Data sovereignty and cloud computing: A call to action for Indian businesses

In a rapidly digitising world, data has become the new gold—a precious resource that demands safeguarding. For Indian businesses, the concept of data sovereignty has evolved from being a regulatory buzzword to a critical operational imperative. 

At its core, data sovereignty ensures that information is subject to the laws of the country in which it is collected or stored. However, as organisations increasingly embrace cloud computing for its scalability and efficiency, navigating the complexities of data sovereignty has become a significant challenge.

In recent years, the Reserve Bank of India (RBI) has taken decisive actions against financial entities for non-compliance with data localisation norms. Notably, in April 2021, the RBI barred American Express and Diners Club International from onboarding new domestic customers due to their failure to store payment system data exclusively on servers located within India.

Similarly, in July 2021, the RBI imposed restrictions on Mastercard for non-compliance with the data localisation mandate, preventing the company from issuing new cards in India. 

The cloud conundrum: Opportunities meet risks

Cloud computing has revolutionised the way businesses operate, enabling them to process and store massive amounts of data effortlessly. But with great power comes great responsibility. When businesses rely on international cloud vendors, their data often travels across borders—sometimes landing in jurisdictions with conflicting laws. This exposes Indian enterprises to the risks of non-compliance and potential breaches of trust.

Take, for instance, the Digital Personal Data Protection (DPDP) Act, 2023, which mandates stringent measures to prevent data breaches. Non-compliance could result in penalties of up to ₹250 crore (〜$30 million). Add to this the requirement by the Indian Computer Emergency Response Team (CERT-In) to report cybersecurity incidents promptly, and the stakes become even higher.

For Indian businesses, especially startups, the cost of neglecting data sovereignty isn’t just financial—it’s existential. Not knowing about the law does not absolve you from the consequences of breaching them, even unknowingly.

The evolving regulatory landscape

The Indian government has been proactive in addressing these challenges. In January 2025, the draft Digital Personal Data Protection Rules introduced a significant provision: mandatory data localisation. This regulation requires specific categories of personal data to be stored and processed within Indian borders, ensuring greater control and security.

Furthermore, initiatives like the MeghRaj Cloud framework aim to bolster India’s cloud infrastructure, reducing dependency on foreign providers. The Reserve Bank of India’s pilot programme, set to roll out in 2025, will offer local cloud storage solutions tailored for financial enterprises. These developments underscore the government’s commitment to data sovereignty while creating opportunities for businesses to align with national interests.

Strategic roadmap for businesses

Adapting to these changes is not just a matter of compliance; it’s about staying competitive in a data-driven economy. 

Here’s how Indian businesses can navigate this landscape effectively:

1. Audit data practices: Conduct a thorough review of current data storage and processing practices. Identify risks associated with cross-border data flows and address vulnerabilities proactively.
2. Partner with compliant cloud providers: Opt for providers with data centres in India to ensure compliance with localisation mandates. Local partnerships can mitigate risks and simplify adherence to evolving regulations.
3. Enhance data protection: Develop robust policies aligned with the DPDP Act and other laws. Invest in technologies like encryption and advanced security measures to safeguard sensitive information.
4. Stay informed: Regulatory landscapes change rapidly. Businesses must stay updated on new laws and guidelines to avoid compliance gaps.
5. Train employees: Build a culture of data security by educating employees about compliance requirements and best practices. An informed workforce is a key defence against breaches.

A golden opportunity for Indian startups

The push for data sovereignty is not just a regulatory hurdle; it’s a chance for innovation.

Startups, in particular, are uniquely positioned to capitalise on this shift:

• Localised cloud solutions: Develop cloud platforms tailored to Indian regulations, offering secure, compliant alternatives to global providers.
• Advanced security tools: With a heightened focus on data protection, there’s a growing demand for innovative encryption technologies and compliance management solutions.
• AI within sovereign borders: The government’s IndiaAI Mission has unlocked funding opportunities for startups to build AI and machine learning applications using localised data.

As businesses traverse the intricate pathways of cloud computing and data sovereignty, the road ahead is clear: adapt, innovate, and secure. The emphasis on localisation isn’t just about regulation; it’s about building a resilient digital economy where trust and security are foundational pillars.

Indian enterprises stand at a crossroads. By embracing data sovereignty and aligning with governmental initiatives, they can not only mitigate risks but also unlock new avenues for growth. The question isn’t whether businesses can afford to prioritise data sovereignty, it’s whether they can afford not to.

The author is CEO of Verge Cloud, a platform in content delivery network, cybersecurity, and edge computing.