Hidden Systematic Risks In Your Digital Stack
BONUS: A Practical Guide to SEBI’s CSCRF Compliance
On July 22, Microsoft suspended access to its services for Nayara Energy, cutting off platforms like Outlook, Teams, and SharePoint. The move came in response to the European Union’s latest sanctions targeting Russian interests over the Ukraine conflict.
While Nayara is based in India and operates locally, Microsoft enforced the EU sanctions globally. The company cited Nayara’s ownership structure (a 49.13% stake belongs to Rosneft, a Russian state-controlled energy firm) as falling within the scope of the new restrictions. Despite Nayara not being directly named, Microsoft interpreted the sanctions as applying to entities with substantial Russian state affiliation, irrespective of jurisdiction.
A critical point to note: the suspension came without prior notice to Nayara. It also occurred without input from Indian regulators or any adjudication by an Indian court. Nayara’s employees lost access to standard enterprise systems overnight. As a workaround, the company tried moving to the archaic Rediff.com to maintain internal email functionality. However, access to historical records and data stored in Microsoft’s cloud environment remained unavailable. Thus, Nayara filed a petition in the Delhi High Court. Microsoft restored services before the case could proceed and…the petition was withdrawn.
This event is significant because it reveals a governance gap: multinational vendors may enforce legal obligations from jurisdictions such as the EU or the U.S. across global operations, including in India. This can affect Indian entities, even if the local legal framework does not support or require such enforcement.
Nayara’s situation illustrates that a small number of foreign cloud and software providers hold administrative control over access to essential digital services. In effect, this creates the possibility of a service suspension or “kill switch” situation being activated without local oversight. While this was an isolated case in the energy sector, the implications are relevant for India’s financial services ecosystem, which relies heavily on global cloud and software infrastructure.
India has introduced data localization frameworks to improve regulatory oversight and protect data sovereignty. The RBI’s 2018 mandate requires payment system operators to store all data within India. The Digital Personal Data Protection (DPDP) Act establishes a framework for government oversight of data transfers. SEBI has considered similar proposals for market infrastructure institutions. However, these efforts primarily address the location of data. They do not address who controls the software or service interface that provides access to that data.
Access denial caused by sanctions compliance, contract disputes, or risk assessments by service providers poses a direct continuity risk for financial firms. Institutions cannot assume uninterrupted access based solely on local data storage.
From a risk management perspective, firms should conduct a full audit of their digital infrastructure. This includes identifying all critical cloud services, mapping control and jurisdictional exposure, and reviewing failover protocols. In particular, business continuity planning should include legal or policy-driven service suspensions.
Legal departments should reassess contractual arrangements with cloud and software providers. Contracts should include clear provisions on service continuity, jurisdiction, access to data backups, and dispute resolution. Source code and data escrow provisions should be considered for mission-critical applications.
From a policy standpoint, there is room for proactive measures. The RBI-owned Indian Financial Technology & Allied Services (IFTAS) already manages shared infrastructure for banks. Its mandate could be expanded to include sovereign-grade cloud hosting and application support for the financial sector. A framework modeled on Europe’s GAIA-X initiative could ensure interoperability across providers while maintaining regulatory control.
This is not an argument against using global technology providers. Their capabilities and scale are valuable.
However, reliance without safeguards introduces systemic exposure.
The financial system requires a foundation that can operate independently if external factors disrupt service.
Nayara’s experience reveals a real scenario in which access to digital infrastructure was suspended. It underscores the importance of preemptive governance. For the financial sector, which operates under strict regulatory timelines and market interdependence, the risks of such disruption could be materially higher.
BONUS: A Practical Guide to SEBI’s CSCRF Compliance
Together with AIF Services and Taghash, we’ve co-authored a new e-book on implementing SEBI’s Cybersecurity and Cyber Resilience Framework. While the framework applies broadly to all regulated entities, our focus is on AIF Category I and II funds, which were recently brought within its scope. The e-book offers a practical interpretation of the framework and outlines actionable steps for compliance.