The case for Indian IPs and encryption
This article is authored by Piyush Somani, chairman and managing director, ESDS Software Solution Limited.
Imagine a $30 trillion economy with its complete data under the control of foreign-owned companies and institutions. How easy would it be for someone to prevent or slow down India's growth?

Digitalisation has changed how we capture, analyse and harness information. It is not just individuals and corporations who have developed a reliance on digital data, but nations as well, who use it to navigate an increasingly interconnected world. More than 137 crore Indians have a digital identity (Aadhaar), making the country highly technological today. DigiLocker released more than 674 crore documents, highlighting data sovereignty's strategic importance and statutory necessity.
But with such unprecedented access comes the attendant concern about security. We understand this with our concerns about user data privacy and cyber threats. In 2024, India witnessed a spike in cyberattacks; in the first four months, more than 740,000 incidents were reported. When it comes to nations, it translates into concerns about the safety and sovereignty of digital data.
India's digital infrastructure is heavily reliant on foreign Cloud Service Providers (CSPs). As it strengthens its Digital Personal Data Protection (DPDP) Act, India must confront the risks of foreign-controlled intellectual property and encryption standards.
Data is an asset. If India, a nation of over 1.4 billion people with a rapidly growing digital economy, loses control over its data, it will be nothing short of losing control over our nation’s future. It would place vital digital infrastructure in foreign hands and undermine innovation, fair competition, and the independence promoted by Atmanirbhar Bharat.
The lack of direct engagement and accountability makes it challenging for Indian organisations – both private and public -- to enforce their rights or safeguard their interests during conflicts.
· Data sovereignty and control: By using foreign IP addresses and encryption software, we, as a nation, give third parties control over our data. Foreign governments with jurisdiction over such organisations can impose regulations compelling service providers to disclose data, potentially compromising the sensitive information of Indian government agencies, companies and individuals. Data hosted on public clouds was a factor in about 34% of data breaches, indicating potential risks of infrastructure under foreign control.
· Legal risks: Data protection regulations differ by nation. Indian organisations may face legal ramifications if they unintentionally violate the compliance rules of the country in which their IP provider is based, because they rely on foreign infrastructure.
· Vulnerability to cyber threats: Data traversing international networks is susceptible to interception by malicious entities such as hackers for espionage. In 2024, the average data breach cost in India hit a record high of ₹195 million, up 39% from 2020 and 9% from the previous year. Foreign encryption software used by foreign service providers may contain vulnerabilities or backdoors, further endangering our data security.
· Vendor lock-in: To guarantee flexibility and innovation, India must deliberately mitigate the risks of vendor lock-in by cultivating a competitive ecosystem of domestic cloud and software providers, [even though sovereign solutions offer unmatched control.
Data sovereignty is more important than ever, especially regarding national security. This problem goes beyond the simple data storage concept; it involves who is in charge of the data, where it is kept, and who has access to it. According to IDC, spending on sovereign cloud services is expected to increase globally from $79.4 billion in 2022 to $258.5 billion by 2027, underscoring the growing significance of global secure and localised cloud infrastructures.
· With internet access, browsers are the easiest approach to regulating data because they allow for tracking every click. Foreign companies can gain access to sensitive data if they hold control. India needs local browsers to ensure data stays under national control and protects against foreign surveillance.
· Similarly, App stores handle the data produced by apps and manage the online marketplace. Foreign-controlled stores can misuse this information. App stores in India must be local to comply with local data protection regulations.
· Operating systems are the core of data management. If they were under foreign control, they could compromise security. India needs local operating system solutions to process and store all data domestically. Since India's economy is expected to expand to become the third largest in the world, protecting data using local operating systems is essential for both security and economic expansion.
It is beyond a doubt that the risks of foreign IPs and encryption are not restricted to operational disruptions, they threaten our strategic and digital autonomy. It is time the Indian government can take some of the following decisive steps to secure our digital future.
· Mandating India-controlled IPs and infrastructure: The use of IPs registered with Indian authorities can be a requirement of government tenders, especially those containing sensitive data. This would ensure data transmission stays under our control and within our jurisdiction.
· Promoting indigenous encryption standards: The government can incentivise the development and adoption of encryption standards created in India. We can reduce our reliance on foreign certificates and ensure that our data security mechanisms are aligned with national interests.
· Strengthening the Government Community Cloud (GCC): The GCC framework is an ideal step towards securing government data. However, its implementation has been diluted by foreign CSPs exploiting loopholes. A renewed focus on GCC, with stricter compliance and enforcement, is essential to restore its original purpose.
· Encouraging the India Cloud Stack: Much like the success of the National Payments Corporation of India (NPCI) in revolutionizing digital payments, India needs a dedicated cloud ecosystem developed and managed by Indian organisations. An India Cloud Stack would not only ensure data sovereignty but also drive innovation and economic growth in the country.
· Enhancing cybersecurity regulations: Policies need to address the evolving threats posed by our foreign dependency. Clear guidelines and penalties for non-compliance must be established to safeguard national interests. Ensuring protection against cyber attacks and interception during transmission requires a strong sovereign framework to prioritize protecting data in transit through secure VPN connections and cutting-edge encryption techniques.
In India’s digital transformation, it requires a concerted effort from policymakers, industry leaders, and Indian citizens.
The choices we make today will determine whether we become a global leader in technology in our digital transformation or remain dependent on external forces for our most critical needs. A robust and secure digital ecosystem should not only serve our immediate needs but also safeguard the aspirations of future generations. Data sovereignty is central to our national security and a source of unwavering national pride. Together, we can ensure that India’s digital future remains firmly in Indian hands.
This article is authored by Piyush Somani, chairman and managing director, ESDS Software Solution Limited.
