In an environment where policy can move faster than platforms, Indian enterprises must revisit an uncomfortable yet critical question: Do we truly control our cloud infrastructure, or are we renting it under someone else’s legal terms?
This isn’t alarmism. It’s a new reality.
The rules are shifting, so should your questions
On 7 August 2025, the United States imposed a blanket 25% tariff on Indian exports: a policy recalibration with ripple effects across procurement, pricing, and ecosystem stability [1]. Around the same time, U.S. export-control rules restricted the use of advanced AI chips and GPU cloud access in over 120 countries [2]. Indian companies—especially those in AI, manufacturing, and research—were forced to rethink not just compute sourcing but also where and how they hosted their AI workloads.
Meanwhile, 144 countries now enforce national data protection laws, many requiring strict data localisation [3]. IDC estimates that 65% of enterprises will mandate data sovereignty clauses in new cloud contracts by the end of 2025 [4]. And yet, the majority of Indian enterprises still rely on cloud service providers (CSPs) governed by foreign jurisdictions, assuming availability and neutrality in a world that’s proving neither.
These developments should prompt every Indian CIO to pause and ask: Are we building our digital future on foundations we truly own, or just access temporarily?
Five questions every CIO should be asking today
1. Who can legally switch off our cloud?
Many CSP contracts defer to the laws of their home country. If those laws change—via sanctions, export restrictions, or diplomatic recalibrations—the provider is obligated to act in compliance, not in partnership. This means Indian businesses could lose access to services, data, or infrastructure not because of a breach, but because of foreign political decisions. It is essential to examine contract clauses on governing law, jurisdiction, and service termination triggers.
2. Where does the control plane reside—and under whose law?
It’s not enough to know that your data is stored in India. What matters equally is where the control plane—the orchestration logic, metadata, and management APIs—resides. If this sits outside Indian jurisdiction, your organisation’s ability to act during a crisis is constrained. Data localisation alone is no longer sufficient; control locality is just as critical.
3. What is our CSP’s plan for sanctions-related disruption?
We routinely test for disasters such as cyberattacks or outages. But few organisations ask their providers how they would respond to geopolitical disruptions. What happens if foreign policy decisions force the CSP to suspend service? Does your provider offer local continuity protocols, dual key management, or sovereign operational zones? If these conversations aren’t happening now, they’ll arrive too late when it matters most.
4. If access is denied, where will we go for legal redress?
In the event of a dispute or service suspension, your path to legal recourse must be local. CSPs that operate solely under foreign law—and expect arbitration in overseas jurisdictions—leave Indian enterprises with little leverage during a crisis. Legal recourse that begins twelve time zones away may not arrive in time to restore mission-critical workloads. Contracts must be structured to ensure Indian jurisdiction applies to service interruptions and dispute resolution.
5. Do our cloud workloads match the sensitivity of our data?
Not every workload needs sovereign cloud hosting, but some absolutely do. Board minutes, payment data, personal health records, and government projects cannot be treated the same as development sandboxes. Proper workload classification—public, restricted, confidential—is essential. Without it, sensitive data may be exposed to jurisdictions that do not offer the same legal protections or assurances as Indian law.
Rethinking cloud decisions through the lens of sovereignty
Sovereignty is no longer an optional design principle—it’s a strategic imperative.
For Indian enterprises, the sovereignty conversation must move beyond compliance into the realm of control, continuity, and risk containment. The global landscape is no longer neutral. Cloud environments are increasingly shaped by the politics, policies, and priorities of the countries that govern them. And when those priorities shift, it’s not infrastructure that takes the hit—it’s your business.
This is why cloud decisions today cannot be based solely on performance metrics or feature parity. They must be based on ownership of control, jurisdictional alignment, and business resilience. Indian CIOs and boards have a responsibility to ensure that the cloud supporting their mission-critical operations is governed by Indian law, hosted within Indian borders, and operated by entities legally accountable in India.
It is time we placed sovereignty on par with scale, cost, and innovation. Because when the next shockwave arrives—not if—it’s this dimension that will separate those who stay online from those left negotiating terms.
Learn more here.
Sources
- Deccan Herald, ‘US tariff: Why all is not unwell,’ 4 Aug 2025
- U.S. Federal Register, ‘Framework for Artificial Intelligence Diffusion,’ 15 Jan 2025
- IAPP, ‘Global Privacy Laws 2025: Interactive Map,’ Jan 2025
- IDC Future of Trust 2023 Predictions
Read More from This Article: Cloud control in an unruly world: 5 questions every CIO in India should be asking
Source: News