Cybersecurity, Data Sovereignty & Technology Risk

Feb 5, 2026
Ewan Powell
The Digital Balkanization

The Digital Balkanization…

If you work with technology, finance, operations, or even legal, you’ve probably felt it: the internet doesn’t feel “global” anymore. Attacks that once looked like random ransomware now line up neatly with political tension. Rules about where you can store data and who can access it change from one border to the next. What used to be a fairly unified digital space is quietly breaking into blocs.

In this blog, let’s talk about how this “digital balkanization” is reshaping cybersecurity, data governance, and technology strategy. Cyberattacks are now used as geopolitical tools. Data is treated as something closer to a national asset than a business resource. Companies are spending serious money just to live inside this new reality, and the choices they make today, about where to host, how to segment, and what to automate, will decide how resilient they are when the next wave of shocks hits.

Cyber Risk Goes Geopolitical

Cyber Risk Goes Geopolitical

Cyber risk used to be framed mostly as a criminal problem: stolen cards, hijacked accounts, encrypted servers. That hasn’t vanished, but something more strategic has layered on top of it. Nation-states now use cyber operations the way they once used trade restrictions or covert influence, slowly, quietly, and with specific targets in mind.

Microsoft’s 2023 threat intelligence reporting makes that shift painfully clear. They track thirty-four nation-state actors actively going after multinational organizations, up from twenty-one just a few years earlier. That isn’t background noise; it’s a sign that governments now see corporate infrastructure as fair game in geopolitical contests.

At the same time, data sovereignty rules are driving up the cost of simply existing as a global business. IBM has estimated that complying with differing national data requirements has added roughly $1.8 billion in extra infrastructure expenses across major players. That is money spent not to innovate, but to avoid being in legal trouble.

So the risk landscape now looks like this:

  • More motivated attackers with political goals, not just financial ones.
  • Legal frameworks that treat data location as a matter of national interest.
  • Organizations caught between attackers on one side and regulators on the other.

You can’t treat cyber as a purely technical issue in that environment. It’s tied directly to where you operate, which markets you serve, and how you move information around the world.

When Data Chooses Sides

“Where do we store this?” used to be a design question. Now it’s also a sovereignty question: whose rules govern this data, and who can force us to hand it over? That’s the heart of data sovereignty.

Governments are no longer comfortable with critical data floating around “somewhere in the cloud.” Many now insist that certain categories, health records, financial data, government information, large citizen datasets, must remain within their borders or within clear legal reach. That has pushed providers to build sovereign cloud offerings in specific countries.

A good example is how Google has approached some Middle Eastern markets. In places such as Saudi Arabia and the UAE, they’ve developed cloud regions where local partners or authorities control encryption keys. That means any data access request from outside the country can’t be fulfilled unilaterally from abroad; it requires local approval. The infrastructure might be global, but the legal control is deliberately local.

For customers, this creates a trade-off:

  • Upside: more confidence that their data will not be exposed to foreign legal fishing expeditions.
  • Downside: more fragmented architectures, more complexity, and higher operating costs.

Once you accept that data “chooses sides” by virtue of where it lives and whose law applies, you can’t pretend all regions are interchangeable anymore. Your architecture has to reflect that reality.

Real World Industry Adjustments

Real-World Industry Adjustments

The impact of this digital balkanization really comes into focus when you look at specific industries and the concrete steps they’re taking.

Technology giants

  • Google’s “sovereign cloud” regions in places like Saudi Arabia and the UAE are set up so that local entities hold the keys. U.S. authorities can’t simply request access; they have to go through local decision-makers. That structure is designed to satisfy regional regulators who want stronger control over their citizens’ data.

Financial services

  • JPMorgan has reportedly carved its payment systems into isolated environments across around twelve countries. Access into some of these zones requires physical VPN tokens, not just passwords or apps. In China, they run local AI models on Huawei chips, classifying those chips as non-strategic so they can be used without tripping strategic export controls. It’s a very literal example of doing high-tech work while threading a regulatory needle.

Manufacturing and industrial operations

  • Siemens USA has experimented with dual operational technology networks. One network runs the live plant; the other mirrors traffic and behavior for security monitoring, the so-called “ghost shift cybersecurity.” Running these twin environments is estimated to increase operating costs by about eight percent, but it lowers the chance that ransomware can bring a factory to a complete stop.

Energy and utilities

  • Duke Energy has pursued a microgrid-style model for parts of its infrastructure. Grid controls are segmented into semi-autonomous units, each with its own security perimeter. If one part of the grid is attacked, others can keep functioning, a “hydra effect” where cutting off one head doesn’t kill the whole creature.

Each of these examples shows the same pattern: the world outside the company is fragmented, so the internal technology has to fragment in controlled, deliberate ways too.

Architectures Built For Friction

In a simpler era, many organizations pushed toward a single, global, unified technology stack. It was cleaner, more efficient, and easier to manage. Under digital balkanization, that same simplicity becomes a liability. If one component fails, or one jurisdiction changes its rules, your entire operation can be exposed.

Modern architectures are starting to assume friction rather than fight it. Typical patterns include:

  • Regional pods instead of one core
    Instead of one big system serving everyone, companies build regional pods: self-contained environments with their own data, keys, and access controls.
  • Tightly controlled bridges
    Data doesn’t move freely between these pods. It passes through gateways that log, inspect, and sometimes require human approval for sensitive transfers.
  • Redundant critical functions
    Payment processing, authentication, and control systems often have fallback instances in different legal jurisdictions, so a regulatory change or outage in one country doesn’t halt key services.
  • Segmentation based on legal risk
    Systems are grouped according to which country’s laws apply to the data they handle. That segmentation is reflected in security policies, monitoring, and incident response plans.

It’s more complex than a pure “one-stack-to-rule-them-all” approach. But for many organizations, it’s the only model that makes sense when both attackers and regulators are working on a country-by-country basis.

Zero Trust Under Pressure

In a fragmented world, the old idea of a trusted internal network doesn’t hold up. Users connect from everywhere, attackers move laterally quickly, and legal obligations differ from one region to another. That’s why zero trust has gone from trend to necessity.

Zero trust starts with a blunt assumption: no user, device, or network segment is inherently safe. Every request has to earn its access based on identity, context, and policy. Some big players have already internalized this mindset in visible ways. Cisco, for instance, enforces national data boundaries inside its own operations, treating country borders as policy lines. Internal data isn’t allowed to cross those lines without explicit, logged approvals.

On the risk transfer side, cyber insurance is quietly raising the bar too. AIG and other major carriers now expect clients to have serious recovery capabilities. One of their recurring requirements is the presence of offline or isolated backups, sometimes informally called “cyber bunkers.” If you can show that you can restore key systems quickly from these clean sources, your premiums can go down. If you can’t, your coverage may shrink or your costs may spike.

So zero trust and cyber insurance are pulling in the same direction:

  • Design as if compromise is inevitable.
  • Prove you can recover fast.
  • Show that your data flows are intentional, not accidental.

That’s not a theoretical framework anymore; it’s a condition for operating in high-risk, highly regulated markets.

Sovereign Clouds And Ai

Sovereign Clouds And AI

The sovereignty conversation has moved up the stack from storage into intelligence. It’s no longer enough to say, “The data stays here.” Governments and sensitive sectors now ask, “Where does the AI run? Who can see its inputs and outputs? Under whose law?”

To answer those questions, vendors have started offering sovereign AI options. Salesforce’s Einstein GPT-Sovereign is a good example. It’s designed to run entirely on-premises or within tightly controlled sovereign environments for government and defense clients. That means the organization keeps physical and legal control over the models and the data they see, even if it gives up some of the flexibility and cost savings of shared cloud AI.

The data embassy idea pushes sovereignty in another direction. Amazon, for instance, provides arrangements where data belonging to European users of U.S. companies is stored in Switzerland. That data sits under Swiss law, not directly under U.S. or EU authority. If someone wants access, they have to go through Swiss courts. For companies trapped between overlapping legal demands, this kind of neutral legal “territory” inside the cloud can be a practical escape valve.

None of these solutions are cheap or simple. But they all reflect the same fact: in a world of digital balkanization, control over where data and AI live—legally and physically—is no longer optional. It’s central to trust and long-term risk management.

Navigating A Fractured Future

Digital balkanization isn’t a temporary phase the world will “grow out of.” It’s the direction things are going: more borders, more controls, more expectations that companies will quietly enforce policy through their technology. That can feel overwhelming, but it doesn’t have to be paralyzing. The first step is to admit that the map really has changed.

Once you see the fractures clearly, you can design for them. You can decide where to accept duplication, where to invest in sovereign setups, where to insist on clear recovery plans, and where to say no to certain markets because the legal and cyber exposure is too high. Organizations that do that hard thinking early will be the ones that stay resilient when the next geopolitical shock plays out as a cyber incident or a sudden regulatory shift.

In the end, cybersecurity, data sovereignty, and technology risk all boil down to one hard question: Can you keep operating—and keep trust—when parts of the digital world become unavailable, hostile, or suddenly off-limits? There’s no way to answer that perfectly. But the companies that lean into the question now, rather than waiting for a crisis, are the ones most likely to still be standing when the dust settles.

Some Q&As

Q1. What does “digital balkanization” actually mean for my business?

It means the digital environment is no longer one smooth, global space. Different countries have different rules about data, access, and security, so your systems and processes will likely need to differ from region to region as well. In practice, that can mean separate environments, stricter controls on cross-border data flows, and region-specific incident and recovery plans.

Q2. Is data sovereignty just another word for data residency?

Not exactly. Data residency is about where the data physically sits. Data sovereignty is about which country’s laws and institutions have authority over that data. You could host information in one location but structure things so that a different legal system governs access. For risk management, sovereignty is usually the more important concept because it determines who can compel you to produce data.

Q3. What is a realistic first step if we feel behind on all of this?

Start with a simple, honest map. Identify your most important systems and datasets, where they are hosted, which countries’ laws apply, and who accesses them from where. Then look for obvious red flags: sensitive data crossing borders without clear safeguards, critical systems with no regional redundancy, or environments that fall under multiple legal regimes with no documented plan. Even that basic mapping exercise gives you a concrete starting point for improving security, compliance, and resilience in a fractured digital world.