The systems that run a modern state can be switched off by people who do not answer to it. India is only now confronting what that means.

---

In the span of a single year, two episodes exposed a vulnerability that India’s policymakers have long acknowledged in principle and underestimated in practice.

In July 2025, Nayara Energy — operator of one of the country’s largest refineries and a fuel-retail network spanning thousands of outlets — lost access to its own digital infrastructure. Microsoft suspended its email, collaboration tools and cloud services, citing the European Union’s latest sanctions package against Russia, to which Nayara was exposed through Rosneft’s roughly 49% shareholding. The company’s licences were paid in full; it had violated no Indian or American law. An American corporation, enforcing a European decision, disabled the operating systems of an Indian enterprise functioning entirely within India.

Nine months later, in April 2026, the Delhi Police Special Cell traced a quieter breach. Inexpensive, solar-powered Chinese surveillance cameras installed near defence installations across four sensitive states had spent nearly three months streaming live footage of troop and convoy movements to servers in China, from where the feeds reached handlers abroad. The cameras relied on a Chinese cloud platform. Each device was a small, lawful, low-cost purchase. Collectively they functioned as a foreign intelligence asset embedded in Indian territory.

The two incidents appear unrelated — one a commercial sanctions dispute, the other an espionage operation. They are, in fact, the same problem in two registers. India’s economy, administration and security increasingly run on digital infrastructure that is owned, operated and ultimately controlled by entities answerable to other governments. That dependence, and the strategic exposure it creates, is the substance of the digital sovereignty debate.

Redefining the question

Digital infrastructure is the track on which contemporary commerce, governance and national security operate. Digital sovereignty is a state’s capacity to retain effective control over that track: over the data its citizens generate, the software its institutions depend upon, the cloud where its records reside, and the code embedded in its critical systems.

The decisive concept is control, not physical location. A common and costly assumption holds that data stored on servers within India is therefore under Indian authority. It is not. Under prevailing global data-governance regimes, a foreign technology provider can be legally compelled by its home jurisdiction to surrender data in its possession, irrespective of where that data is physically held. The operative question is therefore not where the data sits but who can issue binding instructions about it. Where the answer is a corporation accountable to a foreign sovereign, effective control has already migrated abroad — regardless of the location of the hardware.

Why this is a security question

It is tempting to treat digital sovereignty as a matter of procurement or IT policy. The two episodes above demonstrate why that classification is inadequate.

The civilian exposure is direct. Authentication systems, productivity platforms, payment back-ends and cloud services across Indian government and industry sit atop foreign-owned technology stacks. A directive from an external authority — a sanctions order, an export-control measure, a foreign court ruling — can, in principle, suspend public operations, interrupt manufacturing, freeze commerce or immobilise a strategic enterprise. The Nayara case confirmed that this is an operational reality, not a theoretical risk.

The defence exposure is more serious still. Modern warfare is software-defined: the functional intelligence of a fighter aircraft, a missile system or an advanced radar resides in code rather than in metal, and that code frequently remains under the control of manufacturers answerable to foreign governments. In a conflict, such systems could be degraded in accuracy, constrained in range or fed corrupted intelligence through a routine software update. India encountered an early version of this logic in 1999, when access to precise satellite positioning was reportedly restricted at a critical juncture during the Kargil conflict — an experience that directly motivated the development of an indigenous navigation capability. The surveillance-camera breach is the same lesson at smaller scale: dependence on another state’s technology is a vulnerability that a capable adversary will eventually locate and exploit.

A global reassessment

India is not alone in this reckoning. Governments that once regarded reliance on a small number of predominantly American technology firms as benign convenience increasingly treat it as strategic exposure.

France intends to migrate government departments away from mainstream foreign collaboration and conferencing tools toward a sovereign platform by 2027. The Netherlands, Denmark and several German states are developing or adopting domestic alternatives to widely used American software and cloud services. The European Union is pursuing independent cloud and IT infrastructure to reduce its dependence on American technology, and Türkiye is working to lessen its reliance on foreign systems. In a few years, digital sovereignty has moved from the periphery of policy discussion to its centre.

India’s distinct position

The comparison must be drawn carefully, because India’s circumstances differ materially from those of its European counterparts. They are established powers managing dependence among allies; India is a rising power, and that distinction reshapes the analysis.

Power Transition Theory is instructive here. It holds that as a rising power seeks strategic autonomy, the prevailing hegemon tends to act to contain or absorb it — a dynamic visible at scale in contemporary US–China relations. As India advances along its own trajectory, it approaches the same contested zone: pursuing economic ascent on a technological foundation it does not fully control, while the powers above it retain strong incentives to preserve that dependence. China’s response was to confine the development of critical technologies to indigenous firms, accepting a degree of international isolation as the cost. India can neither replicate that model wholesale nor ignore the structural pressure it reflects.

What India is getting right

The situation is far from one of helplessness. India has produced some of the most persuasive examples anywhere of recovering digital sovereignty without retreating into autarky.

The most compelling case is in payments. The Unified Payments Interface and the RuPay network show that the vulnerabilities of foreign-controlled systems can be overcome — and that an indigenous alternative can prove cheaper, more widely adopted and more resilient than what it displaced. That template — building sovereign digital rails — is now being extended.

Other measures point in the same direction. Following the surveillance breach, the Ministry of Home Affairs ordered a nationwide audit of installed cameras and restricted non-certified internet-connected devices, underpinned by a security-testing regime that examines hardware at the chipset level; domestic manufacturers have rapidly displaced foreign suppliers in that market. Central ministries have begun shifting official email to a home-grown platform, and the domestic semiconductor ecosystem is being strengthened, with commercial production commencing at a major chip assembly and packaging facility in Gujarat. On the partnership front, India is favouring mutual rather than one-sided dependence: collaborative defence programmes such as BrahMos built capability without isolation, and India’s participation in a US-led initiative on AI and supply-chain security reflects a strategy of deepening trusted partnerships while reducing reliance on any single source.

The unifying principle is that sovereignty need not mean self-imposed isolation. The more durable approach is diversified interdependence — enough collaboration to share cost and risk, spread widely enough that no single external actor can disable the system at will.

The foundation: closing the R&D gap

Beneath these developments lies a slower and ultimately more decisive constraint. A nation cannot own technology it does not invent, and India still invests too little to invent at the necessary scale. Between 2000 and 2020, its gross expenditure on research and development averaged roughly 0.74% of GDP, against a global average near 2.07%. That persistent shortfall is the structural origin of digital dependence — each imported platform, cloud service and chip design is, in part, a consequence of research not funded domestically. For a country of India’s demographic and economic ambition, the relevant question is not whether it can afford comprehensive technological sovereignty, but whether it can afford to forgo it.

A policy agenda

A coherent response would rest on five priorities. First, expand sovereign digital public infrastructure, extending the logic of UPI and RuPay to cloud, identity, communication and productivity. Second, secure the hardware layer through mandatory, chipset-level certification that covers not only cameras but the recorders, drones and connected devices left outside the first round of regulation. Third, diversify dependence across multiple trusted partners so that no single sanction, export control or foreign ruling can paralyse Indian operations. Fourth, evaluate technology security before deployment in critical systems rather than after the next breach forces a reaction. Fifth, raise research spending toward global norms, since without indigenous invention every other measure remains a temporary patch.

Conclusion

Digital sovereignty is neither techno-nationalism nor a rejection of the world’s best technology. It is the more elementary assurance that the systems running a country’s economy, government and armed forces will continue to function even if a corporation in one jurisdiction, acting on the instruction of another, decides they should not.

Nayara Energy could not access its own correspondence. Indian military movements were observed through cameras bought for a few thousand rupees apiece. Both were warnings in different registers, conveying the same message: in the digital age, control is sovereignty — and a state that does not own the switch can always be switched off.