The end of cheap IT. How will NIS2 and the CRA affect service prices in Poland?

The global network is currently undergoing unprecedented fragmentation, which is dividing the digital ecosystem along political fault lines and forcing the Polish IT sector to undergo a fundamental transformation. In the coming years, a drastic increase in regulatory costs and stringent supply chain security requirements will cause the current cost arbitrage to give way to business models based on certified trust.


For most of its short history, the Internet was seen as a borderless space: a unified ecosystem in which innovation and capital could flow freely regardless of geographical barriers. Today that vision is breaking down. Policy makers and governments are increasingly intervening in the network's architecture, producing the so-called "Splinternet", a fragmentation of the global digital world along political and ideological lines of demarcation.

For the Polish IT services sector, which has spent the past decades building its position on free global trade and exported US$16.85 billion worth of services in 2023, the years 2026-2030 imply a complete transformation. The old cost arbitrage is running out of road, and certified security and sovereignty are becoming the only currency that still buys top margins in Western markets.

Compliance costs: Regulatory tsunami from Brussels

Regulatory risk management has ceased to be the domain of legal departments alone, becoming a key factor affecting the profitability of software houses. The European Union, in its quest for independence, has imposed an unprecedented legal corset on companies.

As of the beginning of April 2026, the amended Act on the National Cybersecurity System (KSC), which implements the EU NIS2 directive, is in force in Poland. The key change is that responsibility now extends far beyond the organisation itself, straight into its supply chain. Essential (in the Polish act, "key") and important entities must rigorously audit their IT suppliers, which pushes the security requirements down onto Polish software companies and brings precise contractual clauses on audit rights, incident reporting and security obligations into ordinary service contracts.

Alongside it looms the Cyber Resilience Act (CRA), a regulation that covers not only corporate infrastructure but the software itself. It mandates security by design for all products with digital elements placed on the EU market. From September 2026, manufacturers will be obliged to report actively exploited vulnerabilities and severe security incidents, with an early warning due within 24 hours of becoming aware of them and fuller notifications following on fixed deadlines. The stakes are high: fines for non-compliance with the CRA can reach €15 million or 2.5% of global annual turnover, whichever is higher, which forces deep changes to the software development life cycle (SDLC).

The cost of adaptation for small and medium-sized enterprises (SMEs) in IT will be steep. Vulnerability analyses, tool upgrades (for example the purchase of vulnerability scanners) and continuous monitoring (a SOC) alone are estimated to generate operational and capital expenditure that can easily exceed several hundred thousand euros in the first year of implementation [4].

The geopolitics of source code: Open source software under the magnifying glass of counterintelligence

Network fragmentation is not just about data flows – it goes to the absolute basics of building today’s applications. The foundation of modern IT is open-source code, on which more than 90% of Fortune 500 corporations rely. Unfortunately, in the reality of deep geopolitical tensions, this is the Achilles’ heel of Western economies.

A security audit of software bills of materials (SBOMs) commonly used in the US energy sector, validated by Western analysts, found that as many as 90 per cent of the products examined contained code contributed by developers with links to Russia and China. In the current climate such dependencies are treated as ticking bombs in the software supply chain. For this reason, contracts with US corporations now carry Cyber Supply Chain Risk Management (C-SCRM) requirements, and platforms that use OSINT to trace the possible Russian or Chinese connections of each component are employed to audit vendors in Central Europe.
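The screening described above, as an added example that is not part of the original article and not the code of any named audit platform: an SBOM does not record who maintains a package or where they are based, so a provenance check has to join the BOM against an external enrichment table (the OSINT step the text mentions). The script below parses a constructed CycloneDX-style SBOM, joins each component's package URL against a constructed provenance table, and buckets components as denied, unknown or cleared. The SBOM contents, the provenance table and the deny list are all hypothetical; the one design point worth taking away is that missing provenance is reported on its own and fails the gate by default, because an empty record is a data gap, not evidence of a clean dependency.

```python
"""Provenance screen over a CycloneDX-style SBOM (added example, not from the article).

Assumptions, all hypothetical: the SBOM is a CycloneDX 1.5 JSON document, the
provenance table mapping package URLs (purls) to a maintainer jurisdiction comes
from an external OSINT enrichment step, and the deny list is set by the contract.
"""
import json
from dataclasses import dataclass, field

# Constructed sample SBOM in CycloneDX 1.5 shape; not any real product's BOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastjson-lite", "version": "2.1.0",
         "purl": "pkg:maven/org.example/fastjson-lite@2.1.0",
         "supplier": {"name": "Example Labs"}},
        {"type": "library", "name": "netbuf", "version": "0.9.3",
         "purl": "pkg:pypi/netbuf@0.9.3"},
        {"type": "library", "name": "cryptoutil", "version": "4.0.1",
         "purl": "pkg:npm/cryptoutil@4.0.1",
         "supplier": {"name": "Acme OSS Foundation"}},
        # No purl at all: the enrichment step has nothing to key on.
        {"type": "library", "name": "orphaned-lib", "version": "1.0.0"},
    ],
})

# Constructed enrichment table: purl -> jurisdiction of the primary maintainer,
# as a hypothetical OSINT step might produce it. Missing keys mean "not found".
PROVENANCE = {
    "pkg:maven/org.example/fastjson-lite@2.1.0": "DE",
    "pkg:pypi/netbuf@0.9.3": "RU",
    "pkg:npm/cryptoutil@4.0.1": "US",
}


@dataclass
class Finding:
    component: str
    reason: str


@dataclass
class Report:
    denied: list = field(default_factory=list)
    unknown: list = field(default_factory=list)
    cleared: list = field(default_factory=list)


def screen_sbom(sbom_json: str, provenance: dict, denied_jurisdictions: set) -> Report:
    """Classify every component in the BOM as denied, unknown or cleared.

    Unknown provenance is kept apart from denied provenance: a missing purl or
    an enrichment miss is a data-quality gap, not evidence that the code is safe.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    report = Report()
    for comp in bom.get("components", []):
        label = f'{comp.get("name")}@{comp.get("version")}'
        purl = comp.get("purl")
        if not purl:
            report.unknown.append(Finding(label, "no purl; provenance cannot be resolved"))
            continue
        jurisdiction = provenance.get(purl)
        if jurisdiction is None:
            report.unknown.append(Finding(label, f"no provenance record for {purl}"))
        elif jurisdiction in denied_jurisdictions:
            report.denied.append(Finding(label, f"maintainer jurisdiction {jurisdiction} is on the deny list"))
        else:
            report.cleared.append(Finding(label, f"maintainer jurisdiction {jurisdiction}"))
    return report


def contract_gate(report: Report, tolerate_unknown: bool = False) -> bool:
    """True if the BOM may ship under the contract. Unknowns fail closed by default."""
    if report.denied:
        return False
    return tolerate_unknown or not report.unknown


if __name__ == "__main__":
    rep = screen_sbom(SAMPLE_SBOM, PROVENANCE, {"RU", "CN"})
    for bucket in ("denied", "unknown", "cleared"):
        for finding in getattr(rep, bucket):
            print(f"{bucket:8} {finding.component}: {finding.reason}")
    print("gate:", "PASS" if contract_gate(rep) else "FAIL")
```

Run against the sample data, the script flags one denied component, one with unresolvable provenance, two cleared, and fails the gate. The `tolerate_unknown` switch exists only so the distinction is explicit in the contract: a customer demanding a "clean" supply chain should be told which components could not be traced rather than have them silently counted as cleared.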

Talent management versus ‘Geofencing’: The new Berlin Wall

Poland has been a great beneficiary of eastern engineering talent for years. The full-scale invasion of Ukraine and the grip of the regime in Minsk have intensified the phenomenon of migration of skilled programmers. At the beginning of 2024 alone, there were nearly 116,000 Belarusian citizens with residence permits in Poland, and the number of Ukrainian specialists and companies has grown dramatically.

However, this pool of talent runs into a hard digital wall. Countries such as the UK and the US are imposing strict access restrictions (security clearance requirements) on defence projects and critical infrastructure. The US Department of Defense has implemented the updated CMMC 2.0 certification (in effect since 10 November 2025), which shuts entities that cannot demonstrate the required security controls out of access to Controlled Unclassified Information (CUI). Similarly, the British typically grant their key Security Check (SC) clearance only to individuals who have continuously resided in the UK for at least five years. In practice this excludes recently arrived engineers from the East from working on such projects.

Western governments are acutely wary of uncontrolled proliferation of access. The British public was shaken by the recent scandal in which it emerged that some of the software supporting nuclear submarine infrastructure had been written under covert subcontracting by developers located in Minsk and Siberia. The consequence of such crises is enforced "geofencing": a strict policy of blocking access to repositories, development tools and production environments based on the geolocation of IP addresses from excluded countries. Because IP geolocation alone is easily defeated by a VPN, such policies are only meaningful when paired with identity and device controls that tie every session to a vetted person on a managed machine. Polish software houses wishing to retain lucrative contracts with Anglo-Saxon defence or banking institutions must therefore create so-called "clean rooms": segregated, rigorously controlled working environments reserved for engineers with documented Western credentials.

Winning Strategy: Moving from Nearshoring to Trust-shoring

Despite all these regulatory and geopolitical burdens, the Splinternet and the fragmentation of global commerce is not only a threat to the Polish IT industry, but a huge opportunity to rise to the top league of service providers.

The tariffs imposed by the US on China, among others, exceeding 100% on many components, have effectively killed the previous 30-40% cost advantage of Asian markets. Western giants, in a panic, are diversifying risks, shifting operations to safer waters as part of a strategy of so-called ‘friend-shoring’ – i.e. locating production and services within the borders of allied countries sharing the same geopolitical values. Poland, as a mature democracy and a strong member of NATO and the EU, is an absolute beneficiary of this trend.

However, in order to capitalise on this opportunity in the 2026-2030 horizon, Polish technology organisations need to stop competing on price alone or on supplying cheap labour (body leasing). The new strategy is "trust-shoring". Management must translate the substantial certification costs that follow from the CRA and NIS2 directly into service price lists and present them to customers as a prepaid policy guaranteeing uninterrupted operational continuity. Customers in New York, London or Paris will readily pay a technology premium for supply chains that are resilient, "clean" from an intelligence standpoint and fully transparent. Those in CEE who are quickest to build the rigours of the Digital Iron Curtain into their structures will capture the market share vacated by the global slowdown in Eastern markets.
