How Microsoft Unplugged an Indian Giant – When sanctions, software, and sovereignty collided


In July 2025, Nayara Energy, one of India’s largest private refiners, suddenly lost access to its corporate digital infrastructure. Outlook, Teams, cloud data systems, everything went dark. The disruption was not caused by any violation of Indian law. It was triggered by a decision inside Microsoft’s compliance division, reacting to an EU sanctions update.

Rosneft, which holds a 49.13 percent stake in Nayara, had been added to the EU’s sanctions list. Although Nayara itself was not sanctioned, Microsoft interpreted the link as grounds to suspend services. There was no prior notice. No Indian court order. No domestic legal process.

Emails could not be retrieved. Historical data was locked. Internal communication had to shift to Rediffmail. Tankers were turned away at ports. Business continuity was disrupted.

Nayara approached the Delhi High Court. Microsoft restored access just before the matter was heard. The case was withdrawn. But the incident had already set a precedent.

This was not a technical glitch. It was a compliance-triggered blackout, enforced by a foreign private actor. A decision made outside Indian jurisdiction had the power to suspend a critical Indian company’s operations.

This is not the first time global infrastructure owners have acted without court orders. In 2021, AWS de-platformed Parler. In 2022, Google cut off Huawei. That same year, Microsoft disabled the ICC prosecutor’s email access. These are not acts of state enforcement. They are corporate risk calculations, implemented through licensing clauses and software logic.

India’s own digital backbone remains vulnerable. Our public systems, from CoWIN to DigiLocker, operate on infrastructure that is licensed, governed, or hosted abroad. Most of our fintech and startup ecosystems are similarly dependent.

Other countries are beginning to respond. France and the Netherlands are encouraging governments to move off US-based hyperscalers. Germany is exploring sovereign cloud frameworks. Iran attempted to build its own. However, India has not even acknowledged the risk.

Nayara was not accused of any wrongdoing. It was affected simply because of proximity to a sanctioned entity. This time, it was a refinery. The next time, it could be a hospital chain, a port, or a stock exchange.

Final Thought: For all the talk of data being the new oil, this incident shows that oil now reports to data. And data, in turn, is governed not by courts or countries, but by licensing terms and commercial risk matrices. Until India treats its cloud infrastructure as a matter of strategic priority, we will remain at the mercy of systems that we do not control.

The question is no longer abstract: Who holds the kill switch?
