For companies

The threats you are preparing for

Digital Preparedness

13 min read
Share
The threats you are preparing for
Photo by Gregoire Jeanneau / Unsplash

Not all disruptions are the same. Companies that prepare for "cloud going down" as a single scenario are preparing for the wrong thing. Disruptions differ in speed (how fast they hit), warning (whether you see them coming), duration (hours vs. months), reversibility (whether the situation resolves itself), and scope (one provider vs. the entire US tech stack). These differences determine which chapters of the guide matter most and how aggressively you should invest in each area.

The threats fall into two distinct families that demand fundamentally different responses.

Family 1: Environment poisoning

In these scenarios, the infrastructure still works. You can log in, deploy, and serve customers. But the conditions around your infrastructure have changed in ways that make it hostile, unsafe, or economically unviable. The disruption is often invisible or gradual, which makes it more dangerous: there is no single moment that forces action, only a slow degradation that becomes irreversible if ignored too long. The preparedness response is about optionality and strategic repositioning: retaining the ability to move before the window closes.

1A State-sponsored commercial espionage via cloud access

Scenario: Your company develops proprietary algorithms for industrial optimization. Eighteen months after a competitor launches a suspiciously similar product, a leaked intelligence document reveals that your cloud provider was served with a classified data access order under a foreign surveillance law. Your R&D data, customer lists, and strategic plans were accessed systematically. Your cloud infrastructure never went down. Your monitoring never triggered. There is no breach: neither technical nor legal. By the time you know, the damage is done and your competitive advantage has been transferred to a rival that had access to your roadmap for over a year.

A foreign government exploits its legal authority over domestic cloud providers to access company data for commercial purposes. Not national security, but industrial advantage. Data is exfiltrated silently, shared with domestic competitors, and used for IP theft, competitive intelligence, or talent poaching. The provider may be unaware, complicit, or legally compelled and gagged. The company discovers the breach months or years later, if at all.

Ex: In 2014, documents leaked by Edward Snowden revealed that the NSA had conducted surveillance operations against Airbus, intercepting internal communications related to major contract negotiations. The intelligence was reportedly shared with US competitors. More broadly, Section 702 of the US Foreign Intelligence Surveillance Act grants US intelligence agencies the legal authority to compel US-based cloud providers to disclose data belonging to non-US persons, without notifying the data owner and without requiring individual judicial approval. European companies storing sensitive data on US-controlled infrastructure are operating within a legal framework that explicitly permits this kind of access. 

This is the only scenario in this taxonomy where the threat is silent. It makes the data preparedness chapter relevant in a different way: not "can you retrieve your data?" but "should your most sensitive data be there at all?"

1B Punitive taxation or economic retaliation targeting digital services

Scenario: After the United States launches a hostile takeover attempt on ASML through a coerced acquisition mechanism, the EU retaliates with a 100% emergency levy on all payments to US-headquartered cloud and SaaS providers, effective within 90 days. Your annual AWS bill goes from €400K to €800K overnight. Salesforce, Microsoft, AWS, Stripe, Datadog, GitHub, Slack, every US SaaS subscription is now twice as expensive. No service is blocked. Everything still works. But your unit economics are destroyed, and your board is demanding a migration plan you do not have.

A government imposes sudden, aggressive taxation on foreign digital services. Not as gradual trade policy, but as a retaliatory or coercive measure in a broader economic conflict. The services do not disappear overnight, but they become economically unviable. Unlike sanctions, this does not trigger immediate provider compliance actions. Instead, it creates a slow squeeze: costs spike, margins collapse, and the business case for remaining on the platform evaporates.

Ex: In January 2026, as tensions escalated over Trump's renewed claims on Greenland, the European Union drew up a sanctions plan that could target major American technology companies including Google, Microsoft, Meta, and X, as well as US banks and financial institutions operating across the 27-member bloc. France pushed for the EU to invoke its Anti-Coercion Instrument, which could see the EU restrict US suppliers' access to the EU market, exclude them from public tenders, and impose export and import restrictions on goods and services. The situation de-escalated, but the contingency plans were drawn, the legal instruments identified, and the political appetite tested. The next crisis may not de-escalate.

The disruption is economic, not technical. Everything functions perfectly. You simply can no longer afford it.

1C Digital infrastructure throttling and resource discrimination

Scenario: Your product relies heavily on a US-hosted large language model for its core workflow. Over a period of weeks, you notice increasing latency, more frequent rate-limiting, and occasional "capacity unavailable" errors during peak US business hours. A competitor based in the US, using the same model, reports no issues. Then the provider announces a new "priority access" tier, available only to companies incorporated in the US or allied countries. Your access is not revoked, just deprioritized. Your product is now measurably slower than your competitor's, and your customers are starting to notice.

Read more