VPN jurisdictions in 2026: what the country changes

VPN jurisdiction affects legal pressure, data retention and remedies. In 2026, country matters—but less than audited no-logs and ownership.

VPN jurisdiction in 2026 matters because it determines which courts, regulators and surveillance laws can reach a provider, but it does not override the provider’s actual data handling. As of April 2026, the practical question is not whether a VPN is in a “good” or “bad” country in the abstract; it is whether local law can compel retention, whether the service has any logs worth seizing, who owns it, and whether its no-logs claims have been independently audited. A VPN in a 5-Eyes country can still be a sensible choice if it keeps no activity logs and that claim has been tested, while a VPN in Panama or the British Virgin Islands can still be a poor choice if ownership is opaque, logging is broad, or the product uses dark-patterned pricing. This guide explains what key VPN jurisdictions actually change in 2026, what the 14-Eyes alliance can and cannot do, and how to evaluate country, ownership and audits together.

What this guide covers

This guide covers the VPN jurisdictions readers ask about most in 2026: Switzerland, Sweden, Panama, the British Virgin Islands, Gibraltar, the Netherlands and the United States. It focuses on three practical questions: whether local law imposes telecom-style retention duties on VPNs, what cross-border intelligence alliances actually mean for a private company, and which large providers sit in each country. It also explains why ownership, audits and technical design usually matter more than flag maps.

The short version: jurisdiction matters, but only in context

Country affects four things.

  1. Who can issue lawful demands: local police, intelligence agencies, regulators and courts.
  2. Whether retention can be mandated: some jurisdictions impose duties on telecom operators, but VPNs are not always treated as telecoms.
  3. How easy cross-border cooperation is: MLATs, production orders and regulator-to-regulator channels vary.
  4. Your remedies: consumer law, data protection complaints and court oversight differ a lot.

What country does not do is magically create logs that were never stored. As reported by the U.S. Department of Justice in 2021 in the PureVPN cyberstalking case, historical logs can become evidence when they exist. The inverse is also true: when providers architect systems to minimise or avoid identifiable logs, jurisdictional pressure has less to work with.

That is why you should read jurisdiction alongside three other variables:

  • Logging policy: exactly what is stored, for how long, and for what purpose.
  • Most recent independent audit: date, auditor, scope and limitations.
  • Ownership: named owner, corporate structure and public history.

A quick comparison of the main jurisdictions

The table below is the high-level view. It is simplified, because legal obligations can turn on service type, local establishment and the exact order served.

| Jurisdiction | Eyes alliance status | General mandatory retention for VPNs? | Main practical risk in 2026 | Consumer/privacy upside |
|---|---|---|---|---|
| Switzerland | Not a 14-Eyes member | No clear general VPN-wide mandate, but targeted lawful orders exist | Swiss surveillance orders if the provider is in scope | Strong rule-of-law reputation; outside EU/US bloc |
| Sweden | 14-Eyes participant | Telecom retention rules exist, but VPN applicability depends on service classification | Broad cooperation environment and EU-law context | Strong consumer law and public records of enforcement |
| Panama | Not a 14-Eyes member | No known general VPN-specific retention mandate | Opaque enforcement environment; ownership opacity can matter more | Outside EU/US alliance politics |
| British Virgin Islands | UK overseas territory, not a sovereign 14-Eyes member | No known general VPN-specific retention mandate | UK-linked legal ecosystem and offshore opacity | Often lighter local data-retention posture |
| Gibraltar | British overseas territory | No broad VPN-specific mandate publicly cited, but UK-linked legal context matters | UK cooperation channels; small-jurisdiction opacity | Common-law courts; known registry structures |
| Netherlands | 9-Eyes context | General indiscriminate telecom retention has faced legal limits; targeted orders remain | Strong law-enforcement cooperation; infrastructure-heavy market | EU GDPR remedies and court scrutiny |
| United States | 5-Eyes member | No general federal VPN data-retention mandate | National security orders, subpoenas, gag orders | Robust court process, FTC/state AG enforcement |

As of April 2026, the biggest mistake is treating “14-Eyes” as if it were a law. It is an intelligence-sharing framework, not a magic wand that lets one state bypass a company’s domestic legal process.

What the 5-Eyes, 9-Eyes and 14-Eyes labels actually mean

As reported by the UK Investigatory Powers Tribunal and by public disclosures around NSA/GCHQ cooperation over the past decade, the Five Eyes alliance is a long-running intelligence-sharing relationship among the US, UK, Canada, Australia and New Zealand. “9-Eyes” and “14-Eyes” are looser shorthand used by privacy media and some providers for broader SIGINT cooperation circles.

For a VPN user, that means:

  • A provider in a 5-Eyes country may face more mature state-surveillance institutions.
  • It does not mean another member state can directly requisition the company without domestic legal process.
  • It does not create a retention duty where domestic law has not created one.
  • It does increase the odds that lawfully obtained data may be shared with partner states.

Why the label is often overused in VPN marketing

A VPN in Panama can still lease servers in the US, use US cloud services for support tickets, process payments through US entities, and have executives in Europe or North America. A VPN in Sweden can still be safer than one in Panama if the Swedish service has named ownership, a narrow logging policy, a recent no-logs audit and a history of disclosing legal process clearly.

Country is a real factor. It is just not a substitute for evidence.

What the law says in the main VPN jurisdictions in 2026

Switzerland

As of April 2026, Switzerland sits outside both the EU and 14-Eyes shorthand lists commonly used in VPN marketing. Swiss surveillance law has long distinguished between telecommunications providers and derived service providers, and the exact classification matters. As reported by Proton in multiple transparency and legal explainers between 2021 and 2025, Swiss authorities can compel disclosure of data a provider has, but Proton has consistently argued that VPN providers are not subject to general telecom-style mass retention in the same way access ISPs are.

Practical reading for VPN users:

  • Switzerland is not a zero-access zone for law enforcement.
  • It is generally seen as better than many jurisdictions on court process and proportionality.
  • The key question is still whether the VPN stores activity or source-IP logs at all.

Provider examples and disclosures:

  • Proton VPN: jurisdiction Switzerland; ownership Proton AG; logging policy states no logs of browsing activity or connection logs that can identify user activity; most recent public no-logs audit cited by the provider was conducted by Securitum in 2024. As of April 2026, Proton also publishes a transparency report.
  • VyprVPN: jurisdiction Switzerland through Golden Frog GmbH / Certida group structure as publicly stated by the provider; no-logs claims have been audited in the past by Leviathan Security in 2018, which is now dated for 2026 and should not be treated as fresh evidence.

Sweden

Sweden is the jurisdiction readers often over-penalise because of 14-Eyes rhetoric. As of April 2026, Sweden has data-retention obligations in its telecom framework, but whether a VPN is in scope depends on how the service is classified and operated. The EU Court of Justice has repeatedly limited indiscriminate retention regimes across member states, including through cases such as Tele2 Sverige and later judgments on traffic and location data.

Practical reading:

  • Sweden is a cooperative law-enforcement environment.
  • EU and national case law constrain blanket retention, but targeted orders remain very real.
  • A Swedish VPN with a well-tested no-logs setup may still be lower risk than an offshore provider with no audit.

Provider examples:

  • Mullvad: jurisdiction Sweden; ownership Mullvad VPN AB; logging policy states no activity logs and no email required for account creation; most recent independent audit package was published in 2023 with Assured AB covering app and infrastructure components. As reported by Mullvad in 2023, police visited its office with a search warrant and left without customer data because accessible logs did not exist.
  • PrivateVPN: jurisdiction Sweden as stated by the provider; as of April 2026, public no-logs audit evidence is less prominent than for Mullvad, so readers should treat its no-logs claim as less verified.

Panama

Panama remains popular in VPN marketing because it sits outside the US and EU intelligence blocs most often mentioned in ads. As of April 2026, there is no widely cited general VPN-specific mandatory retention law in Panama comparable to a federal telecom retention obligation in some other systems.

Practical reading:

  • Panama can reduce exposure to US and EU legal pressure.
  • It does not guarantee better privacy if the company stores logs, outsources core functions, or keeps ownership structures opaque.
  • Enforcement transparency is weaker than in some EU and US contexts, which cuts both ways.

Provider example:

  • NordVPN: jurisdiction Panama via Tefincom S.A. as stated by the provider; ownership is operationally linked to Nord Security, the Lithuanian-headquartered group behind Nord products; logging policy states no logs of user activity; most recent public no-logs audit was by Deloitte in 2024 covering no-logs controls. Dark-pattern note: like many large VPNs, Nord uses long-term introductory pricing that renews at a higher rate; readers should check renewal terms before buying.

British Virgin Islands

The British Virgin Islands are frequently presented as a privacy haven. As of April 2026, there is no widely cited general VPN-specific retention mandate in the BVI. The catch is structural: offshore incorporation can make ownership and accountability harder to assess.

Practical reading:

  • BVI can be fine if the operator, audit history and logging policy are clear.
  • BVI is not automatically superior to a transparent EU provider.
  • UK-linked legal and business ties can still matter where management, payment processing or infrastructure sit elsewhere.

Provider example:

  • ExpressVPN: jurisdiction BVI as stated by the provider; ownership since 2021 is Kape Technologies, rebranded as Pango Group in 2024 according to company announcements; logging policy states no activity logs and no connection logs that can identify users; most recent public no-logs audit was by KPMG in 2023, while the provider also cites multiple prior audits by PwC and Cure53. Ownership history matters here because Kape’s earlier ad-tech background is relevant context even though it predates the current rebrand.

Gibraltar

Gibraltar is smaller and less discussed, but it appears in VPN corporate records. As of April 2026, Gibraltar has a UK-linked legal ecosystem and strong cross-border ties, though it is not the UK itself.

Practical reading:

  • Gibraltar is not a magic offshore shield.
  • Its value depends on transparency and what is actually logged.
  • Small-jurisdiction opacity can make due diligence harder.

Provider example:

  • IVPN has publicly used a Gibraltar entity in its group structure in past disclosures, alongside operating changes over time; as of April 2026 readers should verify the current legal entity from the provider’s privacy policy and terms before weighting jurisdiction heavily. IVPN’s no-logs posture has been audited by Cure53 and other firms in prior years, and its transparency around ownership has generally been better than the industry average.

Netherlands

The Netherlands hosts a lot of internet infrastructure, so many privacy services touch it even when they are headquartered elsewhere. As of April 2026, Dutch blanket telecom retention duties have been constrained by EU and national court rulings, but targeted lawful access remains available.

Practical reading:

  • Dutch jurisdiction is not inherently hostile to privacy services.
  • EU law means strong data-protection complaint routes, but also extensive cross-border cooperation.
  • Server location in the Netherlands can matter separately from company headquarters.

Provider example:

  • Surfshark has used Dutch and Lithuanian corporate structures over time and is part of the Nord Security group after the 2022 merger announcement; as of April 2026 readers should check the current contracting entity in the terms. Public no-logs audits exist, including Deloitte work cited by the provider in 2023. Pricing note: Surfshark is a frequent user of steep intro pricing and higher renewals.

United States

The US is the jurisdiction most often dismissed outright in privacy forums. That is too simple. As of April 2026, there is no general federal law requiring VPNs to retain traffic logs. The real US issues are lawful process breadth, secrecy mechanisms in some investigations, and the large number of adjacent US touchpoints such as cloud hosting, support SaaS and payment processors.

Practical reading:

  • A US VPN is not automatically bad.
  • If no identifiable logs exist, subpoenas and orders may produce little beyond account and billing metadata.
  • FTC and state AG enforcement can be a genuine upside when providers lie about privacy practices.

Provider examples:

  • Private Internet Access: jurisdiction United States; ownership Kape/Pango Group; no-logs policy has been tested indirectly in court filings and public incidents, and the provider cites Deloitte assurance work in recent years. Ownership history should be weighed because of Kape’s pre-VPN ad-tech past.
  • Mozilla VPN: jurisdiction United States via Mozilla; ownership Mozilla Foundation/Mozilla Corporation; built on Mullvad’s network; Mozilla’s funding model mixes search-revenue deals, subscriptions and donations rather than ad-tech tracking. It inherits some trust from Mozilla’s public governance, but users should still read the product-specific logging disclosures.

Which providers are where, and what else matters

The next table combines jurisdiction with ownership and audit status, because country alone is not enough.

| Provider | Claimed jurisdiction | Ownership | Logging policy summary | Most recent public independent audit cited by provider | Audit freshness in 2026 |
|---|---|---|---|---|---|
| Mullvad | Sweden | Mullvad VPN AB | No activity logs; minimal account data; no email required | Assured AB, 2023 | Good, but not brand-new |
| Proton VPN | Switzerland | Proton AG | No browsing/activity logs; transparency reporting | Securitum, 2024 | Strong |
| NordVPN | Panama | Tefincom S.A.; operationally linked to Nord Security group | No activity logs | Deloitte, 2024 | Strong |
| ExpressVPN | BVI | Pango Group (formerly Kape Technologies) | No activity logs; TrustedServer architecture | KPMG, 2023 | Good |
| Private Internet Access | United States | Pango Group | No activity logs claimed | Deloitte, recent provider-cited assurance work | Check exact scope/date |
| Surfshark | Group structures in EU/NL/LT over time | Nord Security group | No activity logs claimed | Deloitte, 2023 provider-cited | Good |
| VyprVPN | Switzerland | Certida/Golden Frog group | No activity logs claimed | Leviathan Security, 2018 | Stale |

If you are choosing between two providers with similar speed and apps, this table is more useful than a “14-Eyes bad” meme.

Why no-logs usually matters more than jurisdiction

If a provider stores source IPs, connection timestamps, bandwidth usage tied to accounts, device IDs, support metadata and payment records, legal demands can reconstruct a lot even without browsing content. If a provider stores none of that in attributable form, there is much less to hand over.

Worked example with real numbers

Assume a provider keeps these records for 30 days:

  • Source IP on connect
  • VPN server used
  • Start time and end time to the nearest second
  • Account ID

A single user connects from home IP 203.0.113.24 to a New York server on 12 March at 20:14:33 and disconnects at 22:01:10. A website operator has logs showing account abuse from the VPN exit IP at 20:52:11. Even without browsing-history logs, investigators can correlate one user out of a small simultaneous session pool if the VPN retains source IP and precise timestamps.

Now compare a provider that stores only:

  • Total daily aggregate server load
  • Subscription status
  • Last successful payment date

In that second model, the same legal order yields no source IP linkage and no per-session timestamp trail. Jurisdiction still matters, but the evidential value collapses.

That is why a genuinely minimal-log US provider can be safer in practice than a Panama provider that keeps session metadata “for abuse prevention”.
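
The worked example above, modelled in code so the difference between the two retention models can be checked. This is an added illustration, not code from any provider; the year, the server names, the account IDs and every session except the first are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. The first session uses the values from the worked
# example; the year, server names, account IDs and other sessions are assumed.
RAW_SESSIONS = [
    {"account_id": "acct-1001", "source_ip": "203.0.113.24", "server": "nyc-01",
     "start": datetime(2026, 3, 12, 20, 14, 33), "end": datetime(2026, 3, 12, 22, 1, 10)},
    {"account_id": "acct-1002", "source_ip": "198.51.100.7", "server": "nyc-01",
     "start": datetime(2026, 3, 12, 18, 2, 5), "end": datetime(2026, 3, 12, 20, 40, 0)},
    {"account_id": "acct-1003", "source_ip": "192.0.2.55", "server": "nyc-01",
     "start": datetime(2026, 3, 12, 20, 50, 0), "end": datetime(2026, 3, 12, 21, 5, 30)},
    {"account_id": "acct-1004", "source_ip": "198.51.100.90", "server": "ams-03",
     "start": datetime(2026, 3, 12, 20, 0, 0), "end": datetime(2026, 3, 12, 23, 0, 0)},
]

# Timestamp the website operator logged for the abuse from the VPN exit IP.
ABUSE_EVENT = datetime(2026, 3, 12, 20, 52, 11)


def session_log_store(raw_sessions, now, retention_days=30):
    """Model 1: per-session records kept for `retention_days`, then purged."""
    cutoff = now - timedelta(days=retention_days)
    return {"sessions": [dict(s) for s in raw_sessions if s["end"] >= cutoff]}


def minimal_store(raw_sessions):
    """Model 2: only daily aggregate server load and billing state persist."""
    load = Counter((s["server"], s["start"].date().isoformat()) for s in raw_sessions)
    accounts = {
        s["account_id"]: {"subscription_status": "active", "last_payment": "2026-03-01"}
        for s in raw_sessions
    }
    return {"daily_load": dict(load), "accounts": accounts}


def linkable(store, server, event_time):
    """(account, source IP) pairs the stored data ties to `server` at `event_time`."""
    return sorted(
        (r["account_id"], r["source_ip"])
        for r in store.get("sessions", [])
        if r["server"] == server and r["start"] <= event_time <= r["end"]
    )


if __name__ == "__main__":
    logged = session_log_store(RAW_SESSIONS, now=datetime(2026, 3, 20))
    expired = session_log_store(RAW_SESSIONS, now=datetime(2026, 4, 15))
    minimal = minimal_store(RAW_SESSIONS)
    print("session logs, inside 30 days:", linkable(logged, "nyc-01", ABUSE_EVENT))
    print("session logs, after purge:   ", linkable(expired, "nyc-01", ABUSE_EVENT))
    print("minimal store:               ", linkable(minimal, "nyc-01", ABUSE_EVENT))
    print("minimal store still holds:   ", minimal["daily_load"])
```

With session logs the query narrows four sessions to two named accounts with home IPs; with the minimal store, or once the 30-day window has passed, the same query returns nothing even though aggregate load and billing data are still on hand.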

Server location, corporate location and support tooling are different things

Readers often compress all location issues into one word: jurisdiction. In reality there are at least four.

Headquarters jurisdiction

This controls the main legal entity and the courts most likely to hear direct orders.

Server location

A Swiss provider with servers in the US can still face local orders aimed at the data-centre operator or seized hardware, though RAM-only or diskless designs reduce what is recoverable.

Staff location

A Panama-incorporated company whose engineering team sits in the EU and whose support team works from the US has more legal touchpoints than the homepage implies.

Vendor location

Support desks, analytics vendors, crash reporting and payment processors can all pull metadata into different jurisdictions.

This is also where encrypted-email comparisons often go wrong. For email, Schrems II matters directly because providers moving EU personal data to the US need a transfer mechanism and supplementary measures. As of April 2026, the EU-US Data Privacy Framework remains in force as the European Commission’s adequacy mechanism, but Schrems II still matters because adequacy can be challenged and because technical access risks do not vanish just because a transfer path exists. The same lesson applies to VPN vendors using US processors or SaaS tools: legal transfer paperwork is not the same as technical non-access.

How to read provider marketing without getting fooled

“Based in Panama” can hide a lot

Check:

  • Contracting entity in the terms
  • Parent company and group ownership
  • Payment processor location
  • Whether support and analytics are outsourced
  • Audit scope: app? server config? no-logs controls? point-in-time only?

Look for dark patterns

As of April 2026, dark patterns remain common across major VPN brands. Watch for:

  • Introductory 24- or 27-month plans that renew at 2x-4x the teaser monthly price
  • Auto-renew enabled by default on “risk-free” trials
  • Coupon-only public pricing that hides the normal renewal rate
  • Unsubscribe or cancellation flows buried behind support chat

A privacy product that makes account exit hard is telling you something about incentives.

Common mistakes

  • Treating 14-Eyes as if it were a law that directly binds private companies.
  • Ignoring ownership history because the homepage says “independent” or “offshore”.
  • Trusting a no-logs claim that has never been independently audited.
  • Looking only at headquarters and ignoring server, staff and vendor locations.
  • Assuming “outside the EU/US” automatically means stronger privacy protections.
  • Forgetting renewal pricing and cancellation friction when comparing providers.

How to choose a VPN when jurisdiction is one factor, not the only factor

A simple order of operations works better than chasing flags.

Tier 1: Eliminate weak evidence

Reject providers that have:

  • No named owner
  • No recent audit
  • Broad session or source-IP logging
  • A history of misleading security or privacy claims not clearly addressed

Tier 2: Compare jurisdiction and remedies

For the remaining shortlist, ask:

  • Is there a general retention duty likely to apply to this service?
  • How strong is court oversight?
  • Are there data-protection complaint routes?
  • Does the provider publish transparency reports or warrant canaries?

Tier 3: Match to your actual use case

  • If you want the strongest account anonymity, Mullvad’s numbered-account model remains unusually strong.
  • If you want a broad ecosystem and Swiss jurisdiction, Proton VPN is the obvious reference point.
  • If you want a mainstream audited option and are comfortable with Panama plus a large corporate group, NordVPN is defensible.
  • If you want a US-based option, focus on verifiable no-logs design and ownership transparency rather than assuming the jurisdiction alone settles it.

Bottom line for VPN jurisdiction 2026

As of April 2026, VPN jurisdiction still matters, but mostly as a multiplier on the data a provider already has. Switzerland and Sweden offer different legal environments, not simple good/bad labels. Panama and the BVI can reduce certain geopolitical concerns, but they do not compensate for weak audits or opaque ownership. The US brings more surveillance anxiety, but also the absence of a general federal VPN logging mandate and stronger deception enforcement than many readers assume.

If two VPNs are otherwise equal, choose the one with the better jurisdiction. If they are not equal, choose the one with the narrower logging, clearer ownership and fresher audit.

  • For evidence standards, see our guide to no-logs VPN audits.
  • For practical buying advice, see our guide to VPN pricing traps and auto-renewals.
  • For account privacy, see our guide to choosing a VPN without giving your real email.