Picture an ordinary Tuesday a few years from now.

India has done nothing dramatic. It has carried on doing what it has done for years, buying discounted crude where it can find it, declining to sign on to a sanctions framework written in other capitals, and insisting that its foreign policy gets decided in New Delhi. None of that is illegal. All of it is sovereign. Somewhere in Washington or Brussels, a compliance committee, an export-control desk, or a national-security memo concludes that this independence carries a price.

The cost does not take the form of a missile or a blockade. It shows up as a login screen that will not load.

By nine in the morning, employees at a large refiner cannot open their email. By ten, a hospital chain finds its cloud-hosted patient records unreachable and its scheduling system frozen. Court clerks in three High Courts cannot retrieve filings. A state secretariat loses email continuity in the middle of an exchange. The spreadsheet that runs a logistics company’s entire dispatch schedule refuses to open. The AI tools that thousands of developers and analysts had built into their daily work return errors. An app used by thirty million citizens for a government service quietly disappears from a store managed on another continent. Bank back-offices running on a foreign enterprise suite slow to a crawl. Maps stop routing. The cloud console that controls all of it asks for credentials that no longer work.

That scenario is not fiction. It extrapolates from events that have already occurred.

Two warnings, six months apart

The first case came from an unglamorous corner of the technology stack: office email.

In July 2025 the European Union placed Nayara Energy on its eighteenth package of Russia-related sanctions, largely because Russia’s Rosneft holds a stake of just under fifty per cent in the Indian refiner. Microsoft then suspended services to Nayara, reportedly cutting access to Outlook, Teams, and the company’s own hosted data, even though neither US nor Indian law required an American company to enforce an EU designation. Nayara’s licences were paid in full. The company called the move abrupt and unilateral, taken “under the guise of compliance” and without prior notice, and went to the Delhi High Court seeking an injunction to restore access to its own digital infrastructure. The court issued notice, and Microsoft restored services two days later, before the scheduled hearing. During the interval, the refiner reported logistics disruptions and cancelled cargo pickups at its Vadinar port.

Once the specifics are set aside, the lesson stands out. A company that operates in India and serves its energy economy lost access to the systems it runs on for several days, with every licence paid in full, because of a regulatory judgement made on another continent. The dispute ended within days. The underlying weakness remained.

The second case sits at the opposite end of the stack, in frontier artificial intelligence. It is only days old.

On 12 June 2026 Anthropic disabled its two most capable AI models, Claude Fable 5 and Claude Mythos 5, to comply with a US export-control directive that cited national-security authorities. According to reporting in the Wall Street Journal, Commerce Secretary Howard Lutnick had written to Anthropic’s chief executive, Dario Amodei. The order was broad. It told the company to suspend access for any foreign national, inside or outside the United States, including its own non-citizen staff. To comply, Anthropic switched the models off for everyone. They had been publicly available for three days.

Officials raised a cybersecurity concern. The models, on this account, could be pushed into finding software vulnerabilities useful for attacks on banks, government networks and other critical infrastructure, reportedly after agencies learned of a jailbreaking method. Anthropic disputed the directive. It said the vulnerabilities involved were minor and already known to other public models, and that such a standard would freeze frontier AI deployment across the whole industry. The episode followed months of friction between the company and the administration, including a Pentagon decision to label Anthropic a supply-chain risk after it declined certain surveillance and autonomous-weapons uses.

For India the timing was poor. India is reportedly Anthropic’s second-largest market. One large IT services firm had been training fifty thousand employees on the models. Another had recently begun collaborations. Thousands of developers spent the weekend migrating applications, and several startups paused launches that depended on features no longer available. The reaction in India came quickly. Zoho’s founder Sridhar Vembu called it a wake-up call and declared that “globalisation is dead”, urging India to build its own AI and, in the meantime, to lean on smaller Indian and Chinese open-source models. The investor Mohandas Pai went further, calling for an annual AI fund several times the size of India’s existing commitments. Venture investors began advising portfolio companies to reduce their exposure to a handful of foreign frontier providers.

The two cases differ in almost every detail except the one that matters. Nayara lost ordinary office email. India’s developers lost the most advanced AI models on the market. In each case the switch was thrown from abroad, for reasons unrelated to whether the Indian customer had paid or broken any law. Control over that switch sits outside the country at every level of the stack, from the mundane to the cutting edge.

The map of dependence

India’s digital dependence runs in layers. Each layer concentrates in a small number of foreign firms.

At the surface sit the productivity and consumer platforms of daily work: Microsoft 365 and Google Workspace, the leading browser, the two mobile operating systems, the default search engine and map. Beneath them run the enterprise systems that keep the economy moving, such as SAP and Oracle. Lower still is the cloud itself, where a data centre in Mumbai or Chennai can hold Indian data while its control plane, billing relationship and product roadmap stay foreign. The AI layer sits on top of that, and the deepest layers, telecom equipment, semiconductors, app stores and cybersecurity tools, sit underneath everything.

One large country treated the problem seriously about a decade ago, and its approach is worth studying despite its politics. China built domestic substitutes at almost every layer, as the comparison below sets out.

China’s censorship, surveillance and closed internet deserve rejection, and India tends to reject them. The strategic logic underneath still holds. Beijing declined to let foreign platforms become permanent dependencies before domestic alternatives existed.

The risk for India lies less in any single company. Microsoft was not the villain of the Nayara case, and Anthropic clearly preferred a different outcome in its own. The risk lies in concentration. When millions of users, thousands of firms and whole critical sectors rely on the same few platforms, the system gains efficiency and loses resilience at the same time. A single dominant supplier works well until the day it withdraws.

India’s route should differ. It can remain democratic, open, interoperable and globally connected while reducing its exposure. The aim is continuity under pressure rather than isolation.

A familiar pattern of denial

One part of the record should reduce anxiety rather than raise it. The current situation repeats a long-standing feature of independent India’s technological history. On most past occasions when access was denied, India eventually built the capability itself.

The closest parallel to the present AI situation is almost four decades old. During the 1980s India needed high-performance computing for tasks that included weather forecasting. The United States blocked export of a Cray supercomputer, on the grounds that the same machine could model weapons. India responded in 1988 by setting up the Centre for Development of Advanced Computing. By 1991 C-DAC had built the PARAM 8000, an indigenous parallel supercomputer that later grew into a family of machines. A civilian requirement was refused on dual-use suspicion, and the refusal created a domestic capability that had not existed before.

Space technology followed a similar course. India signed an agreement with Russia’s Glavkosmos in 1991 for cryogenic rocket-engine technology to power its satellite launch vehicle. Washington imposed sanctions in 1992 under missile-technology-control rules, and Russia later limited the transfer of know-how under pressure. India argued, with reason, that the engines were meant for civilian satellites used in weather forecasting, telecommunications and resource mapping. It spent close to two decades developing its own cryogenic engine and flew a fully indigenous version successfully in 2014. The denial delayed India’s heavy-lift capability by years while pushing the country to develop it independently.

Navigation produced perhaps the sharpest example. During the 1999 Kargil conflict India sought GPS data for the high-altitude terrain, and the US-controlled system withheld it. Positioning, mapping and location turned out to be strategic infrastructure rather than neutral utilities, available in calm periods and conditional in a crisis. That experience became one of the reasons India built NavIC, its own regional satellite navigation system.

The United States widened the approach after the Pokhran-II tests of 1998, adding dozens of Indian scientific and defence entities to its Entity List and tightening controls on high-performance computers and other dual-use technology. Many of those entities were removed about two years later as the restrictions narrowed. An older case ran in the background. After the 1974 nuclear test, the promised supply of fuel for the Tarapur reactor became tied to supplier-country politics, and India turned to other sources to keep the plant running.

The list runs from uranium to rocket engines to supercomputers to GPS, and now to AI models, cloud accounts and office suites. The specific technology changes each time. The underlying risk stays the same. A capability that a society depends on can be withheld at the moment of greatest need, by firms answerable to a foreign government.

The response has been just as consistent. PARAM exists because a Cray never arrived. India’s cryogenic engine grew out of a blocked transfer. NavIC owes part of its origin to the GPS data withheld at Kargil. Technology denial has worked, oddly, as one of the more reliable spurs to research and development in India’s history. The events of the past year carry that same opportunity alongside the embarrassment.

Where India has built its own

India already holds working sovereign capability in several areas, much of it operating at population scale.

Payments offer the clearest case. The Unified Payments Interface now ranks as the world’s largest real-time retail payments system, handling billions of transactions a month and reducing everyday reliance on foreign card networks. Together with RuPay and the public infrastructure of Aadhaar, DigiLocker and CoWIN, it shows that India can design and run platforms for more than a billion people.

Zoho matters for a different reason. Most of India’s IT services firms build software for foreign clients. Zoho instead owns its full product stack and runs its core workloads on its own servers rather than on a foreign cloud. The company is bootstrapped and profitable, competes with Microsoft and Google on features as well as price, and earns most of its revenue overseas. It shows that India can build finished software products rather than only supply technical labour.

The telecom stack has started to loosen a long-standing import monopoly. BSNL now runs an indigenous 4G stack built by TCS, C-DOT and Tejas Networks across tens of thousands of towers, with an O-RAN-compliant 5G effort and an open-source platform from leading institutes in development. A domestic video-conferencing platform, created through a government challenge, serves several High Courts.

The real weakness lies in adoption rather than capability. India often builds a domestic alternative, then treats the foreign default as inevitable. A platform exists, yet procurement renews the incumbent supplier. Ministerial endorsement of the Indian option has not displaced the habit and network effects that keep users on the global one. The distance between what the country can build and what it actually uses now counts as a security problem rather than a question of market share.

From access to assurance, and the leakage problem

India needs a working doctrine of digital sovereignty rather than a slogan. It can be set out plainly.

First, classify digital systems by sovereign criticality. Email and documents for a small private firm are ordinary business tools, while the same software running a refinery, a port, a power grid, a court, a hospital network or a state administration counts as critical infrastructure and deserves different rules. Second, mandate exitability, so that every critical organisation can export its data, documents and workflows in usable formats within a defined window, and no institution gets trapped in a system it cannot leave. Third, require tested continuity plans: fallback arrangements for email, identity, communication and operational records, whether built on Indian commercial platforms, open-source deployments or government clouds. The test there is practical rather than ideological, namely whether the institution keeps functioning when the primary vendor stops responding. Fourth, give procurement preference to credible domestic alternatives wherever they genuinely meet the bar.

Fifth, separate convenience from criticality. A foreign tool can be a sensible choice for marketing automation and a poor one as the sole operating backbone of a strategic national asset. Sixth, accelerate sovereign AI, meaning compute, models, datasets and evaluation standards strong enough to serve critical needs when foreign access is restricted. Seventh, rehearse failure. India runs military exercises and disaster simulations, and it can run national digital resilience drills in the same spirit, deliberately staging cloud lockouts, API withdrawals, app-store removals and enterprise-software outages before a real crisis does.

On the sixth point, India already has a live debate worth holding in the open. One camp, led by investors such as Mohandas Pai, argues for a national mission several times larger than today’s commitments, running into tens of billions of dollars across funds, credit guarantees, hardware and semiconductors. Another, voiced by Sridhar Vembu, cautions that spending tens of billions is the wrong instinct, and that patient research plus heavy use of open-source models can carry India much of the way. Both positions hold some truth. The point is that the choice has become urgent enough to argue about.

Most proposals for sovereignty skip the next part. Once words like “sovereign”, “swadeshi”, “indigenous” and “strategic” turn into procurement keywords, they attract the wrong applicants. A national effort of this kind tends to draw rent-seekers in its early years. Well-connected firms may wrap a thin Indian shell around foreign software and present it as homegrown. Others may win protected contracts through patronage rather than performance, build subsidised products that never face real competition, then lobby to make the protection permanent. India saw a version of this in earlier decades of protected industry, when closed markets often produced captive monopolies with little reason to improve. Any claim that a sovereignty programme will stay clean from the first day deserves scepticism. Some leakage is likely.

Leakage argues for discipline rather than retreat. Most large strategic projects, from railways to telecom to defence manufacturing, lost something to opportunists in their early stages. The projects that lasted were the ones whose rules gradually reduced that loss. The safeguards here are reasonably well understood. Preference should track performance rather than identity, triggered only when a product clears published benchmarks for security, uptime, interoperability and usability, so that a label alone earns nothing. Open standards and genuine data portability should be mandatory, which keeps the country from trading a foreign lock-in for a domestic one and makes white-labelling easier to detect. Open-source deployments deserve preference where practical, since auditable code is harder to fake and harder to capture quietly. India could adopt Vembu’s suggestion of transparent, independent annual evaluations of national capability across critical technology sectors, so that public claims can be measured against published results. Every form of protection should carry a sunset clause, so that support ends once domestic firms can compete rather than continuing as a permanent subsidy. Procurement should run in the open, with published criteria and audit trails, which leaves less room for patronage.

With that discipline in place, early leakage becomes a cost of building rather than a permanent feature. Without it, India risks swapping foreign dependence for domestic extraction, an outcome arguably worse, since the foreign supplier at least delivered a working product.

Sovereignty is the ability to continue

The test of sovereignty has little to do with using foreign technology in normal conditions, which any country can manage. The real test is whether India keeps operating when conditions change, when a foreign court, a sanctions package, an export-control desk or a company’s compliance team acts for reasons unrelated to India’s interests.

Nayara delivered a warning at the enterprise layer, and Anthropic delivered one at the AI layer. The next case may come from cloud, chips, app stores, operating systems, maps or browsers. It will probably resemble the last two, arriving not as an invasion but as a service that stops responding.

The next phase of Digital India has to shift from access to assurance. Access concerns whether citizens and businesses can use digital tools. Assurance concerns whether the country keeps running once those tools are withdrawn, sanctioned, degraded or attacked. India can keep using Microsoft, Google, Amazon, Apple and Anthropic, and it should keep using the best products available. The change required is to stop treating a paid subscription as a form of sovereign control.

The lesson is short. A capability that cannot be operated under stress is not truly owned. A nation would do well to avoid making any such capability indispensable.