The Telecom Regulatory Authority of India (TRAI) has informed the Department of Telecommunications (DoT) that it does not have the legal authority to regulate virtual private network (VPN) applications. TRAI clarified that VPN services fall under the jurisdiction of the Information Technology (IT) Act, not telecom regulations.
In response to a request from DoT regarding recommendations on monitoring and controlling the misuse of application-layer VPNs (Layer-7 VPNs), TRAI stated that it is not empowered to regulate such services.
A letter signed by TRAI Secretary Atul Kumar Chaudhary explained the regulatory limitations. “As application VPN service providers are not licensed entities under the Telegraph Act, TRAI is not empowered under the TRAI Act, 1997, to furnish regulatory recommendations on Application VPNs. Hence, the reference seeking recommendations on monitoring and controlling VPN misuse falls outside TRAI’s regulatory scope and is hereby returned,” the letter stated.
DoT’s Request and TRAI’s Response
DoT had initially asked TRAI for recommendations on monitoring application-layer VPNs, defining them as “a non-network-based network established without seeking explicit connectivity from service providers, using logical rather than physical means for remote or site-to-site access.” Unlike network-based VPNs provided by licensed telecom entities, these application-layer VPNs operate independently of telecom networks.
Earlier, in June 2024, DoT had sought TRAI’s recommendations on the terms and conditions for authorizing telecommunication services under the Telecom Act, 2023. Following consultations with stakeholders, TRAI submitted its recommendations in September 2024.
In January 2025, DoT provided a back-reference to TRAI, indicating that the government had reviewed TRAI’s recommendations. It requested TRAI to reconsider certain points where the government had reached a preliminary conclusion that modifications might be needed.
After reviewing DoT’s stance, TRAI finalized its response, maintaining its position on key issues.
Key Recommendations from TRAI
Apart from clarifying its stance on VPN regulation, TRAI reiterated other recommendations:
- Satellite-Based Services: TRAI emphasized that satellite-based service authorizations should remain separate from standard telecom service authorizations, as they involve distinct technology and service models.
- Machine-to-Machine (M2M) Services: It recommended separate authorization for M2M services to support startups and small businesses with expertise in the field but limited financial resources.
- Investor Confidence: TRAI stressed that regulatory policies should provide assurance to authorized telecom entities, ensuring that no major changes to licensing terms occur unilaterally, which could affect investment confidence in the sector.
TRAI’s response highlights its commitment to maintaining a clear regulatory framework while ensuring that services like VPNs are governed under the appropriate legal provisions.
