India have made it clear that they have no intention of relaxing the new rules.
Rajeev Chandrasekhar, India’s junior IT minister, said in a news conference last month that VPN providers who want to hide who uses their services “will have to withdraw” from the country. The government, he said, will not hold a public consultation on these rules.
The new rules also require companies to report security breach incidents, such as data breaches, within six hours of detecting such instances. After pushing back advocacy groups last month, Chandrasekhar said India was “very generous” by giving companies six hours to report security incidents, citing countries like Indonesia and Singapore that he said had stricter requirements.
“When you look at the global priority – and understand that cybersecurity is a very complex issue, where situational awareness of multiple incidents allows us to understand the greater force behind it – accurate, timely and mandatory reporting is an absolutely essential part of the ability of CERT and the government to ensure the internet is always secure,” he said.