Non-EEA IT vendors – growing challenges in the face of geopolitical change

10 June 2025 | Knowledge, News, The Right Focus

The global political landscape is changing rapidly, and the directions of these changes can often be surprising. This has been clearly demonstrated by the recent, hard-to-understand decisions of the US administration, and is one of the reasons why the question of cooperation with IT service providers from outside the European Economic Area is becoming an issue of strategic importance. It is thus worth taking a closer look at the implications of such cooperation, especially in critical infrastructure sectors, including banking.

Global challenges in IT supply chains

International unrest is calling into question the stability of global supply chains, particularly in the technology services sector. Analysts at Reuters Events (October 2024) point out that while supply-related processes have always been subject to uncertainty, recent years have seen disruptions on an unprecedented scale.

American technology companies dominate the global market in this area, providing key solutions such as:

  • cloud infrastructure
  • analytical tools
  • data management systems
  • cybersecurity solutions
  • other technologies essential for modern financial institutions

It should be noted that the activities of these companies are subject to strong political influence, in particular through decisions taken by the US authorities.

Legal regulations and their implications

An example of a regulation that affects IT service providers is the US CLOUD Act, which allows US authorities, on the basis of a court order, to access electronically stored communications data held by providers subject to US jurisdiction, regardless of where that data is physically stored.

“Entities from the European Union may be subject to the Cloud Act if they use services related to the US or provided by companies based in the US,” says Natalia Kotłowska-Wochna.

It should also be noted that data transfers between the EU and the US are currently governed by the Data Privacy Framework, which was established in response to the CJEU ruling in the Schrems II case. However, when adopting this framework, the United States did not repeal Section 702 of the FISA Amendments Act, which authorises US intelligence services to target non-US persons located outside the United States for surveillance. This creates a risk that the validity of the Data Privacy Framework could be challenged before the CJEU.

The EU Data Act is another piece of legislation impacting the IT services industry. From 12 January 2027, it will prohibit cloud service providers from charging for the transfer of customer data to another provider, regardless of the company’s location. This provision may have contributed to the decision by some global providers to waive data transfer fees (so-called egress fees).

Risk mitigation strategies

As geopolitical tensions rise, critical infrastructure organisations will undoubtedly focus on mitigating the risks associated with using IT services from non-EEA providers.

One way to achieve this goal will be to diversify providers, which will minimise the risks arising from potential political decisions or regulatory changes. As part of such a strategy, it is possible to switch to European providers whose solutions not only comply with EU standards, but are also adapted to local risks and kept current with the latest developments in those risks, which results in a higher level of security.

“The DORA Regulation, which introduces a comprehensive framework for managing the risks associated with ICT third-party service providers, is proving to be a significant support for banks,” says Natalia Kotłowska-Wochna.

DORA requires financial institutions to develop a policy for managing the risks associated with ICT third-party service providers. This policy should be implemented in accordance with the principle of proportionality, taking into account the nature, scale and complexity of the technological reliance and the criticality of the service to ensuring the continuity of financial operations.

The Regulation also requires a preliminary assessment of ICT concentration risk and a periodic review of ICT service risks, taking into account the organisation’s risk profile and the complexity of its services.

Non-EEA IT vendors – our recommendations for banks

In summary, as geopolitical tensions rise, critical infrastructure organisations should implement risk mitigation measures such as:

  • Diversifying IT service providers
  • Investing in local solutions
  • Conducting regular regulatory compliance audits
  • Strengthening cyber security controls
  • Developing advanced business continuity plans
  • Implementing backup solutions
  • Giving priority to recovery actions
  • Implementing comprehensive training schemes
  • Monitoring risks
  • Regularly updating plans to reflect changing market and geopolitical conditions

Natalia Kotłowska-Wochna
