Why sovereign clouds are the foundation of India's digital future

As a country, India has accelerated quickly on the digital highway. Today, India is the third-largest digitalized country in the world, with its digital economy expected to grow twice as fast as the overall economy in the next five years. While India clearly is one of the global digital leaders, the nation's reliance on foreign technology service and platform providers is a huge threat to its national security and interests. The recent incident of Microsoft suspending services to Nayara Energy highlights the risks of relying on foreign players. While Microsoft has reinstated support, this incident highlights the vulnerabilities posed by global players. This is going to be even more relevant in the future, as India's digital economy is expected to grow to 20% of its GDP by 2030, from the current 11.74%. Hence, if India has to realize its digital ambitions, it must ensure that data governance and data sovereignty are at the center of every policy initiative.

The strategic importance of data sovereignty

Data is the oil of the new economy, and hence, it is crucial that this data remains available and accessible at all times without any limitations. During these volatile geopolitical times, this assumes greater significance. Data sovereignty can ensure that India's strategic assets remain under India's control and are insulated from foreign influence and control. This is also important as foreign service providers or hyperscalers are governed by the laws of the country they are situated in, as can be seen from the recent Microsoft–Nayara Energy incident.

As India rapidly accelerates and scales its digital initiatives, it is also becoming a hot target for cyberattacks. The reliance on foreign platforms can prove to be extremely risky. India, hence, needs a sovereign cloud (a cloud that is governed by Indian regulations and protocols and ensures that all data is subject to Indian jurisdiction), preventing foreign service providers from imposing extraterritorial decisions. A sovereign cloud can also ensure that data is stored by keeping in mind Indian regulations such as the DPDPA, which mandates that critical data must be stored locally. A sovereign cloud will also increase business confidence and provide much-needed clarity, similar to the European Union's GDPR.

India has started moving positively in this direction. Regulators such as the RBI and IRDAI have been holding the banking, financial services, and insurance sector accountable for cloud risk. Similarly, CERT-In has raised the bar for excellence with a six-hour incident reporting and mandatory log retention policy. These initiatives, when coupled with the DPDPA Act, are forcing Indian enterprises to rethink and re-examine how much control they have and are pushing these enterprises toward exploring genuine sovereignty cloud platforms.

It is also important to highlight that “sovereignty” is different from “data residency.” This was established clearly during the recent Microsoft–Nayara Energy incident, where the foreign service provider could cut off access even though the data was in India. Data residency refers to only the physical location of the servers where the data is stored, while sovereignty goes much deeper. It means a country's control over its data, including encryption keys or emergency access protocols, irrespective of the physical location. This underscores the critical need for sovereign clouds, where systems are managed completely by entities or companies that are subject to Indian laws with complete control over data, logs, and other tools.

To enable a rock-solid digital foundation that can scale quickly and responsibly, India needs to establish clear, accountable standards of data sovereignty. The foundation of data sovereignty must rest on three fundamental pillars: Control, Compliance, and Continuity. Let me explain. Control means that data must reside in India with local encryption keys and operations governed by Indian regulations and law. The criterion of continuity needs clear exit terms, full disclosure of sub-processors (tasked with data processing and cloud management, for example), and domestic teams capable of meeting CERT-In’s deadlines. The third requirement, Compliance, that needs to be clearly defined is tamper-evident audit logs adhering to RBI, Sebi, and IRDAI requirements. This is vital for company boards to adhere to compliance with confidence and prove accountability beyond doubt. This foundation is extremely critical for sectors such as healthcare and BFSI, which handle sensitive data.

Sovereignty: A much-needed reality

The path ahead is clear. Sovereignty must be documented in law and not left to different interpretations. There is a need for a MeitY-led certification that extends beyond physical data location to cover encryption keys, operational autonomy, and India-only support. This can standardize legally bound contracts across sectors such as BFSI, healthcare, and government. It will also help enterprises embed clauses for data portability and protect Indian entities from foreign legal ramifications.

We have seen sovereignty move from rhetoric to engineering over two decades of serving regulated industries. As one of India’s MeitY-empanelled cloud providers, we have built platforms with India-based operations.

Going forward, as AI becomes more central to every application and process, sovereign cloud will become indispensable. Sovereign clouds will ensure that the data powering AI algorithms remains under Indian jurisdiction and under domestic control. Without sovereignty, India risks building its digital foundations on infrastructures where the levers of control are outside its borders. By embedding the three Cs (Control, Continuity, and Compliance) into the fabric of our digital foundation, India can ensure that India's growth. 

Author: Piyush Prakashchandra Somani, Promoter, Managing Director, and Chairman, ESDS Software Solution Limited

More for you:

Rewriting developer DNA with AI, code copilots, and hybrid workflows

How anyone can create an app or website without coding skills

Specter Is the Secret Sauce Behind India’s Next Gaming Boom

How to Write Viral Retro-Style Portrait Prompts in Google Gemini AI

ChatGPT Atlas vs Microsoft Edge Copilot vs Perplexity Comet: Which AI Browser Is Right for You?