TPCRM
May 12, 2026

Digital sovereignty and fragmentation: understanding the impacts on third-party cyber risk management

The conversations surrounding digital sovereignty have gained considerable traction recently, with many countries launching initiatives to develop local technologies and encouraging businesses to adopt them. In the more extreme examples, governments have outright banned the use of specific technology vendors or vendors based in certain countries.

Now, there are certainly parallels between the concept of digital sovereignty and the kind of trade policies that can unfold into geopolitical risks for businesses. Usually, trade restrictions are enacted due to commercial or policy disagreements. Digital sovereignty, however, is often focused on a slightly different goal: protecting the autonomy to create and enforce policy.

Many nations are hesitant to give up control over critical infrastructure, their currency, or resources, so they limit or outright forbid foreign entities from operating in these sectors. It doesn't matter if a business comes from an allied country or a country with fair marketing regulations, because this type of regulation isn’t concerned with trade or the markets.

From that perspective, it can be argued that technology, much like natural resources and critical infrastructure, can impact a country's ability to independently decide its policies. It follows that, without some control over the technology stack, the behavior of the technology will constrain the effects of national policies.

Why the framing of digital sovereignty matters

The geopolitical climate since the COVID-19 pandemic has given more weight to the concept of digital sovereignty, alongside other supply chain concerns. The transition to cloud computing, which has resulted in a few big names controlling a significant portion of the global IT infrastructure, has also contributed to this discussion. One thing seems to have become clear in all the noise: it's much harder to remain competitive in other industries if your technology stack is tied to someone else.

At first it’s tempting to group digital sovereignty initiatives with other policies that limit the selection of tech vendors, but the concept of sovereignty has significant emotional weight that separates it from other restrictions. While the United States creates lists of adversaries and sanctioned entities due to national security concerns, "digital sovereignty" is the foundation for comparable measures in places like the European Union and Brazil.

To put it more succinctly, digital sovereignty has the potential to bring supply chain control to the mainstream in geopolitics. This is not a defense of the idea (we are not here to make any judgments on that), but an analysis of why it may find political success, even against the odds.

Technology fragmentation and its challenges

IT infrastructure was not always as commoditized as it is today. Each corporate network used to look completely different.

Software and hardware vendors went to great lengths to standardize products across the globe. Open protocols defined the internet almost from its inception and ended up taking over corporate networking, too, but that is just one piece of the groundwork that had to be established to get us to where we are today.

Internationalization (i18n) and localization (l10n) improved significantly, allowing for software that can work with any language, date format, or time zone. Hardware was consolidated into a handful of compatible platforms, sometimes with strong emulation capabilities for running software made for other architectures. Unicode and web standards gained incredible momentum, replacing the regional text encodings and proprietary extensions that were widespread up to the mid-2000s.

Today, we are a web search away from finding a GitHub repo that addresses a niche problem, sparing us the trouble of creating another incompatible solution. On the other hand, this means we quickly jump at the opportunity to reuse code, dependencies, and everything else.

This homogeneity in IT infrastructure has its issues, but it's extremely convenient. Businesses can hire talent from all over the world, and it's easier to get things started and connected. Global businesses have built data lakes and dashboards, centralizing data that comes from systems that remain similar no matter how distant they are from each other.

When businesses cannot freely select their technology vendors, the result is akin to Balkanization, as each country or bloc builds an infrastructure that is potentially incompatible with its neighbors. This is not the same as going back to the past, however, as many of the difficulties we faced back then were rooted in processing limitations and lackluster communication. These advancements will remain, but they will bring something different.

Instead of building on top of a code repository, we might get more complete forks, as is already the case with some projects in Europe. Additional processing will be needed to unify incompatible data if we don't find a way to use it locally. Businesses might need dedicated staff for software and hardware that they must use in certain regions.

As whole technology stacks lose their luster due to these limitations, technology sprawl and shadow IT could become bigger problems than they are today.

Of course, if a business needs more regional vendors, then managing a larger pool of smaller vendors is a challenge on its own. Smaller vendors are more likely to be below the security poverty line. Although we hope that digital sovereignty initiatives will not overlook cybersecurity requirements, this might not be the case in every jurisdiction.

The basics still have a say

Regardless of how fragmented IT becomes, the fundamentals of cybersecurity remain relevant.

Credential misuse and theft are still a problem, whether the credentials are a username/password pair, MFA keys, or OAuth tokens. Network segmentation and the principle of least privilege are also very important to isolate the corporate network from the myriad vendors that might be needed to remain compliant with regional regulations.

For third-party cyber risk management, relying on good technology to obtain trustworthy data on cybersecurity posture will be just as relevant, if not more so.

As external infrastructure becomes more detached from internal IT, inside-out monitoring of third-party infrastructure can yield great outcomes. This can be paired with segmentation and "kill switches" to dynamically disconnect third parties that are exposing the business to unacceptably high levels of risk, mitigating the dangers of technology sprawl or the negative effects of having too many vendors in different countries.
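As an added illustration of the segmentation-plus-kill-switch idea described above (this is example code written for this article, not a product or the author's own implementation), the following Python sketch turns inside-out monitoring samples into a risk score per vendor, keeps a least-privilege allow-list of the hosts and ports each vendor may reach, and cuts that access when the score crosses a threshold. The vendor names, the observation fields, the scoring weights and the thresholds are all constructed for the example. The reconnect threshold is deliberately lower than the disconnect threshold so a vendor hovering around the limit does not flap on and off.

```python
"""Risk-threshold "kill switch" for third-party network access (example code).

Vendor names, observation fields, weights and thresholds below are constructed
for illustration; they are not taken from any real monitoring product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PostureObservation:
    """One inside-out monitoring sample for a vendor (constructed fields)."""
    exposed_admin_services: int   # admin interfaces reachable from the internet
    expired_certificates: int     # TLS certificates past their validity period
    critical_vulns: int           # unpatched critical findings on external assets
    days_since_last_check: int    # stale data is itself a risk signal


# Constructed weights: each finding type contributes to a 0-100 score.
WEIGHTS = {
    "exposed_admin_services": 15,
    "expired_certificates": 5,
    "critical_vulns": 20,
}
STALE_AFTER_DAYS = 14   # observations older than this get a penalty
STALE_PENALTY = 25


def risk_score(obs: PostureObservation) -> int:
    """Weighted sum of findings, capped at 100, with a penalty for stale data."""
    score = (obs.exposed_admin_services * WEIGHTS["exposed_admin_services"]
             + obs.expired_certificates * WEIGHTS["expired_certificates"]
             + obs.critical_vulns * WEIGHTS["critical_vulns"])
    if obs.days_since_last_check > STALE_AFTER_DAYS:
        score += STALE_PENALTY
    return min(score, 100)


@dataclass
class VendorAccess:
    name: str
    region: str
    # Least-privilege allow-list: the only (host, port) pairs the vendor may reach.
    allowed: frozenset


@dataclass
class KillSwitch:
    disconnect_at: int = 60      # score at or above which access is cut
    reconnect_below: int = 40    # score must fall below this to restore access
    disconnected: set = field(default_factory=set)

    def update(self, vendor: VendorAccess, obs: PostureObservation) -> bool:
        """Apply the latest observation; return True if the vendor stays connected."""
        score = risk_score(obs)
        if vendor.name in self.disconnected:
            # Hysteresis: require a clearly lower score before reconnecting.
            if score < self.reconnect_below:
                self.disconnected.discard(vendor.name)
        elif score >= self.disconnect_at:
            self.disconnected.add(vendor.name)
        return vendor.name not in self.disconnected

    def allow_list(self, vendors, observations) -> dict:
        """Effective allow-list per vendor after applying the kill switch.

        A disconnected vendor gets an empty list, i.e. no reachable hosts.
        """
        result = {}
        for vendor in vendors:
            connected = self.update(vendor, observations[vendor.name])
            result[vendor.name] = sorted(vendor.allowed) if connected else []
        return result


def demo():
    """Run three monitoring cycles over two constructed vendors."""
    vendors = [
        VendorAccess("eu-payroll-saas", "EU",
                     frozenset({("hr-db.internal", 5432)})),
        VendorAccess("br-logistics-api", "BR",
                     frozenset({("wms.internal", 443), ("edi-gw.internal", 8443)})),
    ]
    # Constructed observations; comments give the resulting scores (eu / br).
    cycles = [
        {"eu-payroll-saas": PostureObservation(0, 1, 0, 2),
         "br-logistics-api": PostureObservation(2, 0, 2, 3)},   # 5 / 70 -> br cut
        {"eu-payroll-saas": PostureObservation(0, 1, 0, 2),
         "br-logistics-api": PostureObservation(1, 2, 1, 1)},   # 5 / 45 -> br stays cut
        {"eu-payroll-saas": PostureObservation(0, 1, 0, 2),
         "br-logistics-api": PostureObservation(0, 0, 1, 1)},   # 5 / 20 -> br restored
    ]
    switch = KillSwitch()
    return [switch.allow_list(vendors, obs) for obs in cycles]


if __name__ == "__main__":
    for i, state in enumerate(demo(), start=1):
        print(f"cycle {i}: {state}")
```

In practice the allow-list output would feed whatever enforces segmentation (firewall policy, zero-trust proxy, API gateway), and the observations would come from the monitoring feed rather than being hard-coded; the scoring weights are the part a risk team would tune to its own appetite.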

Beyond regional borders and any tech islands that might arise from their digital sovereignty efforts, a business still needs to address operational concerns, protect itself from cyberattacks, and have controls to mitigate risks that are not directly tied to regulations or industry standards.

As businesses move away from security questionnaires and standard audits in pursuit of higher efficiency and automation for managing a pool of regional vendors, bringing third parties closer for collaboration will help level the playing field and address the real-world issues, regardless of where they are.