Your Stack Is Someone Else’s Leverage
De-Risking Technology Dependencies in an Uncertain World
Here is something that should keep every senior leader up at night. The infrastructure your organization depends on (the cloud platforms, the chip architectures, the collaboration tools, the AI models) was not built to serve your interests. It was built to serve someone else’s. And in a world where geopolitical leverage is being recalibrated in real time, that distinction has moved from abstract risk to operational reality.
This is not a speculative future. The United States made it explicit in its 2025 National Security Strategy: technological control is the primary instrument of American power. Not trade agreements. Not military alliances. Technology. The systems on which the global economy runs. The platforms through which data flows. The chips without which nothing computes.
If your technology stack is concentrated in a single nation’s ecosystem, you are not just a customer. You are a dependency. And dependencies get leveraged.
American companies face their own version of this: semiconductor exposure to Taiwan, pharmaceutical supply chains running through China, growing regulatory friction in Europe. Concentration risk is not something one country does to another. We all built this system together. We are reconsidering it separately.
Last year I explored the diagnostic side of this question in a piece on the hidden geographic dependencies in your digital foundation. Every trend I flagged has accelerated. This article picks up where that one left off: not just where the dependencies are, but what you actually do about them.
The New Shape of Power
For decades, the operating assumption was that economic interdependence created stability. Trade made war expensive. Shared infrastructure made coercion impractical. That assumption is being tested now, and in several cases, it is failing.
Consider what the landscape actually looks like. US cloud providers hold roughly 85% of the European market. Nearly 90% of the world’s most advanced logic chips are manufactured in Taiwan. The AI models reshaping every industry are trained on infrastructure concentrated in a handful of US data centers. The collaboration tools most knowledge workers touch daily are subject to US jurisdiction, including the CLOUD Act, which allows American authorities to compel access to data held by US providers regardless of where that data physically sits.
None of this started as leverage. It became leverage because the world order shifted underneath it. And in February 2026, a US State Department cable made the subtext text: diplomats were instructed to push back against foreign data sovereignty laws that might limit the reach of American cloud and AI companies. Technology access is a bargaining chip. Nations that build alternatives are disrupting American interests. That was the message.
And this dynamic extends beyond digital infrastructure into physical supply chains. In biotech, the vast majority of US pharmaceutical companies depend on imported active ingredients, and China dominates global API supply for pharmaceuticals. The BIOSECURE Act, passed in late 2025, was designed specifically to sever that reliance. South Korea created a National Bio Committee to advance biotechnology sovereignty. The same pattern, playing out sector by sector: concentration creates leverage, and leverage eventually gets used.
This Is Not Just a US-China Story
The temptation is to frame this as a superpower contest. US versus China. That framing is comfortable, and it is incomplete.
Taiwan's semiconductor dominance creates a chokepoint that affects every nation on earth. Bloomberg Economics estimates that a conflict involving Taiwan would cost the global economy roughly $10 trillion, more than COVID-19. TSMC's advanced packaging capacity, critical for every major AI accelerator, is fully booked through 2026. The world's most important supply chain runs through a 180-mile-wide strait that is also one of the most contested waterways on the planet.
Europe is waking up to its own vulnerability, and the urgency is real. At the November 2025 Berlin Summit on Digital Sovereignty, President Macron was blunt: Europe must refuse to be a "vassal" of the US or China in technology. He warned that having the best regulations means nothing if you do not have the companies, and called for European preference to become the guiding principle in public procurement. At Davos in January 2026, he went further, cautioning against passively accepting the law of the strongest. Whether or not you share Macron's framing, the political momentum behind it is real. A head of state using the word "vassal" about the current technology relationship with the US is not diplomatic posturing. The ground has shifted.
The response is already underway. Denmark began piloting open-source alternatives to Microsoft Office for government employees. Gartner projects European sovereign cloud spending will more than triple to $23 billion by 2027.
To be clear, this is not a story of European helplessness. Europe has significant technology strengths of its own. SAP runs the ERP backbone for a vast share of the Fortune 500. ASML, a Dutch company, holds a total monopoly on the EUV lithography machines without which no advanced chip can be manufactured. Arguably more critical than TSMC, since TSMC itself cannot function without ASML's equipment. The problem is not that Europe lacks technology. The problem is that Europe's strengths sit in specific layers while its reliance on US platforms runs through the infrastructure underneath.
I also carry a memory that adds a caution. I worked in the Netherlands before the EU had fully taken shape, and I remember what the alternative looked like: competing national policies, protectionist instincts, duplicated infrastructure, slower growth. Integration was messy and imperfect. It was also better than what came before it, not just for Europe but for everyone who traded with it, built on it, or depended on it. Sovereignty is a legitimate goal. But it comes with a price that its loudest advocates rarely acknowledge: fragmented markets, duplicated effort, and slower innovation. Technology leaders will be the ones who absorb that cost.
Only about 16% of European technology leaders surveyed believe digital sovereignty is achievable within five years. And here is the central paradox that nobody has resolved: Europe wants to reduce its reliance on US technology while still needing US cooperation on trade and defense. You do not untangle that at a summit. You untangle it over a decade, if you start now.
The Honest Tradeoffs of Diversification
De-risking sounds straightforward. Spread your bets. Use multiple cloud providers. Source chips from diverse fabs. Build on open standards.
In practice, it is significantly harder than that, and I think we do each other a disservice by pretending otherwise.
Over 92% of large enterprises report operating across multiple cloud environments. That statistic sounds reassuring until you look underneath it. Operating across clouds is not the same as being portable across them. Most organizations have deep integration with a primary provider’s proprietary services: identity systems, data pipelines, serverless functions. Switching costs are enormous. True cloud-agnostic architecture (the kind that gives you a credible escape route, not just a backup plan) requires deliberate engineering investment that most organizations have not made and many CTOs cannot justify in a quarterly planning cycle.
The semiconductor picture is even starker. TSMC is investing $100 billion to build new fabs in the United States. Intel, Samsung, and others are expanding capacity globally. But a leading-edge fabrication plant takes three to four years to build and costs upward of $10 billion. TSMC’s Arizona facility will not reach 2nm volume production until 2030. Meanwhile, AI demand is making the concentration worse, not better.
There is also an irony worth sitting with. Taiwan’s semiconductor dominance is itself a deterrent, a “silicon shield” that makes military action against the island economically unthinkable. As manufacturing capability spreads globally, that shield weakens. The very diversification intended to reduce risk may reshape the calculus of conflict in ways we have not fully thought through.
Five Dimensions of Technology De-Risking
A practical framework for reducing geopolitical exposure in your technology stack.
Know your jurisdictional exposure
Most organizations know which vendors they use. Far fewer have mapped which legal jurisdictions actually govern those relationships. This matters in every direction. If your data sits in a European data center operated by a US-headquartered company, it is subject to US law. If you are a US company that licensed an enterprise platform headquartered in another country because the per-seat cost was lower or the engineering talent was cheaper, you may have opted into that nation's policy, legal, and trade framework without anyone in the room naming it as a risk. And the exposure does not stop at your direct vendors. If your European cloud provider runs on American hyperscaler infrastructure underneath, your sovereignty is a label, not a reality. Map beyond tier one. Before you can de-risk anything, you need an honest inventory: not just what you use, but who governs it, and who governs them.
Separate tactical from structural dependencies
Not all dependencies carry equal risk. A project management tool hosted in another jurisdiction is a tactical dependency, inconvenient to replace but survivable. Running your entire identity and access management layer on a single provider's proprietary platform is structural, the kind that creates existential switching costs. Focus your de-risking energy on the structural layer: compute, data, identity, and the AI models embedded in your products. And watch for tactical dependencies that quietly become structural through accumulation. A collaboration suite that starts as a convenience and ends up holding your institutional knowledge is no longer tactical.
Invest in portability, not just redundancy
Multi-cloud is necessary but insufficient. The real investment is in portability: container-based workloads, open APIs, abstracted data layers, infrastructure-as-code that deploys across environments. This is expensive, unsexy engineering work. But it is the difference between having a backup plan and having an escape route. Portability is also a people problem. If your entire team is certified, trained, and experienced in a single vendor's ecosystem, you can have perfectly portable architecture and still be unable to move. Skill concentration is a form of lock-in that does not show up in architecture diagrams. And watch the commercial layer: multi-year enterprise agreements, volume commitments, and punitive egress fees can make switching financially impractical even when it is technically feasible. Fund resilience as an explicit line item, not something squeezed into optimization budgets.
Design for regulatory divergence
The EU's AI Act, China's data localization requirements, national sovereignty laws, sector-specific compliance regimes: these are creating a regulatory patchwork that will only grow more complex. Build your architecture to accommodate divergence by design. Data residency controls, modular compliance layers, the ability to isolate workloads by jurisdiction. These are no longer nice-to-haves. They are architectural requirements.
Treat AI model dependency as a first-order risk
As organizations embed AI models into core products and decisions, they are creating deep dependencies on a small number of providers. What makes this different from other structural dependencies is the speed. AI adoption is outpacing most organizations' ability to evaluate the jurisdictional, contractual, and operational risks they are taking on. If a provider changes its terms, restricts access, or becomes subject to export controls, the downstream impact is immediate. This applies regardless of where you sit: a European company relying on American AI infrastructure faces the same structural risk as an American company dependent on foreign semiconductor supply. Evaluate whether your AI strategy allows for model substitution. Invest in abstraction layers. And pay serious attention to the open-source AI ecosystem, which may offer the most credible path to reducing single-provider concentration.
What You Actually Do About It
Whether you are a CIO in São Paulo, a CTO in Stockholm, or a technology director in Singapore, the challenge is the same. You need a way to evaluate and reduce technology exposure that is practical, not paranoid.
I keep coming back to five dimensions that matter most: jurisdictional exposure, the distinction between tactical and structural dependencies, genuine portability (not just redundancy), regulatory divergence, and AI model concentration. Each of these deserves serious attention, and I’ve laid out a more detailed framework alongside this article. But the dimensions themselves are not the hard part. Most technology leaders, once they see the list, recognize the gaps in their own organizations immediately.
The hard part is the question underneath: how much dependency are you willing to accept, and from whom?
Zero dependency is not achievable and probably not desirable. The global technology ecosystem is interconnected for good reasons. Specialization drives innovation. Shared infrastructure reduces costs. Interoperability enables collaboration. The goal is not autarky. It is what I’d call informed asymmetry, understanding where your dependencies lie, what leverage they create for others, and having credible alternatives for the ones that matter most.
This requires a shift in how we evaluate technology decisions. It is no longer sufficient to assess vendors on capability, cost, and reliability. You now need to evaluate them on jurisdiction, portability, and the geopolitical alignment of their home nation. A decade ago, that would have sounded paranoid. But it is an accurate description of the world we are operating in, and pretending otherwise does not make your organization stronger.
What Comes Next
Forrester’s 2026 outlook puts it well: volatility is no longer a temporary disruption. It has become the operating environment. The organizations that thrive will be the ones that stop treating geopolitical risk as someone else’s problem and start building it into the architecture of their technology decisions.
There is good news. Awareness is rising. European governments are investing at unprecedented scale. Over $450 billion in private semiconductor investment has been catalyzed by the US CHIPS Act. Open-source alternatives to proprietary platforms are maturing. Multi-cloud and cloud-agnostic patterns are becoming genuine engineering disciplines, not just conference talking points.
But the window for comfortable, incremental change is closing. The technology decisions you make in the next two to three years will shape your organization’s capacity to adapt for the next decade. Unlike most technology investments, these cannot be evaluated purely on a traditional ROI. They require a theory of the world, a view on which relationships will hold, which governments will act predictably, and which dependencies are worth the risk.
Your technology stack is not neutral. It never was. The question is whether you are making that choice deliberately, or having it made for you.
