The concentration of risk in centralised technological ecosystems in a worsening threat landscape will be a top risk for organisations in 2025. The 2024 CrowdStrike downtime resulted in an estimated USD 5.2 bn loss. That was an error by a benign actor. A deliberate, malicious attack in 2025 could be catastrophic.
Concentrating services and capabilities among a few major providers escalates the threat of systemic risks and global disruptions. The proliferation of connected and autonomous devices in critical infrastructure and consumer products will create new vulnerabilities for disruptive cyber attacks. The traditional model of operational control is rapidly becoming obsolete, replaced by a pressing need for adaptability, innovation and resilience in the face of relentless disruption.
Digital concentration risk in 2025 has three main drivers:
Emboldened nation state threat actors
Encouraged by escalating confrontations in Europe and the Middle East, state actors are forgoing previous norms of behaviour in the digital space. As more red lines are crossed in 2025, state actors will continue to deploy systemically disruptive cyber operations against critical infrastructure and centralised technology providers to gain military, political and economic advantage over their adversaries.
2025 will mark the year in which state actors forgo the use of non-attributable proxy groups for operations in the digital space, further increasing the likelihood of tit-for-tat escalations in the digital domain.
Vulnerable critical targets
Critical components of our digital ecosystems are the natural target. Concentrated cloud services will provide the biggest returns for emboldened, risk-prone, belligerent threat actors in the digital domain. Exploiting vulnerable technology stacks through supply chain compromises and update poisoning will bypass most defences. The continued adoption of emerging technologies including AI and industrial robotics will exacerbate concentration risks in 2025. The paradox of technological democratisation, with lower implementation costs but higher concentration of manufacturing, design and deployment in the hands of a few global providers, is fundamentally intensifying the risks associated with digital concentration. The designers and owners of these concentrated ecosystems, in turn, have little incentive for cross-compatibility with their rivals. Without cross-compatibility of ecosystems, infrastructure and applications, resilience becomes a costly exercise in duplication. This is prohibitive for most organisations, creating an unprecedented set of conditions for globally disruptive digital risks in 2025.
Ineffective government responses
Most governments have realised the systemic risks that concentrated digital ecosystems pose to their societies but have failed to respond effectively. Regulations such as the EU’s NIS2 and DORA bring tangible obligations for companies to manage not only their own digital resilience but also that of their suppliers. The US has already issued similar guidelines, and China has actively sought to preserve the security of critical digital technologies for years.
Unfortunately, these efforts have proved ineffective at reducing the exposure of most companies to disruptive concentration risks. Worse, they have impeded the ability of some to build resilience through diversification of suppliers and unwittingly fostered the concentration of the development of critical technologies in a handful of players globally. Although some regulators are calling for the potential breakup of these players, the likelihood of this is extremely small.
What it means for business
The concentration of digital ecosystems has forced companies to relinquish control over their most critical assets. Few will have the ability to protect their own networks; fewer still will be able to manage their critical technology dependencies. Belligerent threat actors are no longer bound by previously unspoken norms in the digital space. Companies will have to brace for global system failures. Agility and resilience will define those that manage their impact, versus those that suffer continuous operational downtime throughout the years to come.