India's Cloud and Data Hosting Market: Scale and Opportunity
India's data center market is valued at approximately USD 9.8 billion in 2025 and is projected to reach USD 21 billion by 2031, growing at a compound annual growth rate of 13.6%. The market is attracting unprecedented foreign capital: global technology companies and infrastructure investors have committed approximately USD 67.5 billion over the next five years for cloud and data center infrastructure in India.
Microsoft announced its largest investment in Asia — USD 17.5 billion over four years (2026-2029) — specifically for cloud and AI infrastructure in India. Blackstone has committed over USD 20 billion cumulatively, including USD 11 billion in long-term deals signed in 2025. The Indian government's Union Budget 2026-27 announced a 20-year tax holiday (until 2047) for eligible foreign cloud service providers operating through India-based data center infrastructure, a landmark incentive designed to make India a global hub for cloud and AI workloads.
For foreign companies, the opportunity extends beyond providing cloud services to India. Data localization requirements under the DPDP Act and sector-specific regulations are compelling companies across every industry to establish or contract for data hosting capacity in India. This guide covers the complete regulatory framework governing cloud infrastructure, data hosting, and foreign direct investment in India's digital infrastructure sector.
FDI Policy for Cloud Infrastructure and Data Centers
Foreign investment in cloud infrastructure and data hosting in India benefits from a highly liberalized FDI regime across all relevant sub-sectors.
Sectoral FDI Rules
| Sub-Sector | FDI Cap | Route | Key Conditions |
|---|---|---|---|
| IT and BPM services (including cloud services) | 100% | Automatic | None |
| Data center operations | 100% | Automatic | Infrastructure status for facilities with 5+ MW capacity |
| Telecom services (ISP, OSP) | 100% | Automatic | Subject to telecom licensing requirements |
| E-commerce (marketplace model) | 100% | Automatic | No inventory model; data hosting in India preferred |
Infrastructure Status Benefits
Data centers with at least 5 MW capacity housed in a dedicated building received "infrastructure" status in 2022 when they were added to India's Harmonized Master List of Infrastructure Sub-Sectors. This classification provides significant benefits:
- Eligibility for long-tenor infrastructure lending from banks and NBFCs at priority sector interest rates
- Access to the Foreign Venture Capital Investment (FVCI) route for foreign fund investments
- Eligibility for infrastructure investment trusts (InvITs) for listing and capital raising
- Preferential treatment under state industrial policies and single-window clearance systems
Entity Structure for Foreign Data Center Operators
Foreign cloud and data center companies typically enter India as a wholly-owned subsidiary — a private limited company incorporated under the Companies Act, 2013, with 100% foreign shareholding. The incorporation process follows the standard SPICe+ route, with FC-GPR filing within 30 days of share allotment.

The DPDP Act 2023: India's Data Protection Framework
The Digital Personal Data Protection Act, 2023 (DPDP Act), enacted on August 11, 2023, and operationalized through the DPDP Rules, 2025 (notified on November 14, 2025), establishes India's comprehensive data protection framework. For cloud infrastructure and data hosting providers, the DPDP Act creates both compliance obligations and commercial demand drivers.
Key DPDP Act Provisions for Data Hosting
- Consent-based processing: All personal data processing must be based on explicit, informed, free, specific, and unconditional consent from the data principal (individual), unless a legitimate use exemption applies
- Purpose limitation: Personal data can only be processed for the specific purpose for which consent was obtained
- Data retention limits: Personal data must be erased when the purpose of processing is fulfilled or when the data principal withdraws consent
- Data breach notification: Data fiduciaries must report breaches to the Data Protection Board of India (DPBI) and affected data principals without delay
- Children's data protections: Enhanced protections for processing personal data of children under 18, including verifiable parental consent
Implementation Timeline
| Phase | Date | Key Milestone |
|---|---|---|
| Phase 1 | November 2025 | Data Protection Board of India (DPBI) established and operational |
| Phase 2 | November 2026 | Consent Manager registration commences |
| Phase 3 | May 13, 2027 | Full compliance deadline — all obligations enforceable |
Penalty Structure
The DPDP Act imposes significant penalties for non-compliance:
| Violation | Maximum Penalty |
|---|---|
| Failure to prevent a personal data breach | INR 250 crore (approx. USD 30 million) |
| Non-fulfilment of obligations regarding children's data | INR 200 crore (approx. USD 24 million) |
| Failure to comply with data principal rights | INR 50 crore (approx. USD 6 million) |
| Non-compliance with other DPDP provisions | INR 50 crore (approx. USD 6 million) |
Data Localization: What Must Stay in India
Data localization — the requirement to store and process certain categories of data within Indian borders — is the single most significant regulatory driver for cloud infrastructure investment in India. The localization framework operates through multiple legal instruments, each with different scope and stringency.
DPDP Act: The "Negative List" Approach
The DPDP Act adopts a "negative list" (blacklist) model for cross-border data transfers. By default, personal data may be transferred to any country except those specifically restricted by the Central Government. Key provisions:
- The government may notify a list of countries to which personal data cannot be transferred — no countries have been blacklisted as of March 2026
- Significant Data Fiduciaries (SDFs) — entities designated by the government based on data volume and sensitivity — face additional restrictions. The government can specify categories of personal data that SDFs must process exclusively within India
- The specific categories of data restricted from cross-border transfer have not yet been notified, but healthcare data, financial data, and government data are widely expected to be included
RBI Data Localization (Financial Sector)
The Reserve Bank of India mandates that all payment system data must be stored exclusively in India. The RBI's April 2018 circular requires:
- All data related to payment transactions processed through payment systems operated in India must be stored in systems located within India
- If data is processed outside India, the data must be deleted from foreign servers and brought back to India within 24 hours
- The RBI is launching the Indian Financial Services (IFS) Cloud in 2025-26 — a dedicated cloud infrastructure operated by IFTAS (an RBI subsidiary) — for banks, NBFCs, and regulated financial entities
CERT-In Cybersecurity Requirements
The Indian Computer Emergency Response Team (CERT-In), operating under MeitY, imposes binding cybersecurity obligations on all entities operating digital infrastructure in India:
- Incident reporting: All cybersecurity incidents must be reported to CERT-In within 6 hours of detection — one of the strictest reporting timelines globally
- Log retention: All ICT system logs must be retained within India for a rolling period of 180 days and made available to CERT-In upon request
- NTP synchronization: All ICT systems must synchronize their clocks with the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL)
- KYC for cloud/VPN/VPS providers: Cloud service providers, VPN providers, and virtual private server providers must maintain validated KYC records of their subscribers for a period of 5 years after account closure
Sector-Specific Data Localization Requirements
| Sector | Regulator | Data Localization Requirement |
|---|---|---|
| Financial services (payments) | RBI | Mandatory — all payment data must reside in India |
| Insurance | IRDAI | Policyholder data must be maintained within India |
| Telecom | DoT | Subscriber data and call records must be stored in India |
| Healthcare | ABDM/NHA | Health data under ABDM ecosystem must reside in India |
| Government/public sector | MeitY | GI Cloud (MeghRaj) policy requires government data on India-hosted infrastructure |
| General personal data | MeitY (DPDP Act) | Negative-list model — blacklisted countries and SDF-specific restrictions pending notification |

Licensing and Approvals for Cloud and Data Center Operations
Establishing and operating cloud infrastructure in India requires approximately 30 regulatory approvals from various authorities. The major ones include:
Telecom and OSP Licensing
- ISP licence: If the data center operator provides internet connectivity to customers, an Internet Service Provider (ISP) licence from the Department of Telecommunications (DoT) is required. Category A ISP licences cover the entire country; Category B covers a specific telecom circle; Category C covers a district
- OSP registration: Cloud service providers operating as Other Service Providers (OSPs) — including call centers, BPOs, network operation centers — must register with DoT. The 2021 OSP reforms eliminated security deposits and bank guarantees, significantly simplifying the process
- IP-1 registration: Infrastructure Providers Category-I (IP-1) registration is required for companies providing passive infrastructure (dark fibre, duct space, towers) for data center operations
Electrical and Environmental Approvals
- Electrical Inspector approval: For high-voltage power installations (data centers typically require 11-33 kV power supply), approval from the state electrical inspectorate is mandatory
- Environmental clearance: Large data centers (particularly those using diesel generators above 5 MW cumulative capacity) may require environmental clearance under the EIA Notification 2006
- CPCB/SPCB consent: Consent to Establish and Consent to Operate under Air and Water Acts for diesel generator emissions and cooling tower water discharge
- Fire safety NOC: Mandatory fire safety certification from the state fire services department, particularly for facilities housing lithium-ion battery backup systems
Building and Zoning Approvals
- Building plan approval: Municipal/development authority approval for construction of data center facilities, including structural safety, parking, and access compliance
- Land use/zoning compliance: Data centers must be located in zones designated for IT/commercial/industrial use. Agricultural land requires conversion approval
- Height and FAR compliance: Data centers with multiple floors must comply with local Floor Area Ratio (FAR) and height restrictions
Tax Incentives for Data Center Investment
India has introduced substantial tax incentives to attract data center investment from foreign companies:
20-Year Tax Holiday (Budget 2026-27)
The Union Budget 2026-27 announced a tax holiday until 2047 for eligible foreign cloud service providers operating through India-based data center infrastructure. Key conditions:
- The data center must be located in India and serve global cloud workloads
- Minimum investment thresholds apply (details being finalized through implementing rules)
- The tax holiday covers corporate income tax on profits derived from qualifying cloud operations
Standard Corporate Tax Rates
Data center and cloud companies not qualifying for the tax holiday are subject to standard corporate tax rates:
- Standard rate: 22% (effective 25.17%) under Section 115BAA
- New manufacturing company rate: 15% (effective 17.16%) under Section 115BAB, applicable if the data center involves manufacturing of IT hardware; the window for new manufacturing companies closed on 31 March 2024
State-Level Incentives
Multiple states offer dedicated data center policies with incentives including:
| State | Key Incentives |
|---|---|
| Maharashtra | 100% electricity duty exemption (10 years), stamp duty exemption, capital subsidy up to INR 100 crore |
| Tamil Nadu | Power tariff subsidy, 100% stamp duty exemption, SGST reimbursement (10 years) |
| Telangana | 25% capital subsidy (up to INR 200 crore), 100% electricity duty exemption, land at subsidized rates |
| Uttar Pradesh | 100% stamp duty exemption, capital subsidy up to 25%, electricity duty exemption (10 years) |
| Gujarat | Capital subsidy up to 25%, 5-year electricity duty exemption, dedicated IT zones with pre-built infrastructure |

Data Center Infrastructure: Technical Compliance Standards
Foreign data center operators must comply with Indian standards for facility design, electrical systems, and safety:
Bureau of Indian Standards (BIS)
- IS 16966: Indian standard for data center facilities — covers design, construction, and operational requirements
- IS/ISO 27001: Information security management system certification — while not legally mandatory, it is a practical prerequisite for serving enterprise and government customers in India
- IS 1893: Seismic design criteria — applicable to data center structures in seismic zones
Uptime Institute and TIA Standards
While not legally required, most enterprise-grade data centers in India target Tier III or Tier IV certification from the Uptime Institute or comply with TIA-942 standards. These certifications are market expectations rather than regulatory requirements, but they are essential for winning enterprise contracts and government empanelment.
Cybersecurity Compliance Framework
Cloud and data hosting providers in India operate under multiple overlapping cybersecurity compliance requirements:
CERT-In Directions (2022, as amended)
The binding CERT-In directions require all service providers, intermediaries, data centers, and cloud providers to:
- Report cybersecurity incidents to CERT-In within 6 hours
- Maintain logs of all ICT systems for 180 days within India
- Designate a Point of Contact (PoC) for CERT-In coordination
- Maintain subscriber KYC records for 5 years after account closure
RBI Cybersecurity Framework (Financial Sector)
If the data center hosts financial sector workloads, additional RBI cybersecurity mandates apply:
- Zero Trust Architecture (ZTA) implementation — mandatory for banks and NBFCs from 2025
- Board-level accountability for cybersecurity risk management
- Regular vulnerability assessment and penetration testing (VAPT) at prescribed intervals
- Incident reporting to RBI's CSITE (Computer Security Incident Response Team) in addition to CERT-In
SEBI Cybersecurity Framework (Capital Markets)
Data centers hosting capital markets workloads (stock exchanges, depositories, mutual funds) must comply with SEBI's cybersecurity framework, including mandatory SOC-2 compliance, DR site requirements, and data encryption standards.

Cross-Border Data Transfer Compliance for Cloud Providers
Foreign cloud providers operating in India face a unique compliance challenge: they must comply with Indian data localization requirements while maintaining their global service architecture.
Practical Compliance Strategies
- India region deployment: All major hyperscale providers (AWS, Azure, GCP) now operate multiple availability zones within India. Deploying workloads in India regions ensures compliance with data residency requirements
- Hybrid cloud architecture: Companies are increasingly adopting hybrid models — storing sensitive and regulated data locally in Indian data centers while processing non-sensitive data globally
- Data classification frameworks: Implementing automated data classification tools to identify personal data, financial data, and other regulated categories and route them to India-hosted infrastructure
- Contractual safeguards: Cloud service agreements must include specific provisions addressing Indian data localization requirements, audit rights, and incident notification obligations
Common Compliance Mistakes by Foreign Cloud Companies
1. Assuming Global Compliance Frameworks Are Sufficient
GDPR compliance does not automatically satisfy Indian data protection requirements. The Indian regime has requirements that European and American compliance frameworks do not cover, including the DPDP Act's negative-list approach to cross-border transfers, its Significant Data Fiduciary classification, and the separate 6-hour CERT-In incident reporting requirement.
2. Overlooking CERT-In KYC Requirements
The mandatory 5-year KYC retention requirement for cloud, VPN, and VPS subscribers catches many foreign providers off guard. This requires validated customer identity verification — not just billing information — and the records must be maintained in India and produced to CERT-In on demand.
3. Ignoring State-Level Data Center Policies
Data center incentives vary dramatically by state. Choosing a location without analyzing state-level policies can mean missing capital subsidies of up to INR 200 crore, electricity duty exemptions worth crores annually, and simplified clearance processes through dedicated IT zones.
4. Inadequate Transfer Pricing Documentation
Foreign cloud companies with Indian subsidiaries must ensure that intercompany charges — for technology licensing, platform access, management services, and brand usage — are priced at arm's length with contemporaneous documentation. Indian tax authorities actively scrutinize technology service charges in the IT sector.
5. Not Planning for the DPDP Act May 2027 Deadline
Organizations have until May 13, 2027 to achieve full DPDP Act compliance. Given the breadth of required changes — consent management systems, data principal rights infrastructure, breach notification procedures, and Data Protection Impact Assessments — cloud providers should begin implementation no later than H2 2026.

Investment Structuring for Data Center FDI
Foreign investors structuring data center investments in India should consider:
Direct Investment vs Holding Company Route
Direct investment from the foreign parent into the Indian subsidiary is straightforward and avoids holding company complexity. However, routing through an intermediate holding company in a treaty-friendly jurisdiction (Singapore, Netherlands, Japan) can provide DTAA benefits on dividend withholding tax — typically reducing the rate from 20% (domestic law) to 10% (treaty rate). India's GAAR provisions require that the holding company has genuine economic substance and is not established solely for treaty shopping.
REIT/InvIT Structures
Data centers with infrastructure status are eligible for Infrastructure Investment Trust (InvIT) listing, which provides a tax-efficient structure for foreign portfolio investors and institutional investors. InvITs offer pass-through tax treatment on interest income and capital gains, making them attractive for yield-seeking infrastructure investors.
Significant Data Fiduciary (SDF) Obligations
The DPDP Act creates a special category of regulated entities — Significant Data Fiduciaries (SDFs) — based on factors including the volume and sensitivity of personal data processed, risk to data principals, and potential impact on India's sovereignty and integrity. Cloud providers and data center operators serving large enterprise customers may be classified as SDFs by the Central Government.
Enhanced SDF Obligations
- Data Protection Impact Assessment (DPIA): SDFs must conduct DPIAs before undertaking any significant new data processing activity
- Data Protection Officer (DPO): SDFs must appoint a DPO based in India who acts as the point of contact for the Data Protection Board
- Independent data auditor: SDFs must engage an independent auditor to evaluate compliance with the DPDP Act at prescribed intervals
- Data localization (future): The government may notify specific categories of personal data that SDFs cannot transfer outside India — this provision is expected to be activated for healthcare, financial, and government data categories
Consent Manager Registration
Starting November 2026, Consent Managers — entities that enable data principals to manage, review, and withdraw consent — must register with the Data Protection Board. Cloud providers offering consent management tools as part of their platform will need to ensure their Consent Manager modules meet the prescribed registration requirements and interoperability standards.
Key Takeaways
- 100% FDI is permitted under the automatic route for cloud services, data center operations, and IT/BPM services — data centers with 5+ MW capacity have infrastructure status
- The DPDP Act 2023 creates a comprehensive data protection framework with penalties up to INR 250 crore per violation and a full compliance deadline of May 13, 2027
- Data localization requirements vary by sector: RBI mandates strict payment data localization, while the DPDP Act takes a more flexible negative-list approach for general personal data
- CERT-In requires 6-hour incident reporting, 180-day log retention within India, and 5-year KYC records for cloud subscribers — among the strictest cybersecurity mandates globally
- Budget 2026-27 announced a 20-year tax holiday for foreign cloud providers using India-based data centers, alongside state-level capital subsidies of up to INR 200 crore
Frequently Asked Questions
Is 100% FDI allowed in cloud infrastructure and data centers in India?
Yes, 100% FDI is permitted under the automatic route for IT and BPM services (including cloud services), data center operations, and telecom services. Data centers with at least 5 MW capacity in a dedicated building have infrastructure status, providing access to infrastructure lending, FVCI route, and InvIT listing.
What is the DPDP Act compliance deadline for cloud providers in India?
The full compliance deadline under the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 is May 13, 2027. Organizations have 18 months from the November 2025 notification to implement consent management systems, data principal rights infrastructure, breach notification procedures, and Data Protection Impact Assessments.
What are the data localization requirements for cloud hosting in India?
Data localization requirements vary by sector. The RBI mandates that all payment system data must be stored exclusively in India. The DPDP Act uses a negative-list approach where personal data can flow to any country except those specifically restricted. Telecom subscriber data must remain in India. Healthcare data under ABDM and government data under MeghRaj policy also have India-residency requirements.
What is the CERT-In incident reporting timeline in India?
CERT-In requires all cybersecurity incidents to be reported within 6 hours of detection — one of the strictest timelines globally. Additionally, ICT system logs must be retained within India for 180 days, and cloud/VPN/VPS providers must maintain validated KYC records of subscribers for 5 years after account closure.
What tax incentives are available for data center investments in India?
The Union Budget 2026-27 announced a 20-year tax holiday (until 2047) for eligible foreign cloud service providers operating through India-based data centers. State-level incentives include capital subsidies up to INR 200 crore, 100% electricity duty exemption, stamp duty exemption, and SGST reimbursement. The standard corporate tax rate is 22% (effective 25.17%).
What penalties does the DPDP Act impose for data breaches?
The DPDP Act imposes a maximum penalty of INR 250 crore (approximately USD 30 million) for failure to prevent a personal data breach. Non-compliance with children's data obligations carries penalties up to INR 200 crore. Failure to fulfill data principal rights attracts penalties up to INR 50 crore per violation.
Do foreign cloud providers need telecom licenses to operate in India?
It depends on the services offered. If the provider offers internet connectivity, an ISP licence from DoT is required. Cloud-based call centers and BPOs need OSP registration. Infrastructure providers offering passive infrastructure (dark fibre, duct space) need IP-1 registration. Pure cloud hosting without connectivity services may not require telecom licensing.