Recent threat assessments from Danish military intelligence highlight a structural shift in the global technology and security landscape. Public statements and communications from the U.S. executive leadership have reinforced this assessment, leaving little doubt about a willingness to pursue national interests unilaterally, including actions that undermine established alliances.
For European companies, this shift has immediate implications for how critical digital infrastructure is sourced, governed, and controlled. A significant share of corporate digital infrastructure is concentrated with U.S. technology providers operating under U.S. jurisdiction.
This is not a question of past decisions being wrong. Previous technology and sourcing strategies were rational under a different geopolitical reality, driven by functionality and efficiency, shaped by default market choices and vendor pressure, rather than deliberate strategic positioning or long term value creation. That reality no longer holds. Dependencies that were once considered acceptable now constitute direct strategic exposure. For Danish and EU companies, this requires explicit risk reassessment and, where relevant, renewed risk acceptance at board level, extending beyond an IT driven focus on functionality and preference.
The Danish Defence Intelligence Service’s Udsyn 2025 identifies three developments of particular relevance to corporate leadership:
- Technology as a geopolitical lever – Economic and technological dependencies are increasingly used to influence allied states and organisations, undermining assumptions of neutrality and insulation from political pressure.
- Long term exposure of encrypted data – Adversaries are already collecting encrypted information for future decryption once quantum capabilities mature. For organisations with long data retention horizons, this is a present risk, not a future one.
- Escalating cyber and hybrid threats – Cyber operations and hybrid influence are now persistent features of the security environment, making digital resilience a board level responsibility.
Taken together, these developments provide a clear indication that a structured risk assessment is the minimum required to understand organisational exposure. For financial services institutions and other operators of critical infrastructure, EU regulatory frameworks such as DORA and NIS2 make this a board level governance requirement.
The assumption that large U.S. technology providers operate independently of U.S. state interests is increasingly difficult to defend. U.S. technology providers, including their senior leadership, operate under U.S. jurisdiction and government authority, with no realistic capacity to resist binding political or legal directives.
Denmark is not uniquely exposed. The same dependencies exist across the EU. Denmark has articulated the risk openly. The exposure is shared.
Implications for the Board and Executive Management
This development requires a reassessment of technology strategy through a sovereignty and resilience lens, specifically whether the organisation can maintain control and continue operations independently under adverse geopolitical conditions. This is a shared responsibility between the board and executive management, with clear expectations on governance, risk ownership, and execution.
At Conformance, we have acted on this assessment by migrating core services away from U.S. Big Tech toward European providers, including German T Systems, and by engaging with Danish DCAI Gefion to support sovereign workloads in regulated industries.
Boards should expect management to:
- identify critical dependencies on non European technology
- assess exposure to jurisdictional and geopolitical risk
- present credible European alternatives where appropriate
- treat digital sovereignty as a strategic risk topic, not an IT preference
Failure to address this is not a technical oversight. While organisations remain free to choose their approach, inaction itself constitutes a risk. At a minimum, a structured risk assessment is required to understand the specific exposure of the individual organisation.
How We Can Help
At Conformance, we are uniquely positioned to support financial services institutions and NIS2 regulated organisations in addressing these issues. We combine deep technical insight with hands on experience working with sovereign European providers, senior executive experience, and a strong understanding of corporate governance, operating models, and regulatory requirements. This enables us to provide an independent, pragmatic outside in perspective, free from IT bias and vendor driven preferences.
We support organisations both in establishing a clear and defensible risk acceptance position and in defining pragmatic paths to reduced dependency. Our role is not to promote or exclude specific vendors, but to assess whether risks can be adequately controlled, including scenarios where services can be operated on sovereign infrastructure without external jurisdictional control. The objective is improved control, regulatory defensibility, and executive level clarity.
We can help, just reach out.