Option 1 states that data centres and service providers must report cyber security breaches within 24 hours according to the guidelines issued by the Indian Computer Emergency Response Team (CERT-In). This is incorrect since there is no mention in the CERT-In guidelines about the obligated timeframe to report cyber security breaches.

Option 2 claims that Virtual Private Network (VPN) providers need to retain user data for at least five years and share these records with authorities when required. According to the guidelines, this statement holds true as VPN providers are indeed required to retain user data for a specified period and share this data when demanded by authorities.

Option 3 suggests both statements are correct, which is incorrect as explained above. Option 4 posits that neither statement is correct. However, statement 2 is correct, making this option incorrect as well.

Hence, option 2 is the correct answer since the VPN providers are indeed required to retain user data for a certain duration as per the CERT-In guidelines.