It was recently reported that Microsoft had suddenly cut off access to vital cloud services for Nayara Energy, a leading private fuel retailer and refinery operator in India, on grounds of compliance with Western sanctions against Russian-owned enterprises. The shocking action, triggered due to the involvement of the Russian shareholder of Nayara, Rosneft, threw Nayara into disarray to revive its digital operations and created a wave of concern through India’s policy and corporate circles. The incident reignited an old debate: How susceptible is a country’s technological foundation to executive suite decisions around the globe, and what does really amount to “tech sovereignty” for giant economies such as India?
It might seem simple at first sight, the solution presented in most op-eds and government slogans: transfer our sensitive workloads to domestic or open-source alternatives, maybe require the localisation of servers and data, and exclude the West’s Big Tech from the equation. But if only issues of 21st-century digital interdependence were so straightforwardly disconnected. Reactive policies based on the shock of a single event tend to produce an atmosphere of instant gratification without addressing the underlying difficulties – or even discerning their real cost and extent.
The Nayara-Microsoft standoff needs to be viewed against the backdrop of the larger digital dependencies underlying contemporary economies. India, similar to every other country, has quickly adopted cloud computing, with the Indian public cloud market projected to exceed $17.8billion in 2027. The majority of large Indian enterprises already depend on the troika of Microsoft, Amazon, and Google for core cloud infrastructure. The irrefutable efficiency, availability, and integration that these platforms provide is exactly why they are so ingrained in everything from oil refineries to banks to hospitals. However, it is precisely this embeddedness that generates systemic exposure to geopolitical risks.
Responding, one is tempted to view a silver lining, even an opportunity, in “digital atmanirbharta,” or self-reliant tech infrastructure. Open-source fundamentalists cite enormous, pliable software universes free of foreign firms’ whims. Politicians speak of the benefits of keeping critical data and services within Indian territory, safeguarded by geography and statute. Local industry lobbies make the case for special treatment, seeking to profit from vulnerabilities laid bare by the Nayara episode.
But a clear-eyed examination reveals actual, usually overlooked trade-offs. Moving mission-critical operations from international cloud providers to on-premises infrastructure or local platforms isn’t simply an engineering effort; it’s an organisational heart transplant. Cloud migration for a big company can simply cost tens of millions of dollars, apart from ongoing investments in hardware, security, and reskilling, industry estimates indicate. The productivity and security advantages that international cloud services provide – multiple levels of security, real-time scalability, ongoing innovation – are difficult to produce domestically at pace and scale. There is a reason why Indian startups, MNCs, and government departments alike turn to international cloud leaders.
Likewise, data localisation, while well-meant, is no silver bullet. Requiring all sensitive information to remain within the country can drive up compliance costs by as much as 30%, thereby making Indian businesses less competitive in the world. More seriously, it will undermine user experience, hinder global cooperation, and ironically expose data to greater risks if local security standards fall behind global best practices. Australia’s push for data localisation in key sectors, for example, did not lead to any substantive decrease in cyber-attacks, but did incur increased expense and a chilling effect on cross-border R&D collaborations.
The reflexive charge towards open-sourcing is replete with its own dangers. Open-source software, favoured for its openness and adaptability, places enormous burdens on maintenance, security patching, user training, and continuity guarantee. Countries such as Russia and China, despite massive investments, have struggled to supplant Western vendors in their enterprise IT stacks. Wholesale migrations rarely go as planned – see the German city of Munich, which after a decade-long, expensive turn to Linux, reversed course and returned to Microsoft in 2017, citing user dissatisfaction, interoperability problems, and steep hidden costs.
More fundamentally, all of these approaches – cloud repatriation, localisation, techno-nationalism – get the location where data sits or the name of code confused with real strategic independence. Sovereignty has nothing to do with the box or the badge on your server shelves; it is about having strong leverage, crisis-ready agility, and viable fallbacks.
So, what then should a country committed to tech sovereignty do? The response is a mixed, multi-dimensional approach that sees not only technical, but diplomatic, economic, and strategic aspects. Diplomatic contact comes first. The Nayara case is a textbook example: It was Western sanctions and regulatory risk, rather than a Microsoft engineering debacle, that caused the cutoff. Acting with allies and multilateral organisations, nations such as India require forewarning, exemptions, or bargained flexibility in circumstances where sanctions cut across legitimate local concerns. Subtle back-channel negotiation, rather than public diplomatic battles, more frequently opens avenues to practical, face-saving compromises.
Second, asymmetric leverage goes untapped. India’s vast and rapidly expanding digital market makes it a key participant in international tech supply chains. Strategic application of access to markets, procurement orders, or cross-industry negotiations – airplane purchases, telecom frequencies, patents – can be powerful instruments to leverage digital negotiations. Occasionally, the stick of delayed approvals or regulatory inspection can push even the largest companies into more adaptable, more open partnerships.
Third, stress-testing of continuity plans should be prioritised by public-private partnerships. Rather than “all or nothing” migrations, key sectors may build hybrid models that integrate the local control of on-premises solutions for the most sensitive functions with the global reach and resilience of large cloud services. Systematic, periodical “tabletop exercises” – roughly speaking, wargames of IT shutdown or sanctions incidents – can get the government and industry ready to respond quickly to the unanticipated, limiting the potential for any given vendor’s action to immobilise the system.
In addition, instead of blanket requirements, governments can encourage the creation of indigenous alternatives in specific, niche areas – digital payments, language translation, or local health data – where domestic solutions can truly provide scale, security, and domain experience. Autarky should not be the objective, but legitimate alternatives that build bargaining leverage and diminish single points of failure.
Above all, rational cost-benefit thinking needs to become the standard. Prior to prescribing expensive migrations, localisations, or prohibitions, policymakers ought to seriously examine: What is the actual risk the policy is seeking to diminish? What is the true cost of acting vs doing nothing? Who gets billed, who gets paid, and is there a less wasteful or less destructive means to the same ends? This restraint is vital not only for efficiency, but also for responsibility. All too frequently, digital “sovereignty” measures are introduced to placate a domestic political audience, rather than deal with the issue at hand.
Contemporary scholarship frames technological sovereignty not as a binary of autarky versus dependence, but as a dynamic spectrum involving agency, control, and strategic autonomy for states and societies within a globally networked system.
True technological sovereignty is about a nation’s capacity to act and make independent choices in the international system, rather than owning each piece of infrastructure or source code for its own sake. This approach regards sovereignty as a form of agency – maintaining the ability to set priorities, direct innovation, and respond to challenges without undue reliance on potentially adversarial, external actors. Importantly, sovereignty must be balanced with openness, collaboration, and participation in global value chains – since extreme isolationism (“autarky”) incurs steep costs and undercuts national welfare and competitiveness.
There is a need to distinguish between different degrees of sovereignty: from full control over all tech components and knowledge, to strategic reliance on external partners while retaining system-level control, all the way to wholesale dependency where nations lack the knowhow or capacity to operate critical infrastructure independently. The goal, therefore, is not to maximise insulation, but to maximise options and resilience – the ability to absorb shocks, switch suppliers, and maintain critical functions in times of stress – and not go for policy responses that are more symbolic than substantive – for example, localising data or mandating open source – as immediate, visible actions that may not address root vulnerabilities.
The Nayara shutdown lesson is not just one of foreign cloud risk, but of the price of simplistic fixes. It is an age of unavoidable interconnectedness; sovereignty has to be constantly renegotiated – not with technology alone, but with diplomacy, economic means, and strategic foresight. India and other digitally aspiring countries would do well to recall: true autonomy is crafted through pragmatic, rational, and durable choices, rather than merely reactive ones.
