India’s digital backbone is far more entangled with US‑headquartered software, cloud and platform providers than most policymakers acknowledge — and that entanglement now reads as a strategic vulnerability that must be addressed if New Delhi wants meaningful digital sovereignty by 2030.

Background

India’s governments, businesses and critical infrastructure run on an architecture shaped over decades by market convenience, fast innovation and deep investment from global technology firms. That architecture delivers scale and features at low marginal cost — but it also concentrates control of updates, access and, in some legal situations, continuity in a handful of vendors headquartered outside India.
Recent high‑profile incidents — most notably a summer 2025 service suspension involving an EU‑sanctioned Indian refinery and Microsoft — made the tradeoffs painfully visible. The refinery said Microsoft temporarily restricted its access to Outlook, Teams and other Microsoft services after EU sanctions touched the company’s ownership; services were restored days later after legal action. The episode crystallised how corporate compliance decisions and cross‑jurisdictional rules can have immediate operational consequences in India. (reuters.com)
This feature examines the scale of dependence, the realistic threats it poses, the comparative models (EU and China), and an evidence‑based roadmap India can use to reduce risk while preserving innovation and global interoperability.

The scale of the dependence: what the numbers show

Short, verifiable facts matter when discussing national strategy. Recent public statistics and industry data paint a consistent picture: a few platforms and vendors dominate India’s digital stack.
  • Web browsers and web access: Google Chrome is by far the dominant browser in India, commanding roughly nine in ten pageviews on most professional and consumer devices (StatCounter places Chrome’s share near 89–90% in 2025). That concentration funnels enormous influence over web standards, feature rollout and content‑delivery behaviour to a single vendor. (gs.statcounter.com)
  • Mobile operating systems: Android overwhelmingly dominates India’s smartphone ecosystem, with StatCounter reporting Android share in the mid‑90s percent range. That means hundreds of millions of phones rely on Google’s platform, update channels and Play Services for security patches, app distribution and identity plumbing. The sheer scale makes Android a single point of platform dependency in India’s digital economy. (gs.statcounter.com)
  • Smartphone penetration and device counts: Independent market trackers and national reporting place India’s active smartphone base in the hundreds of millions — estimates commonly cited range from ~650–720 million active smartphone users in recent quarters. Because Android accounts for the vast majority of those devices, claims that “over 500 million smartphones rely on Google’s Android” are directionally correct, even if any single device count is hard to fix to the last digit. (ibef.org)
  • Cloud infrastructure: Globally, Amazon Web Services (AWS), Microsoft Azure and Google Cloud together control the lion’s share of public cloud infrastructure (Canalys/IDC place the combined hyperscaler share above 60–65% in recent quarters). Those same providers host thousands of Indian enterprise workloads — from fintech and e‑commerce to government projects — and continue to make large investments in Indian data centres. Hyperscalers offer features and SLAs that are still hard for smaller domestic providers to match at scale. (canalys.com)
  • Enterprise productivity and collaboration: Microsoft 365 (Office, Exchange, Teams) and Google Workspace are the de‑facto default productivity stacks for millions of Indian users. Exact seat counts per vendor in India are largely commercial data and not centrally published; reported figures that place tens of millions of seats on these platforms are plausible but not independently verifiable at single‑digit precision. This limits the ability to compute an exact inventory of exposure without direct vendor or buyer disclosures.
  • Operational tech and industrial control: Many electrical grids, water systems, factories and telecom nodes still run supervisory control and data acquisition (SCADA) and programmable logic controller (PLC) software from large multinational vendors. Those systems commonly embed proprietary code, operate with long life cycles and often use protocols or remote access patterns that were not designed around modern threat models — all of which raise real cybersecurity and resilience concerns. The academic and government cybersecurity literature documents both past attacks (e.g., Stuxnet) and frequent, unpatched ICS/SCADA exposures. (publicsafety.ieee.org)
Taken together, these patterns show that India’s digital stack is not fragmented across many small independent platforms but instead rests on a handful of global vendors that control the most used operating systems, browsers, cloud infrastructure and productivity suites.

Why this concentration becomes a sovereignty and security problem

Dependence on foreign platforms matters across multiple technical and legal vectors:
  • Operational control and continuity: When critical services (email, identity, collaboration, cloud databases) are hosted or operated by foreign firms, those firms’ compliance, contractual and risk‑management decisions can directly affect availability. The Nayara–Microsoft incident is a case in point: a compliance‑driven suspension had immediate operational impact and required legal challenge to restore services. (reuters.com)
  • Extraterritorial legal exposure: US‑headquartered firms must comply with US laws and court orders; EU‑linked regulatory pressure can also cause vendors to act in ways that affect non‑EU customers. This creates legal crosswinds where Indian entities may find themselves subject to foreign legal consequences that they cannot easily contest in Indian courts. The risk is not hypothetical.
  • Technical single points of failure: Operating system update channels, trusted root infrastructure, cloud control planes and identity providers are useful targets for disruption. ICS/SCADA components, in particular, often run legacy or embedded stacks that are difficult to patch and can be remotely manipulated through vendor maintenance channels or exploited via insecure protocols. While evidence of deliberate “remote kill switches” in mainstream vendor products is not publicly documented, the architectural realities and past attacks on industrial systems make the risk credible and material. (infosecinstitute.com)
  • Supply‑chain and software provenance: Proprietary binaries and closed‑source mission software (especially in defence or aviation) cannot be audited end‑to‑end by local authorities. Components of mission systems on platforms like the AH‑64E Apache and the P‑8I maritime aircraft include US‑origin mission software and lifecycle support — meaning operational support, patches and certain classified elements remain tied to foreign suppliers. This creates a maintenance and sovereignty dependency that is hard to eliminate without long timelines and significant investment. (boeing.co.in)

What other major economies are doing (EU and China): lessons and limits

The choice is rarely binary between global cloud vendors and full isolation. Two large comparators illustrate different models.

European approach: regulation + market building

The European Union pursues a hybrid path: regulatory pressure (Digital Services Act, Digital Markets Act, GDPR enforcement) plus funding and standard‑setting for regional alternatives (e.g., Gaia‑X sovereign cloud initiatives). The EU’s approach aims to preserve global interoperability while creating certified, privacy‑aware, interoperable European cloud and platform capacity. The lesson for India: regulation can reshape vendor behaviour and create procurement preferences for regional sovereignty, but it is slow and legally complex.

Chinese approach: state‑led stack replacement

China has aggressively cultivated an indigenous stack. Desktop and server Linux distributions (the Kylin family / openKylin), Huawei’s HarmonyOS for large swathes of domestic smartphones and strong state procurement preferences have materially reduced dependence on Western code in many sensitive sectors. That model is instructive on scale and speed but relies on centralized procurement levers, state subsidies and tight industrial policy that are politically distinct from a pluralistic, open Indian marketplace. Evidence of real substitution is visible: HarmonyOS now competes meaningfully with iOS in China and Kylin/OpenKylin adoption is promoted for government and critical sectors. (reuters.com)

A pragmatic roadmap for India to achieve meaningful digital sovereignty by 2030

Sovereignty is not a slogan — it is a multi‑year engineering and procurement program. The following phased plan is oriented to risk reduction, not isolation.
  • Inventory and risk classification (0–12 months)
      • Mandate a verified inventory of critical digital assets across central and state governments: OS footprints, cloud tenants, ICS/SCADA vendors, mission‑critical SaaS seats, identity providers.
      • Classify workloads into sensitivity tiers (Tier 1: national security/finance/critical infra; Tier 2: regulated services; Tier 3: non‑critical public services).
  • Ring‑fence the highest‑risk workloads (12–36 months)
      • Require Tier 1 workloads to run on certified sovereign infrastructure or on hyperscaler “sovereign” zones with Indian operational control and strict right‑to‑audit clauses.
      • Pilot migrations for a finite set of high‑risk services (e.g., central payments clearing, defence logistics, national emergency communication).
  • Scale sovereign cloud capability (24–60 months)
      • Expand MeghRaj/NIC National Cloud capacity, accelerate empanelment of Indian CSPs, and run SLA‑backed pilots with RBI, insurance regulators and telecom governance workloads. NIC’s MeghRaj initiative and recent empanelment efforts already provide an on‑ramp; scaling to hyperscaler parity will require focused capex and regional data‑centre growth. (nic.gov.in)
  • Build and certify indigenous alternatives for strategic software (ongoing)
      • Seed R&D and procurement programs to scale Indian enterprise SaaS (productivity, identity, collaboration) and EDR/XDR cybersecurity vendors with public‑private certification labs.
      • Adopt “open‑source first” procurement for many government apps to ensure auditability — Kerala’s experiments and national open‑source efforts show proof‑of‑concepts but will require scale and support to reach national needs.
  • Harden industrial control and defence supply chains (12–48 months)
      • Mandate security hardening, segmented remote maintenance, and “no‑single‑vendor‑control” clauses for SCADA/PLC systems in critical grids and plants.
      • Negotiate lifecycle and source‑code escrow arrangements for defence mission software where possible; pursue technology transfers and local MRO and software sustainment capacity for platforms like P‑8I and Apache where negotiated in procurement. (boeing.co.in)
  • People, skills and interoperability (ongoing)
      • Invest heavily in SRE, cloud‑security, open‑source engineering and ICS‑security training in government and industry.
      • Maintain interoperability standards (APIs, data formats) so sovereignty does not mean breaking global trade or preventing cross‑border services where appropriate.

Practical immediate steps Indian CIOs and policymakers can adopt tomorrow

  • Treat sovereign hosting as a strategic procurement category and demand explicit exit/interoperability guarantees in cloud SLA and master services agreements.
  • For regulated entities, require vendor contracts to include a “right to audit,” local keys for encryption, and commitments on continuity and advance notice of any account restriction.
  • Run tabletop failure and migration drills: exercise the ability to fail over email, identity and collaboration to alternate suppliers within 48–72 hours.
  • Prioritise ringfencing of the most mission‑critical systems (payments systems hosted by RBI‑regulated entities, emergency services, election infrastructure).
  • Fund and fast‑track auditable open‑source reference stacks for email, document storage and identity to establish credible alternatives.

Strengths of a sovereignty push — and real roadblocks

Strengths and upside

  • Reduces legal and operational single points of failure and helps keep nationally critical data and control circuits under domestic jurisdiction.
  • Creates new domestic industry — sovereign cloud and cybersecurity scale can create exportable services and high‑value employment.
  • Improves auditability for sensitive systems and helps reduce the risk of opaque cross‑border compliance actions disrupting operations.

Real roadblocks and tradeoffs

  • Scale and capability gap: hyperscalers have decades of engineering investment and staggering capex; replicating full PaaS, ML and CDN capabilities at national scale is capital‑intensive and multi‑year. Canalys and industry trackers show hyperscalers still capture the majority of global infrastructure spend. (canalys.com)
  • Migration and user‑experience costs: moving millions of productivity seats or enterprise workloads carries heavy integration, data‑migration and retraining costs.
  • Global trade and diplomatic friction: an overly protectionist push can invite trade complaints and hinder cooperation on cross‑border cybercrime and intelligence sharing.
  • False security: replacing foreign vendors with homegrown ones without rigorous security, code audits and operational maturity merely shifts the risk domestically rather than eliminating it.

What to beware of: overstated or unverifiable claims

A sober policy requires identifying which claims are verified, which are plausible, and which are asserted but not provable from public data.
  • Numbers like “25 million government and enterprise laptops running Windows” or precise seat counts for Microsoft 365 and Google Workspace in India have appeared repeatedly in commentary. They are plausible in scale but not publicly verifiable to the last digit from central registries; they should be treated as estimates unless publishers disclose vendor‑level license data or a national inventory is published. Flag: unverifiable exact totals.
  • Assertions of an imminent “kill switch” embedded by mainstream vendors are alarmist when stated as confirmed fact. There is no public evidence that major vendors intentionally built a global remote kill switch as policy. Still, architectural realities — privileged update channels, remote management features and legal obligations to comply with foreign orders — create credible operational dependence and scenarios where service interruption can occur. The correct tone is cautionary: the risk exists and is credible, not that it has been proven as a deliberate backdoor. (infosecinstitute.com)

A balanced set of policy recommendations

  • National inventory and mandatory sensitivity classification for central and state IT assets.
  • Regulatory requirement for critical sectors (finance, defence, power, emergency services) to have a sovereign‑certified hosting option or a validated hybrid plan with strong contractual guarantees.
  • Funding vehicles (public‑private partnership, sovereign capex funds) to scale NIC/MeghRaj and accredited domestic CSPs so they can reach enterprise‑grade SLAs.
  • Certification, code‑audit and vulnerability‑disclosure frameworks for vendors supplying Tier‑1 systems, including ICS/SCADA and defence mission software.
  • Incentives for domestic cybersecurity firms (EDR/XDR, cloud security) to build enterprise capabilities through procurement set‑asides and R&D grants.
  • A diplomatic, legal track: negotiate bilateral and multilateral frameworks to limit extraterritorial damage from foreign sanctions and to create predictable operational rules for vendors operating cross‑border.

Final assessment: sovereignty as resilience, not isolation

Digital sovereignty is achievable — but only as a long, pragmatic program that combines targeted public investment, procurement reform and realistic technical roadmaps. The objective should be operational sovereignty (guaranteed continuity, auditability and local control of the highest‑risk systems), not ideological decoupling.
India already has concrete building blocks — the MeghRaj/NIC National Cloud as an on‑ramp, large domestic firms (Tata, Jio, Zoho) with meaningful cloud and SaaS capabilities, and a thriving developer base. But turning those building blocks into credible sovereign alternatives will require disciplined, multi‑year investment, transparent certification regimes, and careful international diplomacy to protect trade and cooperation.
The debate is urgent because the dependencies are real and measurable: a majority mobile ecosystem on Android, near‑monopoly browser access through Chrome, hyperscaler domination of enterprise cloud, and entrenched vendor‑supplied software in defence and industrial systems. Each of these concentrations yields convenience and innovation today — and operational leverage for others tomorrow. Policy that treats digital sovereignty as resilience engineering rather than political posturing will give India the best chance of preserving both technological innovation and national autonomy by 2030. (gs.statcounter.com)

Source: Deccan Chronicle India Should Achieve Digital Sovereignty And Cut Dependence On US-controlled Digital Infra: GTRI