On July 22, 2025, Nayara Energy, India’s second-largest private oil refiner, lost access to its Microsoft-hosted cloud services.
Why? Because Russia owns a 49% stake in Nayara. And Microsoft, citing compliance with the European Union’s latest sanctions package, cut off access.
There was no prior warning. And critically, Nayara couldn’t access even the data it had paid to store.
The company moved to the Delhi High Court seeking immediate relief. According to reports, Microsoft restored access just before the hearing. In a statement, the company said it had resumed services and was in “ongoing discussions” with the European Union.
Microsoft is quoted as stating: “Microsoft is committed to supporting all its customers in India and worldwide and has restored services for Nayara Energy. We are engaged in ongoing discussions with the European Union towards service continuity for the organization.”
On the surface, this might appear to be an isolated commercial dispute. But underneath lies a question far more consequential: What happens when core infrastructure, used by both private and public sectors, can be turned off without notice by a foreign company?
India has made considerable progress in digitization. But much of what powers this transformation, cloud platforms, backend systems, and data infrastructure, remains under the control of foreign entities. And while the physical servers may sit within Indian borders, control of software layers, data access, and legal oversight still resides elsewhere.
This raises a difficult, but necessary question: If the data stays in India, but the kill switch lies abroad, how sovereign are we?
When Geography Isn’t Enough
India has welcomed foreign capital in cloud infrastructure. And while local data centers have mushroomed, geography alone doesn’t offer protection.
Take Microsoft Azure. While user-facing portals might be locally hosted, backend processing can happen across borders. Indian data, whether commercial, personal, or even governmental, can still fall under foreign surveillance laws, such as the U.S. CLOUD Act.
Or take RISAA (Reforming Intelligence and Securing America Act). Under RISAA, American companies like AWS, Microsoft, and Google can be legally compelled to share user data in the name of “national security.”
These platforms are widely used by Indian institutions, including in sensitive sectors. With such provisions baked into the architecture of global cloud computing, many countries, including India, could be at the mercy of powers beyond their borders.
Other Countries Haven’t Left This to Chance
How have other countries fared? Let’s explore.
China doesn’t allow foreign cloud providers to operate independently. The cloud providers must partner with licensed local firms that retain full control.
In Europe, governments are moving sensitive workloads off U.S.-based platforms altogether.
France’s Cloud de Confiance is a policy with legal teeth. Public-sector workloads are now required to comply with France’s certification regime that enforces local jurisdiction and EU law. Significantly, they are governed entirely by French entities and protected from extraterrestrial laws like the U.S. CLOUD Act.
Germany is going down a similar path. A sovereign cloud operated by T-Systems (a Deutsche Telekom subsidiary), in collaboration with SAP and Microsoft, is being stood up specifically for the public sector. Critically, this cloud is fenced off from Microsoft’s global network, legally and technically, ensuring that German law, not U.S. courts, governs data access.
Crucially, when challenged by compliance risks, nations have preemptively decoupled with foreign cloud providers.
Take Hesse, a state in Germany, which pulled Microsoft 365 out of its schools and administrative systems. The reason? Lack of assurance on GDPR compliance and fear of foreign surveillance.
France’s Health Data Hub made a similar move, switching from Azure to a domestically controlled cloud after privacy watchdog CNIL flagged sovereignty risks.
India’s (Baby) Steps Toward Digital Sovereignty
India has taken some steps. The Digital Personal Data Protection Act, along with RBI and IRDAI mandates, push for data localization. Government-run clouds like Meghraj and the National Government Community Cloud aim to host official workloads.
But the Nayara incident is a reminder that India needs to scale up its digital sovereignty to the national level on a war footing.
What India Can Do
If we are serious about digital sovereignty, there are a few first principles worth adopting:
- Ensure that critical public-sector data resides on Indian-operated clouds, with end-to-end control—physical, legal, and software.
- Mandate joint ventures for foreign cloud players operating in regulated sectors.
- Invest in domestic alternatives: Not just in hardware, but full-stack cloud platforms with verifiable performance and auditability.
- Create phased transitions away from foreign hyperscalers for sensitive government workloads.
- Insist on transparency. Mandate audit logs, access trails, and data flow controls enforceable under Indian law.
It’s Not Just About Servers
The Nayara case offers a preview of what’s possible when external levers are pulled.
This isn’t limited to the private sector. Governments must ask: if a future policy conflict arises, could essential services be suspended overnight?
The SWIFT sanctions on Russia offer a clue. Once cut off from the global financial messaging system, Russia’s ability to transact globally was severely disrupted. The goal was to paralyze systems without firing a shot.
In fact, Special Ops Season 2 focuses on a cyber-terrorism plot, where the protagonist and his team (part of Indian Intel) work to prevent India’s UPI system from being taken over by an antagonist.
This is modern warfare. And digital infrastructure is part of the battlefield.
The Strategic Imperative
Digital sovereignty is about having the ability to operate independently when needed. The goal is to brave adverse situations without succumbing to foreign powers. As the Nayara episode shows: it’s not enough for our data to stay here. The power to access it must stay here too.
I conclude with Zoho founder, Sridhar Vembu’s wise counsel:
“On tech sovereignty, we still have a lot of work to do as a nation. As a company, we are investing heavily in numerous areas of tech and we have pledged to do even more.
The next 2 decades are critical because we have favorable demographics and we have to use all that youthful talent.
Even as we seek to build advanced capabilities, we need to maintain good international standing. Our government and our Prime Minister are doing a commendable job.
It is not in our national interest to pick fights with powerful nations. I hope our entire political class realises this. As a wise statesman counselled “we must bide our time”.”
TL; DR Version: Apna time ayega. But we have work to do, loads of it.
Musings by Madhav 
Leave a comment