Non-EEA IT vendors – growing challenges in the face of geopolitical change

10 June 2025 | Knowledge, News, The Right Focus

The global political landscape is changing rapidly, and the directions of these changes can often be surprising. This has been clearly demonstrated by the recent, hard-to-understand decisions of the US administration, and is one of the reasons why the question of cooperation with IT service providers from outside the European Economic Area is becoming an issue of strategic importance. It is thus worth taking a closer look at the implications of such cooperation, especially in critical infrastructure sectors, including banking.

Global challenges in IT supply chains

International unrest is calling into question the stability of global supply chains, particularly in the technology services sector. Analysts at Reuters Events (October 2024) point out that while supply-related processes have always been subject to uncertainty, recent years have seen disruptions on an unprecedented scale.

American technology companies dominate the global market in this area, providing key solutions such as:

  • cloud infrastructure
  • analytical tools
  • data management systems
  • cybersecurity solutions
  • other technologies essential for modern financial institutions

It should be noted that the activities of these companies are subject to strong political influence, in particular to decisions taken by the US authorities.

Legal regulations and their implications

An example of a regulation that affects IT service providers is the US Cloud Act, which allows the US government to access electronically stored communications data on the basis of a court order.

“Entities from the European Union may be subject to the Cloud Act if they use services related to the US or provided by companies based in the US,” says Natalia Kotłowska-Wochna.

It should also be noted that data transfers between the EU and the US are currently governed by the Data Privacy Framework, which was established in response to the CJEU ruling in the Schrems II case. However, when adopting this framework, the United States did not repeal Section 702 of the FISA Amendments Act, which grants intelligence services powers over non-US persons located outside the United States. This creates a risk that the validity of the Data Privacy Framework could be challenged by the CJEU.

The EU Data Act is another piece of legislation impacting the IT services industry. From 12 January 2027, it will prohibit cloud service providers from charging for the transfer of customer data to another provider, regardless of the company’s location. This provision may have contributed to the decision by some global providers to waive data transfer fees (so-called egress fees).

Risk mitigation strategies

As geopolitical tensions rise, critical infrastructure organisations will undoubtedly focus on mitigating the risks associated with using IT services from non-EEA providers.

One way to achieve this goal will be to diversify providers, which will minimise the risks arising from potential political decisions or regulatory changes. As part of such a strategy, it is possible to switch to European providers whose solutions not only comply with EU standards, but are also adapted to local risks and their latest updates, which results in a higher level of security.

“The DORA Regulation, which introduces a comprehensive framework for managing the risks associated with ICT third-party service providers, is proving to be a significant support for banks,” says Natalia Kotłowska-Wochna.

DORA requires financial institutions to develop a policy for managing the risks associated with ICT third-party service providers. This policy should be implemented in accordance with the principle of proportionality, taking into account the nature, scale and complexity of the technological reliance and the criticality of the service to ensuring the continuity of financial operations.

The Regulation also requires a preliminary assessment of ICT concentration risk and a periodic review of ICT service risks, taking into account the organisation’s risk profile and the complexity of its services.

Non-EEA IT vendors – our recommendations for banks

In summary, as geopolitical tensions rise, critical infrastructure organisations should implement risk mitigation measures such as:

  • Diversifying IT service providers
  • Investing in local solutions
  • Conducting regular regulatory compliance audits
  • Strengthening cyber security controls
  • Developing advanced business continuity plans
  • Implementing backup solutions
  • Giving priority to recovery actions
  • Implementing comprehensive training schemes
  • Monitoring risks
  • Regularly updating plans to reflect changing market and geopolitical conditions

 Any questions? Get in touch with us

Natalia Kotłowska-Wochna

Contact us:

Natalia Kotłowska-Wochna

Attorney-at-Law / Head of New Tech M&A / NewTech Practice Group / Head of the Poznan Office

+48 606 689 185

n.kotlowska@kochanski.pl