Last July, Microsoft suspended Outlook, Teams, and cloud storage for Nayara Energy — India’s second-largest private refiner, handling 8% of national refining capacity. The trigger was EU sanctions linked to Rosneft’s ownership stake. Neither Indian law nor US law required Microsoft to act. The company made its own call on EU directives.
No prior notice. No due process.
Nayara went to the Delhi High Court. Hours before the hearing, Microsoft restored access. But for six days, a company operating critical national energy infrastructure could not access its own email.
Then SAP cut off Nayara’s ERP system. Accounting, procurement, supply chain, invoicing, tax compliance — across a 20-million-ton refinery and 7,000 petrol pumps. Gone. SAP’s advocate told the court that its officials “would end up in a German jail” if they restored services.
Nayara’s response in court: “I cannot invoice because my entire accounting is through SAP. I can’t make a manual change.”
The Delhi High Court denied relief. SAP’s suspension stood.
An Indian company operating critical national infrastructure — unable to generate an invoice, unable to meet GST deadlines — because a German software company was enforcing European sanctions that Indian law did not recognise.
The lesson nobody drew
Email. ERP. Invoices. GST filings. These are not exotic technologies. Every business runs on them. And every one of them was taken away from Nayara by a company headquartered in another country, enforcing another country’s law.
Some will read the Nayara story as a sanctions case. It is. But that is not the point.
The specific trigger changes. Sanctions, export controls, cybersecurity directives, political pressure. The dependency does not.
Cloud systems are often the rational choice. The mistake is assuming that dependency carries no strategic cost.
When things are normal, the cost is invisible. You get better uptime, faster updates, lower capex. The trade-off looks clean. But the trade-off includes a clause nobody reads: access is subject to the legal and political framework of the country where the vendor is incorporated. Not your country. Theirs.
And yesterday, it happened to AI
On Thursday evening, Anthropic received a directive from the US government citing national security. By nightfall, Fable 5 and Mythos 5 — the most capable commercial AI models deployed anywhere — had their access abruptly suspended globally.
The trigger was a narrow jailbreak. Someone figured out how to get the model to read a codebase and flag vulnerabilities. Anthropic says the capability “is widely available from other models, and is used every day by the defenders who keep systems safe.”
Did not matter. The models were pulled. Hundreds of millions of users. No notice.
The directive covers “any foreign national, whether inside or outside the United States.” Any bank in Mumbai running contract analysis through Claude’s API could lose access because of a letter delivered to a San Francisco office at 5:21pm.
Anthropic itself disagrees. They wrote: “If this standard was applied across the industry, we believe it would essentially halt all new model deployments for all frontier model providers.” The company that built the model is telling you the rules are unworkable. They complied anyway, because they had to.
Nayara lost its email and invoicing. Now enterprises are losing their AI. The pattern is the same. The stakes are escalating.
What this means
The overwhelming majority of India’s enterprise cloud infrastructure is controlled by US-headquartered providers. AWS, Microsoft Azure, and Google Cloud dominate the market. Enterprise AI runs on US-hosted APIs. ERP and accounting systems are governed by European parent companies. And the operating system running most of India’s government and enterprise desktops is built by the same American company that just demonstrated — with Nayara — that access can be suspended because of legal obligations outside India.
The dependency runs all the way down the stack. Cloud. AI. ERP. Email. And the OS underneath all of it.
Most of the time, this dependency is economically rational. The question is whether it is being consciously managed.
India does not let foreign governments control its power grid. Or its telecom backbone. Or its defence systems. But we are comfortable letting them control the software layer that increasingly runs everything else.
For governments, this is a strategic autonomy question. For companies, it is a risk-pricing question. The expected value of cloud might be higher on any given Tuesday. But the tail risk — your AI stops working, your ERP goes dark, your invoicing freezes, because of a geopolitical decision you had no part in — is real. Nayara proved it is real. Anthropic proved it again yesterday.
The question every enterprise should be asking is simple: if this access disappeared tomorrow, what breaks?
Digital sovereignty does not eliminate risk. It changes who controls the risk.