Geopolitics and related crises are revealing how quickly disruption can cascade across cloud, telecoms and supply chains – forcing CIOs to rethink Disaster Recovery.
Geopolitical tensions have increased around the world. While the Russian-Ukrainian conflict initially did little to change disaster recovery practices in ‘safe’ locations, the war in the Middle East served as the ultimate wake-up call, causing more CIOs to reexamine the scope of their Disaster Recovery (DR) plans. CIOs are discovering that the assumptions behind these plans no longer hold.
Traditional planning often underestimates rare and extreme events because it is built around ‘known knowns’ – predictable risks and timeframes. Geopolitical disruptions, by contrast, are rarely contained. A failure in one domain can rapidly escalate into supply chain constraints, regulatory changes and connectivity issues.
The illusion of an infinite cloud and the physical density of infrastructure
Most organisations have based their resilience on hybrid cloud architecture, believing in its reliability. In recent years, giants such as Microsoft Azure, Google Cloud and AWS have invested in building massive data centres around Warsaw. While this increases local digital capacity and provides data residency, the density of these centres makes the entire region highly vulnerable to service disruption.
From the point of view of military strategy, such a concentration of critical infrastructure is an attractive target for sabotage operations. Incidents such as drone damage to cloud facilities in the Middle East demonstrate that the line between nation-state and private enterprise dynamics has blurred irrevocably. No organisation – from the Big Tech sector to local businesses – should consider itself safe from a direct hit.
Enterprises have redundancy, but rarely test the ultimate scenario: what happens when everything fails at once? The six-hour Cloudflare outage of 2025 made the industry realise that the loss of one commonly used network node cripples thousands of seemingly unrelated applications. Getting the infrastructure up and running completely from scratch from physical backups in a new location can take six months to a year, rather than a few days as optimistic plans assume.
Shock to supply chains and the race for resources
Another surprise for DR plans is the severity of infrastructure constraints. A world where computing capacity seemed limitless has given way to the reality that silicon and power are being rationed. Due to the rise of artificial intelligence, organisations are facing massive deficits in graphics processing units (GPUs). This phenomenon is compounded by the ongoing supply shock – after Russia’s aggression in Ukraine, nearly half of Polish companies indicated broken supply chains, forcing the search for hardware replacements and new suppliers.
The answer to these pain points must be radical operational optimisation. Sophisticated companies are beginning to treat computing power as a fluid resource, dynamically moving workloads between providers based on cost and availability. IT inference and operations are becoming ‘geo-agnostic’ – workloads must be able to migrate freely wherever resources are most stable at any given time.
Hybrid threats: fragile fibre optics and satellite communications
In the CEE region, threats go far beyond digital borders. Reports from the Baltic Secret Service warn of systematic reconnaissance by foreign intelligence in the energy and telecommunications sectors. The pre-positioning technique involves infecting industrial systems with malware long before a conflict erupts. At the point of escalation, the impact is simultaneous.
The physical sabotage of fibre-optic cables and gas pipelines at the bottom of the Baltic Sea further proves how fragile the basic transport layer of the internet is. Commercial disaster recovery environments become useless when power and connectivity are lacking in the region. Therefore, in today’s geopolitical climate, business continuity plans must include technologies that are independent of terrestrial infrastructure.
A prime example of this is the role of satellite constellations – the Polish state donated nearly 30,000 Starlink terminals to wartime Ukraine, becoming its largest supplier and securing the continuity of the infrastructure there. This wartime lesson means that satellite communications are now permanently entering civilian business continuity textbooks.
Regulatory tsunami: Cyber security as a board responsibility
The new reality forced powerful changes in the law, which ultimately transformed DR plans from an IT support function into a business responsibility. In April 2026, an amendment to the Polish law on the National Cyber Security System (KSC2) came into force, implementing the EU NIS2 directive.
Thousands of Polish companies in more than a dozen new sectors (including postal, food, waste or digital services) have been affected by the regulations. Company boards can no longer shift full responsibility to CIOs. The new law requires executives to personally approve and supervise cyber security policies.
The penalties for disregarding the business continuity obligation are gigantic – up to €10 million for key entities. There are also severe financial penalties directly hitting the personal assets of board members, and there are discussions at EU level about temporary bans on executives in extreme cases of violations. At the same time, the financial sector faces the rigours of the DORA regulation, which enforces Threat-Led Penetration Testing (TLPT) to verify banks’ preparedness for simulated attacks by sophisticated hacking groups.
Disaster Recovery – Resilience as a cross-functional capability
True operational continuity in an era of polycrisis depends on an organisation’s ability to redistribute work quickly. If a region becomes conflict-ridden, the priority becomes the safety of employees and their swift relocation (as evidenced, for example, by the Poland Business Harbour programme supporting the evacuation of talent from the East, even given its subsequent framework and suspensions).
Cascading failures must now be assumed as a standard element of operational risk. Today, the naive belief that an IT incident will be quickly brought under control is a greater risk than the physical outbreak of the conflict itself.

