Non-EEA IT vendors – growing challenges in the face of geopolitical change

10 June 2025 | Knowledge, News, The Right Focus

The global political landscape is changing rapidly, and the directions of these changes can often be surprising. This has been clearly demonstrated by the recent, hard-to-understand decisions of the US administration, and is one of the reasons why the question of cooperation with IT service providers from outside the European Economic Area is becoming an issue of strategic importance. It is thus worth taking a closer look at the implications of such cooperation, especially in critical infrastructure sectors, including banking.

Global challenges in IT supply chains

International unrest is calling into question the stability of global supply chains, particularly in the technology services sector. Analysts at Reuters Events (October 2024) point out that while supply-related processes have always been subject to uncertainty, recent years have seen disruptions on an unprecedented scale.

American technology companies dominate the global market in this area, providing key solutions such as:

  • cloud infrastructure
  • analytical tools
  • data management systems
  • cybersecurity solutions
  • other technologies essential for modern financial institutions

It should be noted that the activities of these companies are subject to strong political influence, in particular to decisions taken by the US authorities.

Legal regulations and their implications

An example of a regulation that affects IT service providers is the US Cloud Act, which allows the US government to access electronically stored communications data on the basis of a court order.

“Entities from the European Union may be subject to the Cloud Act if they use services related to the US or provided by companies based in the US,” says Natalia Kotłowska-Wochna.

It should also be noted that data transfers between the EU and the US are currently governed by the Data Privacy Framework, which was established in response to the CJEU ruling in the Schrems II case. However, when adopting this framework, the United States did not repeal Section 702 of the FISA Amendments Act, which grants intelligence services powers over non-US persons located outside the United States. This creates a risk that the validity of the Data Privacy Framework could be challenged by the CJEU.

The EU Data Act is another piece of legislation impacting the IT services industry. From 12 January 2027, it will prohibit cloud service providers from charging for the transfer of customer data to another provider, regardless of the company’s location. This provision may have contributed to the decision by some global providers to waive data transfer fees (so-called egress fees).

Risk mitigation strategies

As geopolitical tensions rise, critical infrastructure organisations will undoubtedly focus on mitigating the risks associated with using IT services from non-EEA providers.

One way to achieve this goal will be to diversify providers, which will minimise the risks arising from potential political decisions or regulatory changes. As part of such a strategy, it is possible to switch to European providers whose solutions not only comply with EU standards, but are also adapted to local risks and their latest updates, which results in a higher level of security.

“The DORA Regulation, which introduces a comprehensive framework for managing the risks associated with ICT third-party service providers, is proving to be a significant support for banks,” says Natalia Kotłowska-Wochna.

DORA requires financial institutions to develop a policy for managing the risks associated with ICT third-party service providers. This policy should be implemented in accordance with the principle of proportionality, taking into account the nature, scale and complexity of the technological reliance and the criticality of the service to ensuring the continuity of financial operations.

The Regulation also requires a preliminary assessment of ICT concentration risk and a periodic review of ICT service risks, taking into account the organisation’s risk profile and the complexity of its services.

Non-EEA IT vendors – our recommendations for banks

In summary, as geopolitical tensions rise, critical infrastructure organisations should implement risk mitigation measures such as:

  • Diversifying IT service providers
  • Investing in local solutions
  • Conducting regular regulatory compliance audits
  • Strengthening cyber security controls
  • Developing advanced business continuity plans
  • Implementing backup solutions
  • Giving priority to recovery actions
  • Implementing comprehensive training schemes
  • Monitoring of risks
  • Regularly updating plans to reflect changing market and geopolitical conditions

Natalia Kotłowska-Wochna

Attorney-at-Law / Partner / New Tech, IP, Trade & Logistics Practice Group / Head of New Tech M&A
