If you’ve seen the headlines this month about the EU “banning VPNs,” you can relax. They’re not banning VPNs.
They’re doing something far more insidious: making them useless.
What’s Actually Happening
Three separate EU initiatives are converging on the same target. None of them says “ban VPNs.” All of them, taken together, amount to a systematic assault on encrypted privacy in Europe.
Thread one: ProtectEU. Launched in April 2025, this is the European Commission’s internal security strategy. Buried in the policy language is a “Technology Roadmap on encryption” with a stated goal: EU law enforcement should be able to decrypt private data by 2030. That includes VPN tunnels, end-to-end encrypted messaging, and cloud storage.
Read that again. The European Commission wants the technical capability to break open your encrypted connections within four years.
Thread two: mandatory data retention. Leaked EU Council documents reveal proposals to extend data retention obligations to VPN providers, messaging apps, and cloud services for the first time. The requirements: log IP addresses, timestamps, session duration, traffic volume, and user identification data for 6–12 months. A formal legislative proposal is expected next month.
This would make “no-log” VPN policies illegal within EU territory.
Thread three: the age verification sideshow. EU officials publicly described VPNs as a “loophole” in their new age-verification system. The Commission later clarified there’s no VPN crackdown planned. This is where most of the breathless headlines came from, and it’s the least important of the three threads. Classic misdirection — everyone’s arguing about whether there’s a ban while the real damage happens elsewhere.
Why This Matters More Than a Ban
A ban would be honest. You’d know where you stood. You could route around it, use services outside the jurisdiction, make an informed choice.
What the EU is proposing instead is a hollowing out. Your VPN will still exist. It will still have a logo and a subscription fee and a “connect” button. But the tunnel won’t be private anymore. Your provider will be logging your metadata. And somewhere on the Commission’s roadmap, there’s a checkbox for decrypting what’s inside it.
This is the Crypto Wars all over again. Phil Zimmermann faced a criminal investigation in the 1990s for releasing PGP — strong encryption that the US government classified as a munition. The argument then was the same as now: “We need access to encrypted communications for law enforcement.” The counterargument hasn’t changed either: you cannot build a door that only the good guys can walk through.
The Backdoor Fallacy
Every serious cryptographer will tell you the same thing: there is no such thing as a backdoor that only works for authorised parties. If the EU mandates that encrypted tunnels must be decryptable by law enforcement, they are mandating a vulnerability. Full stop.
Proton (the Swiss company behind ProtonVPN and ProtonMail), Surfshark, and Tuta Mail have all said the same thing publicly: weakening encryption doesn’t make Europeans safer. It makes them targets.
Consider what flows through corporate VPN tunnels every day: financial data, medical records, legal communications, trade secrets, board papers, M&A documents. Now consider a mandated decryption capability sitting in a government database somewhere in Brussels. How long before it’s breached? How long before a state actor — or a sufficiently motivated criminal — finds the key?
The answer, based on every precedent in cybersecurity history, is: not long enough.
What About Businesses?
If you run a company with staff connecting remotely to corporate systems — and in 2026, who doesn’t? — this affects you directly.
The data retention proposal targets commercial VPN providers. If your company uses a third-party EU-based VPN service, that provider could be forced to log every connection your employees make. Self-hosted infrastructure (your own WireGuard or OpenVPN servers) appears exempt for now, but the distinction between “provider” and “operator” could narrow as the legislation evolves.
Several major VPN providers have already indicated they’d relocate outside the EU rather than comply. NordVPN is in Panama. Proton is in Switzerland. Mullvad has publicly stated they’ll maintain their no-logs policy regardless. But if your provider is EU-domiciled, you need to ask them what their plan is — now, not after the legislation passes.
There’s also a beautiful irony in the GDPR conflict. The EU’s own flagship privacy regulation requires data minimisation — don’t collect what you don’t need. The data retention proposal requires the opposite: collect everything, keep it for a year, hand it over on request. The Court of Justice of the EU struck down the last blanket retention directive in 2014 (Digital Rights Ireland). It may well do so again. But the years of legal uncertainty in between will be painful for businesses trying to comply with both frameworks simultaneously.
The UK Angle
Post-Brexit, the UK is not bound by EU data retention rules or ProtectEU. Before you breathe a sigh of relief: the UK already requires ISPs to retain connection metadata for 12 months under the Investigatory Powers Act 2016. We’re hardly the privacy utopia.
But there’s an opportunity here. If the EU forces VPN providers to log, and the UK doesn’t extend the same requirement to VPN services specifically, UK-based VPN infrastructure becomes more attractive for privacy-conscious businesses. Post-Brexit regulatory divergence occasionally produces something useful. This might be one of those times.
Encryption Is a Right, Not a Feature
Here’s where I stop being measured and start being honest.
Encryption is not a “loophole.” It’s not a “tool for criminals.” It’s a fundamental component of digital self-sovereignty. When Hal Finney ran the first Bitcoin transaction and championed strong encryption, he wasn’t evading law enforcement. He was building the infrastructure for a world where individuals control their own data. When Phil Zimmermann released PGP and told the US government that privacy was a human right, he wasn’t being a radical. He was being correct.
The EU’s position — that encrypted tunnels should be decryptable by state actors — is not a security measure. It’s a power grab dressed up in the language of child protection and counter-terrorism. The same arguments, the same emotional blackmail, every single time. And every single time, the actual result is the same: ordinary people lose privacy, criminals adapt, and the state gets more access to data it has no business seeing.
Erik Voorhees said it best: “Privacy is not about having something to hide. It’s about having something to protect.”
What Happens Next
The formal legislative proposal on data retention is expected next month. The ProtectEU encryption roadmap trundles toward its 2030 target. The age verification debate will continue to generate misleading headlines.
If you care about digital privacy — and if you’re running a business in 2026, you should — here’s what to do:
- Audit your VPN architecture now. Know who your provider is, where they’re domiciled, and what they’ll do if forced to log.
- Consider self-hosted or non-EU VPN infrastructure for anything sensitive.
- Support the organisations fighting this. The EFF, EDRi, and companies like Proton are doing the heavy lifting.
- Don’t wait for the legislation to pass. By then it’s too late to architect around it.
The EU doesn’t want to ban your VPN. It wants to turn it into a surveillance pipe with a privacy logo on it. Don’t let them.
Mark Hendy is a PE-focused interim CFO and founder of Tanous Limited. He runs his entire digital infrastructure through encrypted, self-hosted systems and believes privacy is a right, not a feature.
