India is progressively moving beyond data regulation toward the localisation of digital infrastructure and operational control itself. While framed around digital sovereignty and regulatory access, these measures increasingly operate as structural constraints on globally integrated AI and digital architectures.
India’s Promotion and Regulation of Online Gaming (PROG) Act and Rules, which became operational on May 1, 2026, provide the latest illustration of how Indian regulation is progressively restructuring transnational digital businesses into India-contained operational environments. The PROG empowers the new Online Gaming Authority of India (OGAI) to require the retention and storage of traffic data, metadata or related information on computer resources located in India. The OGAI is expected to apply these rules to e-sports and certain categories of online games which may attract regulatory attention as they scale.
This new local data retention and storage mandate will affect major online game publishers by requiring them to turn their Indian operations into a “fenced” ecosystem within their multinational network. They will have to balance their global interconnected gameplay with India-contained storage rules. As these obligations become applicable with scale, publishers may increasingly need to redesign their system architecture around India-specific operational segregation, including the local hosting of Indian player profiles, traffic data and metadata.
The deeper issue is that localisation progressively disaggregates Indian operations from globally integrated gaming architectures into jurisdiction-specific operational silos. Data localisation is not just a compliance issue but a systems architecture issue.
Similar localisation trends are visible across multiple sectors in India. RBI payment localisation requirements already mandate on-soil storage of payments data. Financial record localisation obligations exist under company law frameworks. Sectoral storage mandates are also in place across insurance and telecom infrastructure. Storage and processing of data locally is on the anvil in healthcare as well. Given this regulatory trend towards India-based storage mandates across sectors, enterprise AI deployments in India are becoming structurally ring-fenced.
What is emerging is not merely a compliance framework, but a restructuring of how global digital systems operate within Indian regulatory space. As localisation obligations expand across sectors, multinational technology companies may increasingly need to treat India not simply as a market within a global infrastructure stack, but as a distinct digital jurisdiction requiring separate governance, operational and data architectures.
For multinational companies, localisation obligations can fragment AI governance itself. Training datasets, inference logs, safety telemetry, and model-monitoring systems may increasingly need to be regionally segregated. Over time, this can produce jurisdiction-specific AI stacks with distinct compliance, moderation, auditing, and deployment pipelines.
Governments, including India, increasingly treat physical localisation as strategically important primarily for jurisdictional control and reducing reliance on cross-border cooperation mechanisms. From the state’s perspective, localisation enhances regulatory reach, investigatory efficiency, and resilience against external dependency.
Localisation alone does not necessarily resolve sovereign control concerns. A dataset stored in Mumbai but remotely accessible from California, Dublin or Singapore may still be fully visible to foreign engineers, cloud administrators or foreign legal processes. From a cybersecurity or confidentiality perspective, localisation alone does not automatically create control. Without parallel controls around access, administration, encryption governance and operational oversight, localisation alone may not fully achieve sovereign control objectives.
This is why, outside India, the trend is beyond simple localisation rules toward access governance and operational control requirements. The European approach increasingly reflects this broader conception of digital sovereignty. Regulatory and policy debates in the EU have progressively shifted from mere data localisation toward questions of operational control, lawful access, cloud governance, encryption management and dependency on foreign hyperscale infrastructure. The concern is no longer limited to where data is physically stored, but whether strategic digital infrastructure remains subject to extraterritorial access or external administrative control. For AI systems, these distinctions become even more significant because model governance, telemetry, training pipelines and safety oversight often operate through globally distributed infrastructure rather than isolated national servers.
Today, the debates around AI and cloud sovereignty are increasingly about “who controls the architecture ?” rather than simply “where is the server located ?” The next phase of digital sovereignty will likely be defined less by where data resides than by who controls access, governance and the underlying architecture itself.”
Aparna Viswanathan,
Managing Partner,
Viswanathan & Co., Advocates
https://www.linkedin.com/pulse/indias-new-data-localisation-fragmentation-global-ai-viswanathan-bcdbe/