Five Eyes, Nine Eyes, 14 Eyes: What They Are and Why They Matter for VPN Users

If you’ve spent any time researching VPNs, you’ve seen these terms: Five Eyes, Nine Eyes, 14 Eyes. Review sites use them constantly, usually as a reason to avoid VPNs based in certain countries. Most explanations stop at listing the member countries. This one goes further.

Here’s what these alliances actually are, what they can (and cannot) compel VPN providers to do, and how much they should actually influence your VPN choice.

What is the Five Eyes alliance?

The Five Eyes (FVEY) is an intelligence-sharing agreement between five English-speaking countries: the United States, the United Kingdom, Canada, Australia, and New Zealand.

It grew out of the UKUSA Agreement signed after World War II, originally focused on signals intelligence (SIGINT), intercepting communications between foreign governments. Over the following decades, it expanded into a comprehensive intelligence-sharing framework covering signals, human intelligence, and bulk data collection.

What makes the Five Eyes significant for privacy is that its members agree to share surveillance data with each other. In practice, this means one country can request that another collect data on its behalf, then receive that data, potentially bypassing domestic legal restrictions on collecting intelligence about their own citizens.

The NSA’s PRISM program (revealed by Edward Snowden in 2013) showed the scale of what Five Eyes collection looks like in practice. The alliance isn’t a theoretical concern.

Five Eyes members: United States, United Kingdom, Canada, Australia, New Zealand

Nine Eyes adds four more countries

The Nine Eyes extends the Five Eyes framework to include Denmark, France, the Netherlands, and Norway. The additional four countries participate in intelligence sharing but with more limited access than the core five.

In privacy terms, the Nine Eyes matters because it broadens the pool of countries that can request data on each other’s behalf. A French court order demanding data from a Dutch company, for example, carries more weight when both countries participate in the same intelligence framework.

Nine Eyes adds: Denmark, France, Netherlands, Norway

14 Eyes extends further across Europe

The 14 Eyes adds Germany, Belgium, Italy, Spain, and Sweden to the Nine Eyes framework. This group is sometimes referred to as SSEUR (SIGINT Seniors Europe) in intelligence circles.

By this point, the alliance covers most of Western Europe plus the US, UK, Canada, Australia, and New Zealand. For VPN users, this means a provider incorporated in Germany is technically within a 14 Eyes country, even if Germany’s domestic privacy laws are among the strictest in Europe.

14 Eyes adds: Germany, Belgium, Italy, Spain, Sweden

Does jurisdiction actually matter for VPN users?

Here’s the nuanced answer most reviews skip: jurisdiction matters, but it’s not the only thing that matters, and it’s often overweighted by people who haven’t thought through the actual threat model.

When jurisdiction matters a lot: If you’re a journalist, activist, or someone living under a government that might pressure a VPN provider through legal channels, jurisdiction is important. A US-based VPN can be served with a National Security Letter, a secret order that prohibits the recipient from disclosing it. A VPN in Panama cannot.

When jurisdiction matters less than people think: For the vast majority of VPN users (people who want to avoid ISP tracking, access geo-restricted content, or use public Wi-Fi safely), what matters more is whether the VPN actually keeps no logs. A no-logs VPN in a Five Eyes country, with that claim independently audited and court-tested, provides better practical protection than a VPN in a “safe” jurisdiction that keeps logs but hasn’t been verified.

The reason: if a VPN keeps no logs, there is nothing to hand over. Jurisdiction only becomes relevant if data exists.

NordVPN (Panama) and Mullvad (Sweden) illustrate this well. Panama is outside Five Eyes, which is a privacy advantage. But Mullvad, incorporated in Sweden (a 14 Eyes country), has had its servers physically seized by police and nothing was found, because it actually keeps no logs. Both are credible options for different reasons.

Countries outside all three alliances

If jurisdiction is a priority for you, these countries have no mandatory data retention laws and sit outside Five Eyes, Nine Eyes, and 14 Eyes:

Panama (NordVPN’s home jurisdiction)
Switzerland (ProtonVPN). Swiss law requires a criminal investigation before data can be compelled
Iceland (strong privacy laws, outside EU mandatory retention directives)
British Virgin Islands (ExpressVPN was incorporated here, though now owned by Kape Technologies, UK)
Romania (CyberGhost parent company incorporated here)
Malaysia (Hide.me)

Switzerland deserves special mention. Swiss law doesn’t just place it outside intelligence alliances. It actively requires a formal criminal investigation opened by Swiss authorities before any data can be compelled. Even then, the process is slow and transparent. This is why Proton (ProtonMail, ProtonVPN) chose Geneva as its base.

How we score jurisdiction at VPN Picker

Our Compare page includes jurisdiction as one of 19 scored criteria. VPNs in Panama, Switzerland, Iceland, and similar jurisdictions score highest. VPNs in the US, UK, and Australia score lower due to the legal tools available to those governments (NSLs, RIPA, etc.). VPNs in 9 or 14 Eyes countries score in the middle.

Jurisdiction score is one input, not the only one. A VPN with a good jurisdiction score but no independent no-logs audit still scores poorly overall. You can see the full breakdown for any VPN on the Compare page.

The bottom line

The Five Eyes, Nine Eyes, and 14 Eyes alliances are real and relevant. They represent genuine legal risk for VPNs that collect data. But they’re not a simple checklist where “outside = safe.”

The honest framework: start with jurisdiction (it’s a meaningful filter), then verify the no-logs claim with independent audits or court-tested track records, then check ownership (a “Panama VPN” owned by a UK holding company has less protection than the headline suggests). All three together give you a clearer picture than any one factor alone.

For a full comparison of how 49 VPNs score across jurisdiction, no-logs audits, and 17 other criteria, see the Compare page.

Quick reference

Five Eyes: US, UK, Canada, Australia, New Zealand

Nine Eyes adds: Denmark, France, Netherlands, Norway

14 Eyes adds: Germany, Belgium, Italy, Spain, Sweden

Best jurisdictions for privacy: Panama, Switzerland, Iceland, BVI

Jurisdiction matters, but no-logs verification matters more for most users.

FAQ

Is a VPN in a Five Eyes country automatically unsafe?

No. A verified no-logs VPN in a Five Eyes country provides strong practical protection because there is no data to hand over. Jurisdiction becomes the deciding factor only when data exists and a government wants it.

Can Five Eyes governments force a VPN to install surveillance software?

In theory, yes. The US and UK have legal mechanisms to compel cooperation and impose gag orders. In practice, this is a risk for high-value targets, not typical VPN users. VPNs with open-source clients and regular audits are harder to compromise without detection.

Does the 14 Eyes apply to all EU countries?

No. Only Belgium, France, Germany, Italy, Netherlands, Spain, and Sweden are 14 Eyes members. Other EU countries (like Switzerland, not actually EU, or Romania) are not part of any of the three alliances.

What about China, Russia, and other authoritarian countries?

The Five/Nine/14 Eyes alliances are separate from authoritarian surveillance states. A VPN incorporated in China operates under entirely different (and more direct) government control. Most serious privacy-focused VPNs are deliberately incorporated outside both Western intelligence alliances and authoritarian jurisdictions.

Keep reading: Best VPN Jurisdiction in 2026: Panama vs Switzerland vs Iceland and Who Really Owns Your VPN? The Consolidation Map in 2026.