Awareness

7 Policy Dimensions Shaping Our Digital Future

Published  ·  15 min read

There have been large changes to the Internet in the last few decades. Twenty years ago the focus of digital policy was on spam filtering and domain names. Ten years ago digital policy was about net neutrality and copyright issues.

Today’s digital policy decisions could have an effect on whether your private information can be moved across international borders or if an AI has the right to deny you a business loan, as well as whether companies will be held responsible for the things their users post.

Governments aren't catching up to technology anymore because they are actively creating the future of technology.
There are seven policy dimensions that will affect our lifestyles, job security, and personal security in the digital environment.

Dimension 1: Data Sovereignty – Where Is My Data Stored?

Data sovereignty indicates the impact on how your company's data (whether stored in a particular location) will be treated by the data laws of that country. 

What's changed?
Countries are now requiring that data pertaining to their citizens remain in their own country. Both Russia and China have required that data be stored locally for some time, and now there are constantly more countries such as the European Union, India, Brazil, and many other developing countries, making the same demands of businesses. 

India's Digital Personal Data Protection Act requires all sensitive (but not all) data to be stored within India; Brazil's Lei Geral de Proteção de Dados Act (LGPD) has similar requirements; as do an increasing number of states (CA & VA) in the USA.

Why it matters for your business:

Challenge

Implication

Data localization

You cannot centralize global data in one region

Cross-border transfers

Moving data between countries requires legal mechanisms (SCCs, BCRs)

Cloud vendor selection

Your cloud provider must offer in-region storage

Incident response

Breach notification deadlines vary by country


What is coming:
The trend for countries to establish their own data protection laws will continue. Rather than harmonising data protection laws internationally, fragmentation will continue to be the dominant trend. Your organisation will need a robust method for mapping and routing data based on user location.

Dimension 2: Governance of AI – Who Regulates What AI Can Do do

AI Governance is the set of regulations that govern the creation, deployment and oversight of AI Systems.

What is changing:
The AI Act of the EU will be the world's first all-encompassing regulatory framework for AI. It will classify AI Systems according to risk.

Risk Level

Examples

Requirements

Unacceptable

Social scoring, real-time biometric surveillance

Prohibited

High-risk

Hiring algorithms, credit scoring, medical diagnosis

Conformity assessments, human oversight

Limited

Chatbots, deepfakes

Transparency obligations

Minimal

Spam filters

No additional requirements

China has introduced a set of regulations concerning deepfake technology, which includes both watermarking and the need to supply your real name as part of the registration process. In response to the risks associated with Artificial Intelligence (AI), the United States has created new executive orders concerning AI safety and has obtained voluntary compliance from many of the major artificial intelligence (AI) developers regarding their products.

This will impact your business because if you are using AI for hiring, customer service support, or to moderate user content, you are legally required to adhere to applicable laws. If you use high-risk AI, you will also have increased responsibilities to record your AI use, explain the operation of AI and assess AI risk and if humans should have involvement in decision-making. You could face large fines for not complying with these rules.

What is coming:
More jurisdictions will continue to pass legislation regarding AI. The EU's method of assessing risk for AI will be adopted in additional jurisdictions. Therefore, organisations will require to develop an inventory of their AI and a governance framework before the commencement of enforcement.

Dimension 3: Platform Accountability – Who Is Liable for User Content

Determining how accountable online platforms are regarding user posted content.

What's Changing:
For decades, the US Communications Decency Act Section 230 has provided platforms with protection. The protection afforded under this statute has been eroding over time, due to recent legislative measures such as EARN IT Act, SAFE TECH Act and in some states removal of immunity from certain kinds of content.

The EU's Digital Services Act (DSA) has taken a different approach by requiring platforms:
1. To remove illegal content within 24 hours after receiving notice
2. To publish transparency reports regarding their Content Moderation processes
3. To submit to annual risk management audits
4. To provide access to data to researchers

The UK's Online Safety Act contains a duty of care obligation upon platforms to reduce the incidence of illegal or harmful content.

Importance to your Business:
If you have any online platform that allows user-generated content, such as forums, reviews, comments or social features, you will have new liabilities associated with that service. The requirement to moderate user-generated content is no longer an optional service offered by a platform, but rather a mandatory service under the law.

What's Next:
The global trend is toward increase platform liability rather than decrease; therefore, expect to see a development of a standardized process regarding notice and action and a required risk assessment for more significant platforms.

Dimension 4: Cross-Border Data Movement – Splintering of the Internet

International data flow regulations will establish free transfer of information across borders.

What is going on at this time: The EU-U.S. Data Privacy Framework (DPF) provides a new way for the EU and the U.S. to share data across the Atlantic since the National Security Agency's (NSA) data collection program, known as the Privacy Shield Program also has recently been struck down by a court.

The Data Protection and Privacy (DPF) have not yet been implemented, making it a legal case in the courts.

China has now enacted its Personal Data Protection Law (PIPL) that prohibits the transfer of any data outside China without government approval and similarly, in Russia, all data belonging to Russian citizens must remain in Russia. In India, new legislation has been enacted to safeguard Indian citizens’ data and regulate transfers of personal data to other countries. Many other nations have also either passed such laws, or are working to create them, in order to ensure the protection of their own citizens' data.

How this affects your organization:
Regional compliance waters may be a concern for you if you rely on global vendors (cloud-computing), provide products that are sold globally (SaaS) or do business in countries that follow a regional legislation approach to data protection. Since information/data flows from your HR system, CRM, and analytical tools through jurisdictions of differing country/region authorities, you cannot afford to break the data transfer regulations in any of the countries in which you conduct business.

You have three alternatives to comply with the data transfer requirements:
1. Standard Contractual Clauses (SCCs) - European Union-approved standard contracting documents.
2. Binding Corporate Rules (BCRs) - Standards for internal data transfer for multinational corporations.
3. Adequacy decisions – Countries the EU deems "safe" (limited)

What is coming:
Data transfers will become slower and more expensive. "Data friction" is the new reality. Organizations should design systems that keep data in region by default and move only what is legally permitted.

Dimension 5: Cybersecurity Regulation - From Voluntary to Mandatory

Cybersecurity regulation is going from being best practice guidance to having legal requirements that can be enforced with penalties.

What is changing:
The EU is expanding current regulations for more companies and industries through the NIS2 Directive. This includes: reporting cybersecurity incidents within 24 hours of occurrence; supply chain security; and executives will be held liable for noncompliance.

Hardware and software manufacturers will be required to provide security patches for products, as well as report any exploited vulnerabilities under the Cyber Resilience Act (CRA).

In the US, public companies will now be required to report to the SEC any material cyber incidents within four days of their occurrence. Under the CIRCIA law, critical infrastructure entities will be required to report incidents to CISA.

Why this is a concern for your company:
Cybersecurity has gone from optional to a mandatory requirement for all organizations. This includes many smaller organizations as well. Supply chain requirements will become an issue as you'll need to ensure that your suppliers are also secure. Executives will be personally liable for their organization's compliance.

What's on the horizon:
Mandatory software vulnerability disclosure programs, secure by default requirements for software, and stricter timelines for incident reporting are anticipated. Cybersecurity budgets will change from primarily reactive to being primarily compliance driven.

Dimension 6: Digital Identity Standards – Who Proves You Are Who You Are

Digital identity policies define how someone authenticates themselves online and who has access to their identity information.

Changes occurring:
The EU will implement eIDAS 2.0 requiring member states to provide interoperable digital identity wallets allowing citizens to hold and share personal information (e.g., age, address, qualifications) while keeping any other potentially identifying information private.

The Indian government has issued over 1.3 billion Aadhaar cards allowing users to authenticate themselves for banking, filing taxes, and receiving government assistance. Privacy issues arise from lack of transparency regarding how the information is shared.

The Australian government has created the Trusted Digital Identity Framework to establish a standard for how individuals authenticate themselves in both the public and private sectors.

Importance to YOUR Business:
If your business authenticates users (log in, age verification, credential checks) via an identity or user credential, digital identity standards will impact how you implement them. If digital wallets are made available through government agencies, such as the UK and the EU, centralized identity providers (e.g., Google, Apple, Facebook) could lose a significant portion of their business.

Future direction:

We can expect to see greater adoption of decentralized digital identities (DIDs) and verifiable credentials as users choose to store their identity data on their devices instead of on a corporate server. This reduces your risk of a data breach while necessitating new technical architecture.

Dimension 7: Critical Infrastructure Protection- Securing What Society Needs to Function

Policies Regarding protecting our Critical Infrastructure will outline the variety of important systems, how those systems will be protected, as well as, how much protection is adequate to safeguard these systems.

What is changing:
The definition of critical infrastructure is broadening; no longer are only power facilities and water facilities considered critical. IVANs, data centers, communication networks, and even software supply chains are now considered critical infrastructure.

The EU has replaced the previous EPCIP (The European Programme for Critical Infrastructure Protection) with the EU's Common Emergency Response (CER) directive which has a broader scope than EPCIP. In the United States, CISA has defined 16 critical sectors of infrastructure; some of these include new kinds of infrastructure like space (NASA) and AI (Artificial Intelligence).

Why this is important for your business:
Even though you may not be considered a utility, you may also be a supplier to utilities (USA) in the form of a vendor of software, healthcare services, financial services, and energy-related products/parts/materials. In other words, many of the same requirements imposed on utilities through regulations imposed on those vendors could impact those vendors in future direct transactions with government jurisdictions.

What will be coming:
Requirements to report/cyber incident to government agencies; mandatory security audits for qualified organizations; minimum security requirements for vendors and contractors.

The Interconnectedness of Seven Policy Dimensions

The seven policy dimensions are not discrete entities. They may collaborate and compete.
1. Data sovereignty (dimension 1) impacts cross-border data flow (dimension 4), which is threatening to create an increasingly fragmented Internet because of countries requiring locally stored data.

2. AI governance (dimension 2) has similarity to platform accountability (dimension 3) where its incorporation into AI may create a situation in which someone, or some organisation, can be held liable for chatbot usage of AI to recommend harmful content.

3. Digital identity (dimension 6) affects cybersecurity (dimension 5). A centralized identity system may be easy to use, but creates a single point of failure in cybersecurity.

4. Critical infrastructure (dimension 7) is dependent on software purchased from vendors outside of the country, and this software is subject to cross-border data regulations (dimension 4).

Understanding these seven separate policies will not provide enough information; understanding how the policies interact with each other is also required.

What Leaders Need to Do Now

For CISOs and Security Leaders:
1. Categorize where each country sends its data, how it processes that information, as well as the location of data storage.
2. Create and implement classification/routing controls for sensitive data (once classified) to ensure sensitive data resides only in its respective region by default.
3. Prepare to report Incidents in 24-72 hours of their occurrence. Your response plan needs to be faster than this time frame.
4. Vet your software supply chain. You are responsible for vendor security.

For Compliance and Legal Leaders:
1. Track legislative developments in every country where you operate.
2. Build a policy inventory. Which laws apply to which business functions?
3. Engage with industry associations on rulemaking. Policy is still being written.
4. Plan for fragmentation. Do not assume global harmonization.

For Executives and Boards:
1. Treat digital policy as strategic, not technical. Compliance is a board-level issue.
2. Budget for regional infrastructure. Data localization means local servers, local staff.
3. Expect slower international data movement. Factor "data friction" into business plans.
4. Prepare for enforcement. Regulators are moving from guidance to fines.

Conclusion: Tech Policy in Golden Age of Technology 

Internet was used for two decades with no government regulation part of that time period has ended.

The government has taken control of the following - data, artificial intelligence (AI), Platforms (Social Media), Identity, and Security. The digital future will not be determined only engineers, but will also include input from Legislators, Regulators, and the Courts. 

You cannot ignore policy as an Organization; It is not just a compliance checkbox; It is also a Strategic Limitation on how you operate as a business. 

To be successful going forward, Organizations must incorporate Policy into Product Design, Infrastructure Planning and Risk Management. 
The digital future is being created now, make sure your organization has an opportunity to be involved in how the future ends up being created.

FAQ Section

1. What is the Digital Future Policy and why is it important? 
The Digital Future Policy consists of the regulations/laws/rules that outline how people will use technologies (ex. Data, AI, Digital Platforms) moving forward. It will significantly influence how you may be able to use/ store/ secure data and who is responsible for the problems resulting from that use. In the current business environment, being out of compliance with a policy can result in significant business risk rather than just a legal technicality.

2. How Do Data Sovereignty Laws Affect The Operation Of Cloud Computing?
Data Sovereignty laws specify that data must be stored in a certain physical area, ie. country/jurisdiction. For instance, if an American company was to store the data of EU citizens on a data centre located in the United States, the American company would need to justify the storage of that data.

Therefore, American businesses will have three methods available to them to store that information: (1) by utilizing the Cloud Service with a provision for storing the information in-country (e.g. Europe) (2) acquiring express permission from the Data Subject to transfer the data, or (3) using Standard Contractual Clauses (SCC) upon each occurrence of transferring the data.

3. What Is The Difference Between Data Sovereignty And Data Localization?
Sovereignty is about the geographical area/country that has laws for governing (or sanctioning) the data of that area/country while localization is the actual physical location of the data of the individual at a specific point in space represented by that location. 
Sovereignty would also include Data Localization data while incorporating other concepts associated with access to data, such as data access, processing access, and transferring, as part of the definition of Data Sovereignty.

4. What can organizations do to prepare themselves for newly established AI Governance Regulation?
Organizations should build an inventory of their entire AI portfolio starting with each individual AI by establishing what purpose/placement each AI has within their operations and what identified risk level each AI poses along with where the AI receives its source data. A high-risk AI would have to follow up with the reporting of Human Judgement or Oversight to keep and maintain an up-to-date record of every single HR Decision made with/through its use; and lastly to be tested every so often for Bias.

Since the EU's new AI Governance Regulation sets forth a baseline global standard for AI usage, organizations with customers located outside of the EU can take comfort in knowing that they should operate under the same guidelines for their AI usage as organizations would if they had customers that were located in the EU.

5. Will there be a convergence of digital policies and legislations globally or are they likely to become independent of one another? 
As countries each have their own ways by which privacy, AI and digital platforms are regulated; policies and regulations will most likely remain fragmented instead of converging; also companies that do business in multiple countries will continually face (multiple) disparate, and in some cases contradictions, within the different countries’ regulators. Henceforth, “data friction” will become a way of life, and insofar as this is true, it will not eventually improve, but become worse over time.

Sources:
Freshfields (Global Law Firm)
Sullivan & Cromwell (Global Law Firm)
The Future of Privacy Forum (FPF)
Garrigues (Global Law Firm)
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067