Welcome to the New World of Risk: Wake-up Call for Digital India Inc?

The abrupt suspension of Microsoft services to Nayara Energy—over EU sanctions tied to its Russian shareholder—has exposed a critical vulnerability in India’s digital infrastructure. Despite holding fully paid licences, Nayara was locked out of essential tools and data, raising urgent concerns about digital sovereignty and operational continuity. The broader risks that Indian enterprises face when reliant on foreign tech platforms make a compelling case for strategic digital independence in an era of escalating geopolitical tensions.

Microsoft recently restored services to Nayara Energy, an Indian oil and gas company, after suspending them due to European Union sanctions. Nayara runs India’s second-largest private refinery at Vadinar in the state of Gujarat and operates over 6,750 fuel stations. The sanctions were imposed by the EU over its Russian shareholder Rosneft’s links to Moscow. Nayara described Microsoft’s decision as a threat to India’s digital and energy security.

Microsoft had restricted Nayara Energy’s access to its own data, proprietary tools, and products – despite these being acquired under fully paid-up licences. The suspension, which began on July 22nd, also cut off services like Outlook and Teams. Nayara, 49.13% owned by Russian state-run Rosneft, challenged the suspension in the Delhi High Court, arguing Microsoft’s actions were unilateral and not required under US or Indian law. Services were restored ahead of the court hearing.

Retired Indian Army Colonel Hunny Bakshi raised the alarm over India’s dependency on foreign digital infrastructure. Posting on X, Bakshi said, “Microsoft blocks access!! Now just think, it’s a hot war situation. Our total reliability on the foreign Operating system. Grand Daddy decides to place sanctions on us as we are fighting his love child. Your entire ICT goes phuttt. To lead, u need ur own secure ICT”.

While the exact amount of Indian government data hosted on America’s Microsoft, Google, and Amazon cloud services is not publicly specified, all three companies are known to have a significant presence and are actively used by various government departments. Amazon Web Services (AWS) is a major player and a key partner for the Indian government, providing cloud services across multiple sectors; it is followed by Azure and Google Cloud. Over 100 government departments are reported to use Microsoft’s cloud services, and many states and union territories utilize them. Google is also actively working with the Indian government to provide cloud services, particularly in the public sector.

The Indian government needs to urgently review its position and act to hedge its vulnerability. Nic Adams, Co-Founder and CEO of 0rcus, a cyber security firm, has penned some thoughts on the new perspective emerging from this geopolitical risk, which is affecting enterprises across the globe.

The immediate operational risks for an enterprise subjected to an abrupt cessation of cloud services include comprehensive data inaccessibility, rendering mission-critical applications non-functional and paralyzing business processes dependent on the cloud infrastructure. This translates into immediate revenue loss due to service disruption, impaired customer relations from inability to fulfill commitments, and severe reputational damage. Strategically, such an event exposes fundamental vulnerabilities in the enterprise’s digital supply chain, highlighting an over-reliance on single points of failure.

It can trigger an immediate re-evaluation of digital transformation initiatives, prompting a shift towards hybrid or multi-cloud architectures, and forcing significant, unplanned capital expenditure for rapid on-premises or alternative cloud infrastructure deployment. Furthermore, intellectual property and sensitive operational data, if not adequately replicated off-platform, face an immediate exfiltration risk or permanent loss, undermining competitive advantage and long-term viability.

Organizations must rigorously assess hyperscaler dependency as an integral component of their enterprise risk management (ERM) framework, extending beyond traditional financial and operational risks to encompass geopolitical and regulatory vectors. This requires a comprehensive inventory of all cloud-hosted assets, including data, applications, and computational resources, mapped against their criticality to business continuity and revenue generation. Quantitative risk assessment methodologies should be employed to model the financial impact of various outage scenarios, including service degradation, data loss, and complete service termination. This necessitates an evaluation of each hyperscaler’s global operational footprint, regulatory compliance posture across jurisdictions, and geopolitical exposure, including their home country’s foreign policy and sanction regimes. A crucial element involves assessing data sovereignty implications and the legal recourse available under differing contractual and international legal frameworks.

To mitigate the impact of geopolitical or compliance-driven service suspensions, IT leaders must proactively implement a robust data portability, backup, and continuity strategy. This involves establishing geographically dispersed, redundant data architectures utilizing a multi-cloud or hybrid-cloud approach, ensuring that critical datasets are replicated asynchronously across disparate hyperscalers or secure on-premises environments. Employment of vendor-agnostic data formats and open-source tooling for data management facilitates portability. Regular, automated backups, coupled with comprehensive recovery point objective (RPO) and recovery time objective (RTO) targets, must be rigorously tested through simulated service termination drills. Furthermore, establishing “dark” or standby infrastructure with alternative providers, capable of rapid activation, is imperative to maintain critical operational functions during a primary service disruption. This also extends to maintaining local copies of essential software licenses and configuration data.

While contingency planning for general vendor service termination is a standard practice within mature enterprise risk management frameworks, specific contingency plans addressing termination due to sanctions or geopolitical regulatory actions remain less prevalent, particularly among organizations operating outside highly regulated sectors such as finance or defense. Many enterprises historically focused on commercial breach or performance failure as primary termination triggers, often overlooking the escalating risks posed by international relations and sovereign decrees. The Nayara Energy incident underscores a systemic deficiency in holistic vendor risk assessments, revealing that the “unknown unknowns” of geopolitical leverage on commercial agreements are frequently underestimated or entirely absent from traditional business continuity and disaster recovery (BCDR) protocols. This represents a significant gap in resilience strategy for globally integrated enterprises.

Service-level agreements (SLAs) and comprehensive contractual terms are paramount in defining the parameters of service provision and termination, yet their efficacy in insulating customers from abrupt, geopolitically driven service cutoffs is inherently limited. While robust SLAs can specify performance metrics, uptime guarantees, and clear escalation paths for disputes, they typically operate within the legal and regulatory framework of the provider’s domicile. Force majeure clauses, often invoked during unforeseen circumstances, may encompass governmental actions, effectively absolving providers of liability for sanction-induced service terminations. Therefore, while contractual agreements should explicitly detail notice periods, data return protocols, and financial remedies for termination not related to sovereign directives, they cannot fully negate the sovereign power to compel or restrict commercial activity. The true protection lies in architectural resilience and diversified dependency, rather than purely contractual assurances.

Balancing the economic and operational benefits of integrated cloud ecosystems with the imperative for resilience and vendor independence necessitates a strategic hybrid and multi-cloud architectural paradigm. Enterprises should leverage the specialized services and economies of scale offered by hyperscalers for non-critical or horizontally scalable workloads, optimizing cost and innovation. Concurrently, mission-critical applications and sensitive data should be architected for portability across multiple cloud providers or maintain a significant on-premises footprint, employing containerization, microservices, and API-driven development to abstract infrastructure dependencies. This involves a calculated trade-off between the depth of integration into a single ecosystem’s proprietary services and the agility to migrate or failover. Investing in robust cloud management platforms, data orchestration tools, and comprehensive cybersecurity frameworks that span heterogeneous environments is crucial to managing this complexity effectively.

Mandating advance warnings from tech providers before service suspension due to geopolitical reasons is ethically and economically imperative, though legally complex given the sovereign nature of sanction imposition. A responsible transition process would entail a tiered notification protocol: initial confidential advisories to affected clients upon the imminence of potential sanctions, followed by formal notification upon official decree. This should include a clearly defined grace period, ideally 90-180 days, during which the provider facilitates data exfiltration in common, open formats, offers technical assistance for migration, and ensures continued, albeit potentially degraded, service for essential data transfer operations. This transition period is vital for minimizing systemic shocks to the global economy, preserving customer data integrity, and upholding principles of fair commercial practice, even under duress of international policy. However, the practical implementation remains challenging when national security imperatives dictate immediate action.

The Nayara-Microsoft episode serves as a stark reminder of the vulnerabilities Indian enterprises face in an increasingly globalised yet geopolitically fragmented digital ecosystem. As strategic sectors such as energy, defence, and infrastructure become more reliant on foreign tech platforms, the potential for abrupt service disruptions due to external political pressures cannot be ignored. This incident underscores the urgent need for India Inc. to re-evaluate digital sovereignty, diversify technology dependencies, and build resilient alternatives—before the next geopolitical fault line threatens business continuity and national interests.

The author is GB Singh, Editor SECURITY TODAY
