Non-EEA IT vendors – growing challenges in the face of geopolitical change

10 June 2025 | Knowledge, News, The Right Focus

The global political landscape is changing rapidly, and the directions of these changes can often be surprising. This has been clearly demonstrated by the recent, hard-to-understand decisions of the US administration, and is one of the reasons why the question of cooperation with IT service providers from outside the European Economic Area is becoming an issue of strategic importance. It is thus worth taking a closer look at the implications of such cooperation, especially in critical infrastructure sectors, including banking.

Global challenges in IT supply chains

International unrest is calling into question the stability of global supply chains, particularly in the technology services sector. Analysts at Reuters Events (October 2024) point out that while supply-related processes have always been subject to uncertainty, recent years have seen disruptions on an unprecedented scale.

American technology companies dominate the global market in this area, providing key solutions such as:

  • cloud infrastructure
  • analytical tools
  • data management systems
  • cybersecurity solutions
  • other technologies essential for modern financial institutions

It should be noted that the activities of these companies are subject to strong political influence, in particular to decisions taken by the US authorities.

Legal regulations and their implications

An example of a regulation that affects IT service providers is the US Cloud Act, which allows the US government to access electronically stored communications data on the basis of a court order.

“Entities from the European Union may be subject to the Cloud Act if they use services related to the US or provided by companies based in the US,” says Natalia Kotłowska-Wochna.

It should also be noted that data transfers between the EU and the US are currently governed by the Data Privacy Framework, which was established in response to the CJEU ruling in the Schrems II case. However, when adopting this framework, the United States did not repeal Section 702 of the FISA Amendments Act, which grants intelligence services powers over non-US persons located outside the United States. This creates a risk that the validity of the Data Privacy Framework could be challenged by the CJEU.

The EU Data Act is another piece of legislation impacting the IT services industry. From 12 January 2027, it will prohibit cloud service providers from charging for the transfer of customer data to another provider, regardless of the company’s location. This provision may have contributed to the decision by some global providers to waive data transfer fees (so-called egress fees).

Risk mitigation strategies

As geopolitical tensions rise, critical infrastructure organisations will undoubtedly focus on mitigating the risks associated with using IT services from non-EEA providers.

One way to achieve this goal will be to diversify providers, which will minimise the risks arising from potential political decisions or regulatory changes. As part of such a strategy, it is possible to switch to European providers whose solutions not only comply with EU standards, but are also adapted to local risks and their latest updates, which results in a higher level of security.

“The DORA Regulation, which introduces a comprehensive framework for managing the risks associated with ICT third-party service providers, is proving to be a significant support for banks,” says Natalia Kotłowska-Wochna.

DORA requires financial institutions to develop a policy for managing the risks associated with ICT third-party service providers. This policy should be implemented in accordance with the principle of proportionality, taking into account the nature, scale and complexity of the technological reliance and the criticality of the service to ensuring the continuity of financial operations.

The Regulation also requires a preliminary assessment of ICT concentration risk and a periodic review of ICT service risks, taking into account the organisation’s risk profile and the complexity of its services.

Non-EEA IT vendors – our recommendations for banks

In summary, as geopolitical tensions rise, critical infrastructure organisations should implement risk mitigation measures such as:

  • Diversifying IT service providers
  • Investing in local solutions
  • Conducting regular regulatory compliance audits
  • Strengthening cyber security controls
  • Developing advanced business continuity plans
  • Implementing backup solutions
  • Giving priority to recovery actions
  • Implementing comprehensive training schemes
  • Monitoring risks
  • Regularly updating plans to reflect changing market and geopolitical conditions


Contact us:

Natalia Kotłowska-Wochna

Attorney-at-Law / New Tech, IP, Trade & Logistics Practice Group / Head of New Tech M&A

+48 606 689 185

n.kotlowska@kochanski.pl