17/11/2025
We live in an extremely volatile world where political power struggles are increasingly spilling into cyberspace. Nation-states and their proxies now routinely wield cyberattacks as weapons in geopolitical conflicts.
We’ve seen state-sponsored hackers shut down electric grids to plunge cities into darkness, cripple hospital networks with ransomware (even causing life-threatening delays in care), and hijack media outlets to spread propaganda and disinformation. A recent EU analysis found that nearly 66% of recorded DDoS (Distributed Denial-of-Service) attacks in 2022–2023 were driven by political motives, often retaliations or sanctions in international disputes.
In essence, cyberspace has become a new battleground where national interests clash without regard for borders. This convergence of geopolitics and IT security raises an urgent question for every organization: How geopolitically resilient is your IT? If a conflict erupts or sanctions hit a supplier, will your business operations withstand the shock?
Why Geopolitics Is Now an IT Issue
Political tensions aren’t just concerns for diplomats; they now directly impact corporate networks and data.
A key concept is digital sovereignty: controlling your own data and tech stack so it isn’t vulnerable to foreign interference. Data sovereignty means data is subject to the laws of the country where it’s stored. If your customer data or critical workloads reside on servers in another country, they fall under that country’s jurisdiction and could be exposed or restricted due to geopolitical actions.
For example, European policymakers have grown uneasy with heavy reliance on U.S.-based cloud and technology providers, worrying that it threatens Europe’s digital independence. Similarly, many countries fear that dependency on foreign telecom or hardware vendors (whether American, Chinese, or others) could become a strategic liability if international relations deteriorate. These concerns are driving calls for more local control over data and tech: essentially, don’t put all your IT eggs in someone else’s basket. Even Jensen Huang, Founder of Nvidia, said during Vivatech 2025, “You cannot afford to outsource your intelligence.”
Geopolitics also exposes the global supply chain vulnerabilities in IT. Modern businesses rely on a complex web of software, hardware, and cloud services sourced worldwide. If one link in that chain is compromised — whether by a state-backed attack or an export ban — it can cascade into global disruption.
A Look Back In Time
The notorious 2017 NotPetya cyberattack is a case in point: it was a Russian military malware strike aimed at Ukraine that raced beyond its initial target and crippled companies around the world, from hospitals in the U.S. to a shipping giant and a pharmaceutical company, causing over $10 billion in damages globally. What began as a local cyber war quickly became, in the words of one U.S. official, “the equivalent of using a nuclear bomb to achieve a small tactical victory”, illustrating how a politically motivated attack can inadvertently devastate ordinary businesses across continents.
Even in peacetime, organizations are noticing the tide: nearly 60% of companies say their cybersecurity strategy is now influenced by geopolitical tensions, and 16% have even changed tech vendors or partners in response (for instance, avoiding software from certain countries or diversifying cloud providers). Threat reports also show the overall volume of cyber attacks is surging amidst global instability — 2024 saw 3,541 major incidents worldwide, a 27.4% increase over the previous year.
Italy, as one example, has become an epicenter: it suffered 10% of all global cyberattacks in 2024, and was hit by about 80 geopolitically motivated attacks (29% of such incidents worldwide) in that year alone.
The Bottom Line
Geopolitics has become an IT issue because adversarial nations can and will reach for digital means to apply pressure. Whether it’s espionage, sabotage, or influence campaigns, businesses might find themselves caught in the crossfire, especially if their data, vendors, or infrastructure are tied to a region in turmoil.
Knowing this, companies must evaluate their exposure to geopolitical risk: Which nation’s laws govern your data? Which suppliers might be constrained by sanctions? Could a distant conflict knock out your critical systems? These questions now belong on every CIO’s and CISO’s agenda.

What Regulation Now Demands
Governments worldwide aren’t standing idle. Spurred by high-profile incidents and escalating threats, new regulations are coming into effect to enforce cybersecurity and resilience, with real teeth in terms of penalties. In particular, the European Union has introduced several major rules aimed at shoring up defences amid geopolitical risks. Key examples include:
NIS2 Directive
An update to the EU’s Network and Information Security directive, NIS2, dramatically expands the scope of cybersecurity obligations. It now covers a wide range of “essential” and “important” entities across sectors (energy, healthcare, transport, banking, tech, public sector, and more). Companies in scope must implement strict risk management measures and report significant cyber incidents within tight deadlines (as fast as 24 hours for the initial notification in some cases).
NIS2 also imposes accountability at the top: corporate management can be held liable for failing to meet security duties. Crucially, non-compliance will carry hefty fines of up to €10 million or 2% of global turnover (whichever is higher) for essential entities.
In short, NIS2 forces organizations to uplift their cybersecurity posture (from technical controls to board-level oversight) or face punitive consequences. It aims to create a baseline of resilience across the EU, recognizing that one weak link can endanger the whole network.
DORA (Digital Operational Resilience Act)
Effective from January 2025 in the EU, DORA is a regulation focusing on the financial sector’s resilience. Banks, insurance firms, investment companies, and even critical ICT providers serving them are all covered. DORA requires these entities to have robust continuity and disaster recovery plans, conduct regular digital stress tests, and closely manage risks from third-party tech providers.
Regulatory oversight will increase: For example, “critical” cloud or software providers for banks may be subject to direct supervision by European authorities. Penalties under DORA are significant as well, and EU states must impose “effective, proportionate, and dissuasive” penalties for violations. This could include administrative fines, orders to remediate, and even personal sanctions on managers, similar to NIS2.
Notably, critical ICT suppliers that fall afoul of DORA’s requirements might face daily fines of up to 1% of average daily worldwide turnover until issues are fixed.
EU AI Act
While not a pure security law, the forthcoming Artificial Intelligence Act has a sovereignty and safety angle. This landmark EU legislation (expected to be finalized in 2024) will regulate AI systems, especially “high-risk” uses (like AI in critical infrastructure, healthcare, or law enforcement). Companies deploying such AI will have to conduct risk assessments, ensure human oversight, and be able to explain and control their AI’s decisions.
Why does this matter for geopolitics? Because the AI Act also reflects Europe’s push for digital sovereignty, reducing unchecked reliance on foreign AI technologies and preventing misuse (including by authoritarian regimes or for malicious purposes). The Act comes with severe penalties for non-compliance. For instance, using prohibited AI systems or violating data requirements could draw fines up to €30–35 million or 6–7% of global annual turnover, which is even steeper than GDPR fines.
Such high stakes underscore the intent to set a global standard for trustworthy AI. Businesses worldwide that operate in Europe (or serve European customers) will effectively need to meet these rules, which are driving investment in compliance and AI risk management.
Regulations Outside the EU
Across the globe, similar moves are underway, from the U.S. strengthening critical infrastructure cyber rules to countries like China enforcing strict data localization and security review laws. The upshot for businesses is a growing compliance challenge: You must not only defend against threats, but also navigate an evolving maze of cybersecurity regulations. Failure to do either can result in devastating breaches and regulatory penalties.
The NIS2, DORA, and AI Act trio exemplify the new era of compliance-driven security, where governments are actively pushing organizations toward better resilience and punishing those who don’t measure up. For companies, it means investing in governance, reporting processes, and controls now, rather than scrambling after an incident or a fine. (For example, under NIS2, you’ll need workflows to report an incident within 24 hours, something hard to improvise on the spot.) Staying ahead of these regulations can become a competitive advantage, proving to clients and partners that you take security seriously in a turbulent world.
Resilience Strategies for Companies
Facing this nexus of cyber and geopolitical risk, what can businesses do? The goal is to build resilience. This goes beyond basic cybersecurity and into robust business continuity and flexible architecture decisions. Here are key strategies to consider:
- Adopt multi-cloud and distributed infrastructure: Don’t bet your business on a single cloud provider or data center. By spreading workloads across multiple cloud platforms or hosting in multiple data centers (and ideally in different regions), you greatly reduce the chance that one incident will take you completely offline. A well-implemented multi-cloud strategy can ensure that even if one provider has an outage or comes under attack, your services stay up elsewhere.
- Diversify vendors and supply chains: Just as prudent investors diversify their portfolios, resilient companies diversify their tech suppliers. Relying too heavily on any one software vendor, hardware manufacturer, or telecom carrier can be dangerous if that supplier gets embroiled in a geopolitical conflict or faces sanctions. By using a mix of vendors (and ensuring no critical component is sole-sourced from a high-risk region), you mitigate exposure.
- Invest in continuity planning: Technological defenses alone aren’t enough; organizations need robust business continuity (BC) and disaster recovery plans that account for cyber warfare scenarios and geopolitical disruptions. A BC plan should answer, “If X goes down, how do we keep running?” – whether X is a data center, a cloud service, or a supply route. Make sure these plans cover extreme cases like prolonged internet outages, ransomware crippling systems, or key staff being unreachable.
By implementing these strategies, companies can significantly close the “security gap” created by geopolitics. You can’t stop a nation-state from launching a cyberattack, but you can harden your environment so that even if you’re targeted or suffer collateral damage, you’ll recover quickly with minimal harm. Resilience is the new competitive advantage in an era where both chaos and compliance are on the rise.

Getronics as Your Safety Net
Building and maintaining all the above capabilities can be daunting. This is where an experienced partner like Getronics comes in. With decades of know-how in cybersecurity and IT services, Getronics acts as a safety net for organizations facing complex security challenges.
Today, we have a global team of over 3,700 professionals across 20 countries, supporting clients in more than 180 countries worldwide. Our reach and depth mean we understand local nuances, from EU regulations to regional threat actors, and can provide 24/7 coverage around the globe.
What We Offer
Getronics delivers end-to-end security and continuity solutions, tailored to help your business navigate geopolitical risks and meet regulatory demands. Our services range from comprehensive risk assessments and compliance consulting to 24/7 threat monitoring and rapid incident response. In practice, that means we can audit your IT landscape for vulnerabilities or sovereignty issues, advise on complying with laws like NIS2 or DORA, and implement the necessary safeguards.
Through our Security Operations Centre (SOC) services, we provide constant watch over your environment, detecting intrusions, hunting threats, and responding immediately to incidents to contain damage. We also help develop and test business continuity and disaster recovery plans, ensuring your organization is prepared for the unexpected. All these services are delivered following industry best practices and frameworks (like NIST and ISO 27001) and can be tailored to your specific industry and jurisdiction.
Ultimately, partnering with Getronics means you gain an extension of your team, one that brings strategic insight, technical muscle, and around-the-clock vigilance to protect your business. We pride ourselves on building trusted relationships and long-term continuity with clients. In an environment where threats are global and constant, having a partner who has “seen it all” can be the difference between business as usual and business in crisis.
Act Now to Strengthen Your Geopolitical Resilience
In a world where digital threats ignore national borders, companies must recognize that security doesn’t stop at the national border, and neither does their IT. Your network, data, and processes likely span countries and continents, and so do the risks. The intersection of cyber defence and geopolitics is now one of the biggest security gaps, but it’s a gap you can close with the right approach and partners. By staying informed, investing in resilience, and aligning with forward-looking experts, you turn a potential vulnerability into a strength.
Getronics invites you to take the next step toward bolstering your defence and continuity posture. Consider booking a thorough security assessment or a business continuity strategy review with our experts. We will help you evaluate how geopolitically resilient your IT truly is, identify any weak links, and develop a roadmap to reinforce your defences end-to-end.
Contact Getronics to schedule a consultation and ensure that when it comes to cyber security and sovereignty, your business is always ahead of the curve. Your continuity, compliance, and peace of mind are our mission. Let’s achieve them together.




