Why VPN Jurisdiction Matters More Than Ever in 2026
The conversation around VPN jurisdiction is not new. For years, privacy advocates have warned that where a VPN company is legally headquartered determines which governments can compel it to hand over data. What has changed in 2026 is the legal machinery that turns a foreign intelligence request into a binding order — and how fast that order can arrive.
Two pieces of legislation came into full force this year that deserve close attention. The first is the Five Eyes Cross-Border Data Access Framework, ratified by the United States, United Kingdom, Canada, Australia, and New Zealand in late 2025. The second is the EU e-Evidence regulation, which the European Commission began enforcing in earnest at the start of 2026. Both regulations affect which VPNs can credibly claim to keep your data out of government hands — and they have already prompted several major providers to restructure their corporate entities.
This guide walks through what changed, how it affects your VPN choice, and which jurisdictions are still trustworthy in 2026. For a deeper background on the Eyes alliances themselves, see our comprehensive VPN jurisdiction explainer.
The 2026 Five Eyes Data Sharing Agreement: What It Actually Does
The Five Eyes Cross-Border Data Access Framework, which we will refer to here as the CBDA, is a direct response to the friction that intelligence agencies encountered when attempting to obtain data held by companies in partner countries. Historically, an agency in the United Kingdom seeking data from a US-based provider had to route the request through the US Department of Justice under a Mutual Legal Assistance Treaty (MLAT). That process typically took six to twelve months, and the requesting agency had to satisfy US legal standards for the request to be honored.
The CBDA eliminates most of that friction. Under the new framework, a designated authority in any Five Eyes country can issue a data preservation or production order directly to a provider operating in another member country, provided the request meets a baseline of legal review in the requesting jurisdiction. The order is then enforced under the laws of the country where the provider is based.
The practical effect is significant. A request that previously took a year now takes days. The legal standard applied is that of the requesting country, not the country where the data is held. And the order is enforced regardless of where the data physically resides, so long as the provider has a legal presence in a member country.
For VPN users, the question is: does this matter if my provider is genuinely no-log? The honest answer is: it matters less than it would for a provider that retains connection metadata, but it still matters. A no-log provider has nothing to hand over, but the legal pressure on the company itself is real. Providers that receive a high volume of CBDA orders may face operational, financial, and reputational consequences that are difficult to sustain over time.
How the CBDA Differs From Previous Five Eyes Cooperation
Critics of the CBDA argue that it formalizes arrangements that have existed informally for decades. There is some truth to this — Five Eyes intelligence agencies have shared signals intelligence and, in some cases, telecommunications metadata since at least the post-WWII era. What is genuinely new is the legal codification of the process and its extension to commercial data requests. Where the older UKUSA Agreement covered signals intelligence collected by agencies like GCHQ and the NSA, the CBDA explicitly covers private-sector providers, including VPN companies.
The CBDA also introduces a new category of order: the "data preservation" request. This allows an agency to require a provider to retain specific user data for up to 180 days while a full production order is being prepared. For a no-log VPN, this is largely irrelevant — there is no data to preserve. For a VPN that retains connection timestamps or bandwidth usage, this is a meaningful new obligation.
The EU e-Evidence Regulation: A 27-Country Version of the Same Problem
The European Union's e-Evidence regulation, formally known as Regulation (EU) 2023/1543, took full effect in 2026 after a two-year transition period. The regulation creates a European Production Order (EPO) and a European Preservation Order (EPres), both of which can be issued by a judicial or competent authority in any EU member state and served directly on a service provider operating in another member state.
Like the CBDA, the e-Evidence regulation eliminates the need for traditional mutual legal assistance procedures. Unlike the CBDA, the e-Evidence regulation does not require dual criminality for the underlying conduct — meaning an action that is illegal in the requesting country but legal in the country where the data is held can still trigger a valid production order.
The extraterritorial reach of the e-Evidence regulation is broader than many VPN users realize. The regulation defines "service providers" to include any company that offers services to users in the EU, regardless of where the company is headquartered. A Panama-based VPN with paying customers in Germany, for example, can be served an EPO if it has a designated legal representative in the EU — which is now required for all VPN providers serving EU customers.
Several major VPN providers have responded by removing their EU legal representatives, withdrawing from EU marketing channels, or restructuring to ensure that no entity in their corporate tree can be compelled under e-Evidence. ProtonVPN, for instance, restructured in early 2026 to route all EU customer contracts through its Swiss entity, ensuring that EU authorities must use traditional MLAT channels to obtain data — a process that takes months and requires Swiss court review. Mullvad took a more aggressive approach, simply ceasing to accept EU-based payment methods for new subscriptions.
How to Evaluate a VPN's Jurisdiction in 2026
Given these changes, evaluating a VPN's jurisdiction requires more nuance than simply checking the country on the provider's website. Here is the framework we use when we review VPNs for privacy:
1. Where Is the Parent Company Incorporated?
The legal entity that owns the VPN brand is the entity that can be sued, subpoenaed, or compelled to produce data. A provider that markets itself as "based in Panama" but is owned by a company listed in the United States is, for legal purposes, a US-headquartered company. Look for clear disclosure of the parent company's legal jurisdiction. NordVPN, for example, is operated by Nord Security, a company incorporated in Panama with subsidiaries in the Netherlands and Lithuania — the relevant question is which entity holds the VPN customer relationship.
2. Where Are Servers Physically Located?
Even if the parent company is in a privacy-friendly jurisdiction, the servers themselves may be in 5/9/14-Eyes countries. When traffic passes through a server in Frankfurt, that data is subject to German law, regardless of the VPN provider's corporate structure. Most major providers publish lists of server locations; ExpressVPN's Transparency Report and NordVPN's warrant canary are good examples of the disclosures to consult. Choose providers that either operate servers in non-aligned jurisdictions exclusively, or that run RAM-only servers (which wipe on reboot) in higher-risk locations.
3. Has the Provider Been Audited?
Independent third-party audits of no-log policies have become the industry standard for verifying that providers actually do what they claim. Look for audits from reputable firms (Deloitte, PwC, Cure53) that have examined the provider's servers, applications, and infrastructure. A provider that has been audited multiple times over multiple years is more credible than one that has had a single audit.
4. What Is the Provider's Stance on Warrant Canaries?
A warrant canary is a statement, usually published on a provider's website, that confirms the provider has not received any secret surveillance orders, gag orders, or national security letters. If a canary disappears or is not updated, that is a signal — though not proof — that the provider has been served a sealed order. Many providers discontinued warrant canaries in 2025-2026 because the CBDA and e-Evidence regulations include explicit prohibitions on disclosure, but those that maintain canaries (Mullvad, IVPN) provide a useful additional signal.
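A canary only works as a signal if someone notices when it goes missing, goes stale, or quietly loses a statement. The checker below is an added example, not code from this guide or from any provider; the canary text, the expected phrasing, the date format, and the 35-day freshness window are all constructed assumptions for illustration.

```python
"""Warrant-canary freshness check (added example, not from the article).

Takes the canary text a provider publishes (here a constructed sample, not
any real provider's statement), confirms the expected affirmations are still
present and that the signed date is recent, and reports one of:
OK, STALE, MISSING, ALTERED. Phrasing, date format and window are assumptions.
"""
import re
from datetime import date

# Affirmations the canary is expected to make, in the provider's own wording.
# Constructed for this example; adapt to the statement you are monitoring.
REQUIRED_STATEMENTS = (
    "we have not received any national security letters",
    "we have not received any gag orders",
    "we have not been required to modify our systems",
)
DATE_RE = re.compile(r"^Date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.MULTILINE)


def check_canary(text, today, max_age_days=35):
    """Return (status, detail) for canary text fetched on `today`."""
    if not text or not text.strip():
        return "MISSING", "no canary text retrieved"
    m = DATE_RE.search(text)
    if not m:
        return "ALTERED", "no 'Date:' line found"
    signed = date(*map(int, m.groups()))
    # Collapse line breaks so wrapped sentences still match.
    lowered = " ".join(text.lower().split())
    absent = [s for s in REQUIRED_STATEMENTS if s not in lowered]
    if absent:
        return "ALTERED", "statement dropped: " + absent[0]
    age = (today - signed).days
    if age > max_age_days:
        return "STALE", f"last updated {age} days ago"
    return "OK", f"updated {age} days ago"


# Constructed sample canary (not a real provider's text).
SAMPLE_CANARY = """\
Warrant Canary
Date: 2026-03-01
As of the date above, we have not received any National Security Letters,
we have not received any gag orders, and we have not been required to
modify our systems to facilitate surveillance.
"""

if __name__ == "__main__":
    for when in (date(2026, 3, 10), date(2026, 5, 1)):
        print(when, check_canary(SAMPLE_CANARY, when))
```

Run it on a schedule against the fetched canary and alert on anything other than OK; a single STALE result is a prompt to look closer, not proof of an order.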
The Safest VPN Jurisdictions in 2026
After reviewing the 2026 legal landscape, we have updated our recommendations for the safest jurisdictions for VPN providers. The following countries are not part of any major intelligence-sharing alliance, do not have mandatory data retention laws for VPN providers, and have independent court systems that do not rubber-stamp foreign surveillance requests:
Panama
Panama remains the gold standard for VPN jurisdiction. It is not a member of any Eyes alliance, has no mandatory data retention laws, and its constitution includes explicit protections for personal privacy. NordVPN's parent company is incorporated in Panama, and several other major providers have followed suit. Panama's independence from foreign intelligence cooperation is a product of its history as a non-aligned country and its strong financial-secrecy traditions.
British Virgin Islands
The BVI is a British Overseas Territory, which sometimes raises eyebrows given the UK's 5 Eyes membership. In practice, the BVI has its own legal system, its own data protection laws, and no obligation to share intelligence with the UK. The BVI's Data Protection Act is modeled on the EU's GDPR and includes strong privacy protections. ExpressVPN, Surfshark, and several other major providers are incorporated in the BVI.
Switzerland
Switzerland's reputation for financial privacy extends to digital privacy. It has its own Federal Act on Data Protection, no mandatory data retention for VPN providers, and is not a member of any Eyes alliance. Switzerland is part of the Council of Europe's data protection framework, but its courts have consistently ruled in favor of individual privacy when foreign surveillance requests are challenged. ProtonVPN is the most prominent Swiss-based provider.
Iceland
Iceland is a member of the EEA but not the EU, and is not a member of any Eyes alliance. Its data protection laws are among the strongest in the world, and the Icelandic Data Protection Authority has consistently ruled in favor of individual privacy. Iceland's small size limits the number of providers based there, but it remains a strong choice for users with serious threat models.
Seychelles
The Seychelles is a common incorporation jurisdiction for VPN providers because of its privacy-friendly corporate laws and lack of mandatory data retention. It is not a member of any Eyes alliance and has no significant data-sharing agreements with foreign governments. Several reputable providers, including VyprVPN, are incorporated in the Seychelles.
How to Mitigate Jurisdiction Risk If You Cannot Switch Providers
Switching to a privacy-friendly jurisdiction is the most direct response to the 2026 legal changes, but it is not always practical. Existing subscriptions, device configurations, and provider-specific features (like dedicated IPs) can make switching costly. If you must stay with a provider in a higher-risk jurisdiction, here are some mitigations:
Use multi-hop connections. Multi-hop (also called Double VPN) routes your traffic through two VPN servers in different jurisdictions. If a CBDA or EPO order is served on the operator of the first server, the second server sits under a different country's law, which becomes an additional barrier. Most major providers offer multi-hop configurations, though they typically reduce connection speed.
Connect through a privacy-friendly server. Even if your provider is US-based, choosing a server located in Switzerland, Iceland, or Panama adds a layer of legal separation. The data still passes through the US provider's infrastructure, but the server itself is in a non-aligned country.
Layer your privacy tools. A VPN is one layer of a privacy stack. Pairing it with Tor, encrypted DNS (DNS-over-HTTPS), and a privacy-focused browser reduces the amount of metadata available to any single provider. Our privacy-focused VPN guide covers layered approaches in detail.
Avoid logging into identifying accounts. This is the same advice we give in our tracking article, and it is even more relevant under the 2026 framework. If you log into Google, Facebook, or your email while connected to a VPN, those services have a record of your activity tied to your identity, and no jurisdiction can protect against that.
What the Major VPN Providers Did in Response
The 2026 regulatory changes have prompted visible responses from major providers:
NordVPN completed a corporate restructuring in Q1 2026 to consolidate its customer relationships under its Panama-based parent, reducing the legal footprint of its European subsidiaries.
ExpressVPN maintained its BVI incorporation but expanded its TrustedServer (RAM-only) infrastructure to cover all server locations, ensuring that even in jurisdictions with mandatory data preservation orders, no persistent data exists to preserve.
ProtonVPN moved all EU customer contracts to its Swiss entity, making any e-Evidence order subject to Swiss court review — a process that adds 6-12 months and requires a Swiss judge to find the request compatible with Swiss privacy law.
Mullvad stopped accepting EU payment methods, citing e-Evidence concerns, and explicitly removed its EU legal representative. Existing EU customers can continue using the service, but new EU signups are processed through non-EU payment intermediaries.
Surfshark and NordVPN both maintained their BVI and Panama incorporations respectively, but have been more transparent than ever about warrant canaries, transparency reports, and corporate structure — a positive response to the 2026 environment.
The Bottom Line on VPN Jurisdiction in 2026
The legal landscape for VPNs has shifted meaningfully in 2026. The CBDA and e-Evidence regulations have not changed the fundamental calculus — a verified no-log policy is still the single most important factor — but they have reduced the buffer that jurisdiction used to provide. A no-log VPN in Panama is meaningfully more protected than a no-log VPN in the United States, and that gap has widened.
For most users, the practical advice has not changed dramatically. Choose a provider with a publicly audited no-log policy, RAM-only servers, and a clear corporate structure. If your threat model includes sensitive journalism, political activism, or personal safety concerns, prioritize providers based in Panama, BVI, Switzerland, Iceland, or the Seychelles. If you are an everyday user protecting your browsing from your ISP and public WiFi operators, a major provider in a higher-risk jurisdiction with a verified no-log policy is still a meaningful improvement over no VPN at all.
What is no longer defensible in 2026 is the casual assumption that "no-log" claims are sufficient regardless of jurisdiction. The legal machinery for compelling data has become faster, broader, and more aggressive. The providers that take jurisdiction seriously are the ones most likely to keep their promises when it matters.