By Rishi Agrawal, CEO and Co founder of Teamlease Regtech
India’s digital economy is growing at an unprecedented rate. This growth brings an urgent need to ensure that the infrastructure underpinning it is both resilient and sovereign. At the heart of this conversation lies data localisation, which ensures that critical data resides in the country, governed by domestic law.
Over the past few years, India has taken myriad but measured steps to shape data localisation legislation. The Companies Act, 2013, and the Companies (Accounts) Rules, 2014, require organisations to maintain financial records at their registered offices in India. The Reserve Bank of India’s 2018 directive, under the Payment and Settlement Systems Act, 2007, mandates that payment data be stored locally. Additionally, SEBI requires financial data related to Indian investors, such as trading records and sensitive information, to be stored in India. Similarly, the IRDAI (Maintenance of Insurance Records) Regulation, 2015, requires insurance companies to store their records within Indian borders, ensuring compliance with local regulations. Under the National Digital Health Mission (NDHM), all health data generated as part of healthcare services and digital health records must be stored in India. The Consumer Protection (E-Commerce) Rules, 2020, mandate that data generated by e-commerce platforms be stored in India to safeguard the interests of Indian consumers. The proposed Digital Information Security in Healthcare Act (DISHA) aims to protect the privacy and security of digital health data and requires localising sensitive health data in India. Most recently, the DPDPA, 2023, introduced a framework allowing cross-border data transfers only to countries notified by the Union government, effectively giving the state strategic oversight.
However, there is still no overarching localisation law that applies uniformly across sectors. The result is a patchwork of compliance obligations, clear in some domains but ambiguous in many others, creating uncertainty and inconsistency in interpretation and enforcement.
This legal ambiguity makes Indian businesses vulnerable to decisions by foreign technology vendors, whose actions are often influenced by domestic legal landscapes, trade policies, or geopolitical constraints. Whether it’s a cloud service provider responding to a regulatory order overseas or a platform revising its terms of service due to international events, the operational consequences for Indian enterprises can be immediate and severe. Risks range from abrupt service suspensions and data access restrictions to reputational damage and regulatory non-compliance within India. For firms in regulated or strategic sectors, such as healthcare, finance, energy, defence, or logistics, these disruptions can halt core operations. Even startups and small and medium enterprises, which rely heavily on foreign cloud infrastructure for scale and affordability, are not immune. In essence, the risk profile of Indian firms today includes a new vector: acute dependence on external jurisdictions for uninterrupted digital services.
It is high time Indian enterprises moved beyond convenience-led procurement strategies and adopted resilience-by-design frameworks. Vendor due diligence must not only include technical evaluation but also assess geopolitical exposure and legal liabilities. Contracts with foreign service providers should explicitly address jurisdictional risks, data portability, and designate Indian law as the governing legislation. Businesses should consider adopting hybrid or multi-cloud strategies that include domestic cloud players, enabling multiple options and greater control over critical functions. Additionally, for sensitive data and operations, localisation should not merely follow regulatory mandates but become part of internal policy, with onshore backups, disaster recovery systems, and secure data mirroring by default. Sector-specific industry associations and regulators must collaborate to establish best practices, conduct periodic digital stress tests, and simulate cross-border service disruptions as part of enterprise risk management. Most importantly, adopting effective technology solutions can streamline the tracking of updates, automate document generation, and facilitate efficient filings, keeping companies ahead of compliance requirements.
India stands at a digital inflection point. As the country embraces global integration, the far-reaching vision of digital sovereignty must not be lost. A clear, sector-agnostic localisation framework will protect Indian businesses from external shocks and build confidence in India’s digital ecosystem. This should be backed by robust domestic infrastructure and policy incentives. Together, these steps can make the country self-sufficient and enhance the Digital Public Infrastructure, enabling a bolder vision of Digital India.