China’s decision to restrict or phase out cybersecurity products from companies such as VMware, Palo Alto Networks, Fortinet, and Check Point was framed domestically as a matter of technological sovereignty. Official statements emphasized supply-chain security, data control, and the need to reduce dependence on foreign infrastructure in critical systems.
For China, this approach was consistent with a broader model: a tightly regulated digital ecosystem in which the state exerts decisive control over networks, platforms, and vendors. The exclusions were not merely commercial decisions but extensions of national policy, aligning cybersecurity with industrial strategy and internal security.
The move reverberated beyond China’s borders, raising a pointed question for other digitally ambitious nations: could they—or should they—adopt similar measures?
India’s Authority to Act—and Its Constraints
India, like China, possesses the legal authority to restrict foreign technology in the name of national security. Its information technology laws, critical infrastructure protections, and executive powers allow the government to regulate or exclude vendors from sensitive sectors such as defence, telecommunications, banking, and energy. In practice, India has already exercised this authority, most visibly in the banning of certain foreign mobile applications and the tightening of rules around telecom equipment procurement.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Yet India’s political and economic context differs sharply. As a democratic system with an open internet and deep integration into global trade, India operates under judicial scrutiny, World Trade Organization commitments, and the imperative to maintain investor confidence. A sweeping, nationwide ban on global cybersecurity firms would risk legal challenges, diplomatic friction, and disruption to private enterprises that rely on globally integrated security stacks.
As a result, India’s power to act is real but selectively applied—more calibrated than categorical.
Regulation by Design, Not Declaration
Rather than issuing headline-grabbing bans, Indian policymakers have favored quieter mechanisms that achieve similar ends. Government procurement rules can render certain vendors ineligible without naming them publicly. Compliance requirements—ranging from data localization and audit access to incident-reporting mandates—can effectively exclude companies unwilling or unable to conform.
Critical Information Infrastructure guidelines further allow authorities to prescribe what technologies may be used in systems deemed essential to national functioning. In these domains, exclusion is often procedural, not rhetorical. The effect, however, can be decisive: a vendor absent from government and critical-sector contracts may find its market access sharply limited.
This approach reflects India’s attempt to balance security with openness—asserting control over sensitive environments while avoiding the appearance of economic protectionism.
Diverging Models in a Fragmenting Digital Order
The contrast between China and India highlights a broader divergence in how states navigate cybersecurity in an era of geopolitical tension. China’s model prioritizes sovereignty through exclusion and substitution, accelerating domestic alternatives behind a controlled digital perimeter. India’s model, by contrast, leans toward conditional participation—allowing foreign firms to operate so long as they meet evolving standards of trust, transparency, and accountability.
Both strategies are responses to the same reality: cybersecurity has become a matter of national resilience, not just corporate risk management. But where China moves through centralized mandates, India advances through regulation, procurement leverage, and incremental indigenization.
As global cyber risks intensify and technological blocs harden, these choices will shape not only market access for multinational vendors but also the character of the digital state itself—how much it sees security as a function of control, and how much as a product of managed interdependence.
