Hidden Geographic Dependencies in Your Digital Foundation

Technology Strategy
Written By Jason Conyard

Updated March 2026. Originally published April 2025.

When I wrote this piece nearly a year ago, geography as a strategic variable in tech felt like an important conversation to start. The argument was clear: in a digital world, we're fooling ourselves if we think location doesn't matter. What's happened since then has turned that argument from important to urgent.

The World Still Isn't Flat, and the Stakes Just Got Higher

The core truth holds: where your technologies and data are developed, hosted, governed, and supported shapes your resilience in ways most organizations haven't fully mapped. But the picture has become more complex, and more consequential.

Semiconductor concentration hasn't changed. Taiwan still produces approximately 65% of the world's chips and around 90% of the most advanced. What has changed is the urgency. US tariff escalations and trade tensions throughout 2025 exposed how fragile global tech supply chains are when political conditions shift quickly. Organizations that thought they had buffer time to address these dependencies discovered they didn't.

Cloud infrastructure remains dominated by US-based providers. AWS, Microsoft Azure, and Google Cloud continue to control roughly 65% of global capacity. But the story has gotten more complicated. The EU's push for digital sovereignty has accelerated, with the AI Act's prohibited practices provisions taking effect in February 2025 and broader enforcement for high-risk AI systems arriving in August 2026, sooner than most organizations planned for. European companies are actively building alternatives. Non-European companies operating there are paying fines and rethinking architectures under live pressure, not in anticipation of future risk.

The most significant development since I wrote this piece is AI. When this article was first published, the assumption was that AI capability was essentially a US phenomenon: a handful of providers, all headquartered in America, controlling access to frontier models. DeepSeek changed that calculus in January 2025. High-capability models are no longer a US monopoly. That's genuinely good for competition, but it introduces a new and underappreciated dependency. You now have to ask not just where your data lives, but whose model is reasoning over it, under what legal jurisdiction, and with what government access.

Regional Risk Is Now Operational Reality

The examples I used in the original piece were illustrative. The examples available now are live and ongoing.

US tariff policy in 2025 forced real-time supply chain decisions for companies that had built lean, regionally concentrated procurement strategies. Organizations with flexible, multi-region sourcing adapted. Those without it scrambled. The difference wasn't luck. It was whether anyone had asked the geography question before the disruption arrived.

The EU AI Act's phased enforcement has made regulatory geography a primary constraint on how quickly organizations can deploy AI-driven systems across borders. Companies that assumed they'd address compliance when it became required discovered that "when" arrived faster than their planning cycles.

And the US-China technology bifurcation, already underway in semiconductors, has extended into AI, software, and cloud services. Organizations operating across that divide aren't managing regulatory differences anymore. They're managing fundamentally incompatible technology ecosystems, with real decisions to make about which side of a dividing line their architecture lives on. That's not a future scenario. It's the decision in front of them right now.

The Leadership Question Still Stands

It's still the right question:

Is your tech strategy built to withstand regional disruptions? Or are you betting your organization's stability on someone else's roadmap?

The difference now is that the answer can't be deferred. The organizations that treated geographic dependency as a future risk management question are answering it today, under pressure, with less time and fewer options than they'd have had if they'd started earlier.

Building Resilience With Geography as a Strategic Input

Resilience isn't about eliminating geographic dependency. That's not realistic, and attempting it wholesale is expensive and disruptive in its own right. It's about making the dependency visible, understanding the exposure, and building decisions with the tradeoff in mind.

That means knowing where your critical systems are hosted and which legal jurisdictions they fall under: not in theory, but in documented, maintained maps that your architecture and sourcing decisions actually reference. It means building contracts and vendor relationships with room to pivot, so that changing course is a managed decision rather than a crisis response. And it means applying a geographic lens specifically to AI: knowing not just where your data lives, but which model is processing it, under which jurisdiction, and what that means for your obligations and your exposure.

Most organizations have partial answers to these questions. Few have complete ones. The gap between partial and complete is where disruption lives.

What Comes Next

In the coming weeks, I'm publishing a longer piece that pulls the geography and AI threads together: what resilience by design actually looks like in 2026, for organizations navigating fragmented infrastructure, bifurcated AI ecosystems, and the accelerating reality of digital sovereignty. I'll share that on my website when it's ready.

Has your organization's approach to geographic risk shifted in the last year? What triggered it? What's missing?

Jason Conyard https://www.jasonconyard.com
Previous

Is Generative AI Empowering Us—or Making Us Dependent?
Next

Balancing AI Innovation: Human Touch in Customer Engagement