India urged to assert data sovereignty amid foreign cloud risk
India's current reliance on foreign cloud and data infrastructure is raising questions about national security, corporate resilience, and long-term control over sensitive information. Industry voices are calling for clearer policies and practical investment to strengthen data sovereignty.
Strategic dependency
Much of India's enterprise and consumer data remains hosted by international cloud vendors, including Amazon Web Services, Microsoft Azure and Google. These foreign-owned infrastructures support operations for a range of Indian businesses, including some of the country's largest technology enterprises. However, local businesses do not own the physical cloud environments underpinning their digital services.
This dependence places not just operational workloads but mission-critical data under outside control. Foreign legal regimes and the potential for international sanctions or policy changes pose potential barriers to unhindered access, while consolidation among major service providers introduces concentration risk. These risks are increasingly seen as threatening both commercial continuity and national interests.
Regulatory context
India's Digital Personal Data Protection (DPDP) Act establishes a framework for privacy, consent and data processing governance. Sector-specific rules-such as the Reserve Bank of India's data localisation mandates for payments-address issues at an industry level. However, these measures primarily target privacy and business agility, rather than asserting national control over where and how data is stored and processed.
Sectors using non-sovereign infrastructure, including payments, health, transportation, and e-government, face what experts see as systemic risk. Critical digital assets could be disrupted by outages, changes in foreign policy, or extraterritorial regulatory action, potentially threatening national continuity.
National strategy
Industry proposals include rapidly expanding government-led cloud initiatives and incentivising private sector co-investment. This approach would see policies encouraging the development of data centres and sovereign cloud stacks designed to achieve hyperscale capability. New models for governance and service level assurances could underpin both public sector workloads and a wider market for Indian businesses.
A suggested approach includes classifying data based on its strategic value. A tiered system could see stringent residency and control measures for Tier-1 critical data, while less-sensitive categories might be subject to lighter-touch oversight. Legal and operational frameworks would also be needed to manage business continuity risks if current providers are unable or unwilling to deliver services.
Corporate responsibility
The emerging consensus is that boards and management teams must revisit their understanding of data risk. Questions around how much telemetry and metadata leaves Indian jurisdiction, and how multi-cloud or hybrid strategies enhance resilience, are moving to the fore. Many organisations are urged to treat data management as a matter of corporate governance and strategic risk.
Calls are growing for rapid, board-level assessment of current data exposure. Techniques could include 'sovereign data maps' for organisations outlining data residency, risk categorisation, and potential legal or operational vulnerabilities. Insurance, robust contracts and contingency simulation exercises are being promoted as necessary for preparedness in the event of service disruption.
Private sector role
Experts believe that Indian technology service providers could play a critical role in translating these policy ambitions into day-to-day operational practices. Work with government and corporate boards would focus on mapping risk and shaping appropriate interventions for data continuity and resilience.
"The party that holds the data controls the power," said Ravi Kumar, CEO and Co-Founder, Cubastion Consulting.
