Centre keen firms in critical sectors use ‘Made in India’ cloud systems

The central government has indicated a preference for firms operating in critical sectors — including banking, energy, and public utilities — to migrate thei...

What Happened

The central government has indicated a preference for firms operating in critical sectors — including banking, energy, and public utilities — to migrate their data and workloads to domestically built cloud systems rather than foreign hyperscalers.
The push follows an incident in 2025 where a major oil refiner's cloud services were temporarily suspended by a foreign provider in response to geopolitical sanctions, exposing the vulnerability of critical infrastructure to external service disruptions.
The Ministry of Electronics and Information Technology (MeitY) has an existing empanelment framework for cloud service providers; the new direction seeks to preference Indian-domiciled providers within this framework for sensitive and critical workloads.
Approximately 70% of Indian organisations currently host critical workloads on foreign cloud platforms, indicating a significant transition challenge.
India's installed data centre capacity is projected to grow from about 1,280 MW today to over 8 GW by 2030, with domestic providers expected to capture a larger share as policy directives tighten.

Static Topic Bridges

Critical Information Infrastructure (CII) Protection

Critical Information Infrastructure refers to computer resources the disruption of which would severely affect national security, economy, public health, or safety. Under the Information Technology Act, 2000 (Section 70), the government is empowered to declare any computer resource as a 'protected system', and Section 70A empowers designation of a National Critical Information Infrastructure Protection Centre (NCIIPC).

NCIIPC (under NTRO) is the designated body to protect CII in India.
Sectors designated as CII include power, banking, telecom, transport, e-governance, and defence.
Foreign-hosted infrastructure creates a jurisdictional gap — data and services may be subject to another country's legal orders.

Connection to this news: The sovereign cloud policy directly addresses the vulnerability of CII by reducing dependence on foreign cloud providers for sectors like energy and banking.

Data Localisation and the Digital Personal Data Protection Act (DPDPA), 2023

Data localisation refers to requirements that data about a nation's residents be collected, processed, or stored within the country. India's DPDPA 2023 empowers the central government to restrict cross-border transfer of personal data to certain countries or territories via a 'whitelist' or 'blacklist' mechanism (Section 16). This interacts with MeitY's cloud empanelment framework, which already mandates data residency in India for government data.

MeitY empanelment requires compliance with ISO 27001, ISO 27017, ISO 27018, and ISO 20000-1 standards.
Current empanelment covers IaaS, PaaS, and SaaS categories.
Domestic cloud providers like TCS SovereignSecure Cloud have launched offerings aligned with India's data localisation needs.

Connection to this news: Pushing critical sectors toward Indian cloud platforms reinforces data localisation in practice, reducing the likelihood of foreign jurisdiction over sensitive national data.

MeitY Cloud Service Empanelment Framework

MeitY operates a formal empanelment process that qualifies cloud service providers for procurement by central and state government bodies, PSUs, nationalised banks, and financial institutions. Audit is carried out by the Standardisation Testing and Quality Certification (STQC) directorate.

Empanelment is a prerequisite for government cloud procurement.
Providers must demonstrate data residency within India, certifications, and audit readiness.
The framework does not currently mandate Indian ownership — foreign providers with Indian data centres (like AWS Mumbai) have been empanelled.

Connection to this news: The new policy direction goes further by preferring Indian-owned and operated clouds, a step beyond data residency to ownership and control of the underlying infrastructure.

Technological Sovereignty

Technological sovereignty is the capacity of a state or community to make independent choices about the technology it uses, develop, and maintain. It is increasingly viewed as an extension of national security strategy, especially as cloud computing becomes foundational to economic activity.

The geopolitical dimension: foreign cloud providers can be subject to sanctions regimes, export controls, or governmental orders from their home jurisdiction.
India's National Cybersecurity Policy and the NCIIPC mandate seek to reduce such dependencies.
Countries like France (GAIA-X) and China have pursued sovereign cloud architectures at national scale.

Connection to this news: The 'Made in India' cloud initiative is India's articulation of technological sovereignty, ensuring that critical sector operations remain insulated from foreign geopolitical decisions.

Key Facts & Data

India's data centre capacity: ~1,280 MW (2026); projected >8 GW by 2030.
~70% of critical workloads in Indian organisations hosted on foreign cloud platforms as of 2026.
MeitY empanelment standards include ISO 27001:2017, ISO 27017:2015, ISO 27018:2019, ISO 20000-1:2018.
IT Act 2000, Section 70: authorises designation of 'protected systems'; Section 70A: establishes NCIIPC.
DPDPA 2023, Section 16: governs cross-border data transfer restrictions.
India's National Critical Information Infrastructure Protection Centre (NCIIPC) operates under NTRO (National Technical Research Organisation).
Sectors covered under CII: power, banking, telecom, transport, e-governance, defence.