The European Commission is preparing a data retention proposal that puts VPN providers directly in scope. If it passes in anything close to its current shape, the no-log VPN model could become illegal to operate inside the EU.
That sentence sounds alarmist. It isn’t. Here’s what the documents actually say.
What the EU is proposing
For years, EU data retention rules have been a legal mess. The Court of Justice of the EU struck down the old Data Retention Directive back in 2014, and member states have been improvising ever since. Law enforcement agencies have complained the whole time that they lack a consistent way to demand connection records from online services.
The Commission’s answer is a new data retention framework, with a legislative proposal expected by mid-2026 after an impact assessment that ran in early 2026. Heise reported on the timeline, and the Commission’s own call for evidence confirms the scope: retention of data by service providers for criminal proceedings.
The list of services being discussed goes well beyond telecom operators. According to TechRadar’s analysis, the targets include messaging apps, hosting providers, file sharing services, cloud storage, and VPN companies.
What member states want VPNs to log
The detail that matters is the kind of data on the table. Member states have made it clear in working documents that knowing who owns an account is not enough for them. They want metadata: when a user was online, from which IP address, and for how long.
For a VPN provider, that means connection logs. Timestamps, source IPs, assigned IPs, session duration. Exactly the records that reputable VPN providers have spent a decade refusing to keep, and exactly the records that independent audits verify do not exist.
A retention mandate would not ask providers to start spying on browsing content. It doesn’t have to. Connection metadata is enough to tie a real person to an online identity, which is the whole thing a privacy-focused VPN exists to prevent. If you want to understand what a no-log policy actually covers, we wrote a full guide on how to verify a VPN’s no-logs claims.
Why this breaks the no-log model
A no-log VPN is not a pinky promise. It’s an architecture. Providers like Mullvad and NordVPN design their systems so the data never gets written anywhere: RAM-only servers, no persistent identifiers, audits to confirm it.
The security argument for this design is simple. Data that doesn’t exist can’t be stolen, subpoenaed, or leaked. Every major no-log audit, every court case where a provider had nothing to hand over, rests on that foundation.
A retention law flips the logic. Providers would be required to create and store the very records their entire security model is built on not having. NordVPN told TechRadar that forced retention of IP addresses, traffic and location data would negate the core function of the product and create a high-value target for attackers. They also warned about the predictable outcome: legitimate providers pull out of the EU market, and users drift toward offshore services that answer to no one.
That second point deserves more attention than it gets. The EU would not actually stop anyone from using a VPN without logs. It would just guarantee that the providers serving EU users from inside the EU are the ones you can’t trust, while the trustworthy ones operate from Switzerland, Panama, or the British Virgin Islands. Jurisdiction already matters when picking a VPN. It would start mattering a lot more. Our VPN jurisdiction guide covers which countries have data retention laws today.
Where this connects to the bigger EU privacy fight
This proposal is not happening in isolation. It’s one of six pillars in the Commission’s ProtectEU internal security strategy, alongside lawful interception, decryption, and digital forensics. The same strategy that produced Chat Control is now producing this.
The pattern is consistent: each initiative individually sounds technical and narrow, and together they describe an internet where every intermediary keeps records on its users and hands them over on request. We cover the encryption side of this fight in our article on the EU’s Going Dark initiative.
It’s worth saying clearly: there are real investigations that stall because data wasn’t retained. Police agencies are not inventing the problem. But the answer they keep reaching for, mandatory logging of everyone by default, was already rejected by the EU’s own top court. Twice. The CJEU has consistently ruled that general and indiscriminate data retention violates fundamental rights. Any new framework will land in front of the same court.
How we got here: three court defeats in a decade
Some history explains why privacy lawyers are calm and policy people are nervous.
In 2014, the CJEU annulled the original Data Retention Directive in the Digital Rights Ireland case, ruling that storing everyone’s communications metadata by default was a disproportionate interference with private life. In 2016, the Tele2/Watson ruling went further and blocked member states from keeping equivalent national laws. In 2020, La Quadrature du Net confirmed the line again, allowing only narrow, targeted retention for genuine national security threats.
Three rulings, one consistent principle: you cannot log everyone just in case some of them turn out to be criminals.
So why try a fourth time? Because the political demand never went away, and because each ruling left small openings: targeted retention, IP address retention for serious crime, national security carve-outs. The new framework will be drafted by people who have read every one of those judgments and will aim each clause at the gaps. Whether the court accepts the result is the multi-billion-euro question, and the answer is years away.
That legal uncertainty cuts both ways. It means no-log VPNs are not about to disappear from Europe. It also means the industry will spend the next several years building products under a sword that may or may not drop.
What happens next
The expected sequence: the Commission publishes its legislative proposal around mid-2026, then the European Parliament and the Council each take their position, then trilogue negotiations begin. That process usually takes years, and data retention proposals attract heavy opposition from civil society, from the privacy community, and from some member states.
Nothing changes for VPN users today. No-log VPNs remain legal everywhere in the EU, and the audited providers continue to operate exactly as before.
What you can do now is mostly about positioning. If EU data retention worries you, prefer providers based outside the EU with audited no-log policies and RAM-only infrastructure. Proton VPN operates from Switzerland, which is not an EU member and has rejected blanket retention obligations for VPNs. NordVPN is based in Panama and has passed multiple independent no-log audits.
This is the most serious legislative threat to no-log VPNs in Europe so far, and it deserves your attention more than any breach headline this year. It is also far from law. The proposal lands mid-2026, the EU legislative process is slow, and the CJEU has killed blanket retention twice already. Watch where your provider is incorporated, not just what its marketing says. Jurisdiction is about to become the most important line in every VPN comparison.
Sources: TechRadar on the EU data retention plans | Heise: proposal by mid-2026 | European Commission call for evidence | TechNadu on the retention expansion