Cybersecurity in the Age of the Fragmenting Internet

The fragmentation of the internet, or “splinternet,” refers to the breakdown of a once-globally unified internet into localized, regulatory-driven networks. As nations prioritize data sovereignty, political security, and cultural autonomy, they create distinct “splinternets” that diverge from the global web by enforcing unique regulations on data privacy, content access, and cybersecurity [1]. Understanding this trend is important for companies seeking global expansion, as it affects everything from market access to operational security [2].

Today, the impact of this movement is becoming increasingly evident, with countries and regions developing personal data protection standards that restrict the free exchange of information across borders and pose compliance challenges for multinational companies. 

Foundations of Internet Fragmentation

One of the earliest and most prominent examples of Internet fragmentation is the “Great Firewall” in China. Initiated as part of the Golden Shield Project in the 1990s, the censorship system hampered global conferences. It analyzes resources on the Internet to ensure that Chinese people only receive officially approved information. The Great Firewall effectively isolates China’s Internet from the rest of the world, limits international forums, and encourages local strategies that conform to domestic laws. Such regulatory controls allow China to exert strong influence over its digital environment, shaping public discourse and limiting foreign influence within its borders [3].

Similarly, the European Union’s General Data Protection Regulation (GDPR), which came into force in 2018, has reshaped global standards for data privacy. By imposing stringent requirements on how information is collected, stored, and transferred, GDPR has forced companies around the world to make changes, especially with regard to data flowing across borders. While GDPR promotes individual privacy and data security, it also contributes to a compartmentalized internet experience by making it harder for companies to share data freely across regions [4].

The Rise of IT Sovereignty in Geopolitical Conflict

Internet fragmentation has gained new urgency in recent years as global conflicts highlight the role of private tech companies in geopolitical dynamics. A notable example occurred in early 2022: within days of Russia’s invasion of Ukraine on February 24, 2022, Apple suspended product sales and limited Apple Pay in Russia [5]. Microsoft paused new sales of products and services, and SAP and Oracle suspended all sales and services in Russia [6]. These actions were later followed by a wide range of IT software and infrastructure providers, including Adobe, Cisco, Dell, IBM, Intel, Samsung, and Nokia [7].

This unprecedented corporate response revealed the significant influence that tech providers hold in a geopolitical crisis. Beyond simply suspending services, such actions underscore the potential risks for countries relying on foreign technology during periods of political instability. Governments could find themselves vulnerable if cut off not only from new software but also from essential updates and security patches that protect critical systems from exploitation. This scenario underscores the need to reassess dependencies on international providers for national security agencies and public infrastructure relying on these technologies.

The question of IT sovereignty has thus expanded beyond network infrastructure to include “Layer 7” applications: end-user applications and the underlying software supply chain that supports them. Security technology providers must now consider how internet fragmentation and IT sovereignty requirements affect their ability to operate across borders. This has also led to the creation of a cottage industry of specialists who understand and participate in the evolution of the concept of sovereignty, a community that we at Rilian are proud to participate in.

Sovereignty at Scale: The United States Government Clouds

In the United States, government sovereignty over information technology has been fostered through initiatives like the Federal Risk and Authorization Management Program (FedRAMP) and the establishment of U.S. Government Clouds (GovClouds). These programs promote a standardized approach for technology providers seeking to serve both public and private sectors within a secure, regulated environment [8].

FedRAMP, though not perfect, enables “dual purpose” technology providers to architect platforms that are compliant with government standards while preserving flexibility to serve commercial clients. The leadership team at Rilian has experienced this firsthand, both running large defense contractors operating within FedRAMP and Department of Defense cloud environments and overseeing investments in dual-purpose technology providers weighing the costs and benefits of expanding into the public sector.

While FedRAMP strengthens national security, it also exemplifies how internet fragmentation arises through controlled digital environments. Only U.S.-approved cloud providers can operate within FedRAMP-compliant systems, creating a segmented regulatory space optimized for domestic government needs but limiting broader international cloud collaboration. In 2020, the FedRAMP Authorization Act was proposed to solidify FedRAMP into law, further underscoring the trend of building “splinternets” centered on national security [9].

Fragmentation in the Gulf Cooperation Council (GCC) and Latin America

The fragmentation of the internet is also apparent in the Gulf Cooperation Council (GCC) region, where countries like Saudi Arabia, the United Arab Emirates (UAE), and Qatar have enacted their own data privacy regulations. These laws reflect both international standards, such as GDPR, and local priorities that align with national security needs. For instance, Saudi Arabia’s Personal Data Protection Law (PDPL), effective as of September 2023, regulates data handling, aims to protect the personal data of residents, and includes requirements such as explicit consent for data collection, data subject rights, and restrictions on cross-border data transfers [10]. Overseen by the Saudi Data & Artificial Intelligence Authority (SDAIA), the PDPL positions Saudi Arabia as a leader in regional data privacy, drawing inspiration from the GDPR model while ensuring data governance that aligns with the country’s national priorities.

The UAE has taken a similar approach with its Federal Decree-Law No. 45 of 2021, which established the UAE Data Office as a federal regulator with authority over data protection and enforcement of compliance standards. Regions within the UAE, like the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), have their own data laws, emphasizing the country’s adaptability to meet both domestic and international expectations [11].

Qatar also followed suit with its Personal Data Privacy Protection Law (PDPPL), introduced in 2016. As the first comprehensive data protection law in the GCC, it set a precedent for the region by mandating explicit consent requirements, rights for data subjects, and mandatory breach notifications. The PDPPL further requires organizations to conduct Data Protection Impact Assessments (DPIAs) for activities that may risk harm to individuals, illustrating Qatar’s commitment to upholding international data protection standards [12].

The trend of internet fragmentation is evident in Latin America as well, with Brazil's General Data Protection Law (LGPD) being a key example. Effective since 2020, the LGPD is a comprehensive regulation modeled after the EU’s GDPR. It sets strict data collection, processing, and storage standards, with significant emphasis on cross-border data transfers. International companies must comply with these rules or face fines of up to 2% of their annual revenue in Brazil, capped at R$ 50 million (approximately USD $10 million) per violation [13].

In addition, Brazil’s focus on digital sovereignty includes encouraging data localization, with a push for international companies to store data locally or ensure it meets Brazilian standards. This aligns with broader trends in Latin America, where countries like Argentina and Mexico are also tightening data privacy regulations.

Each of these regulatory frameworks is continuously evolving, and they often lack the close integration with global cloud service providers (CSPs) that domestic governments enjoy with their local CSPs. As a result, technology providers looking to access the GCC (and many other emerging markets) face a difficult decision: either limit their service offerings in regions that cannot be supported by public cloud infrastructure or design their platforms to operate within secure, compliance-driven containers that address most regulatory requirements. In some jurisdictions, CSPs are collaborating with governments to create hybrid solutions, applying region-specific regulations while still leveraging a majority of cloud-native services. However, this is still a relatively new initiative, and the rules of engagement are not as clearly (or transparently) defined as those in the United States.

Conclusion

As internet fragmentation grows, the technical friction created by regulatory requirements poses a challenge to international expansion. Yet companies can mitigate these challenges by considering global standards early in the development process, reducing the need for costly reengineering later. Organizations experienced with FedRAMP [14] and similar U.S.-based compliance frameworks will find familiarity with certain elements abroad, but the nuances of each region’s regulatory landscape require targeted expertise.

Partnering with knowledgeable local partners can accelerate this process, enabling precise return on investment (ROI) analysis and a more strategic approach to market entry. With the right guidance, businesses can successfully navigate the fragmented internet, seizing opportunities in new markets while maintaining robust compliance.

At Rilian, we have been working with various businesses to navigate cross-border regulations and ensure seamless global expansion.

Citations and Footnotes

  1. "What Is a Splinternet? And Why You Should Be Paying Attention," Internet Society.
  2. Mackenzie, L. (2020). "The Splinternet and Digital Sovereignty: Nation-State Control in the Global Internet." International Journal of Communication, 14, 3553-3573.
  3. "Great Firewall of China," The Guardian.
  4. "What is GDPR, the EU’s new data protection law?" GDPR.EU.
  5. "Apple Halts Product Sales in Russia Following Ukraine Invasion." Bloomberg, March 1, 2022.
  6. "Microsoft Suspends Russia Sales Amid Ukraine Conflict." Microsoft On the Issues, March 4, 2022.
  7. "Apple, SAP and Other Vendors Responded to Russia Following Ukraine Invasion." ChannelWeb, March 2022.
  8. "FedRAMP: Federal Risk and Authorization Management Program," U.S. General Services Administration.
  9. "FedRAMP Bill Headed to Senate Floor." FedScoop, March 2022.
  10. "Personal Data Protection Law." Saudi Data and Artificial Intelligence Authority (SDAIA), April 23, 2023.
  11. "Data Protection Laws." UAE Government Portal.
  12. "Qatar Personal Data Protection Law." Securiti.ai.
  13. "Lei Geral de Proteção de Dados (LGPD) - Brazil's General Data Protection Law." LGPD Brazil.
  14. FedRAMP was initiated in December 2011 by the U.S. government to create a standardized approach for assessing, authorizing, and monitoring cloud services for federal agencies. This program enforces strict security and compliance standards for cloud service providers (CSPs) handling government data, leading to a segmented, secure ecosystem separate from the global internet. With its requirements, FedRAMP reinforces data localization by sometimes mandating that high-impact data be stored within U.S. borders, and it restricts interoperability by approving only a subset of highly secure, government-compliant services. Major milestones in FedRAMP’s evolution include the release of the first baseline standards in 2012, the FedRAMP Accelerated initiative in 2016 to streamline the authorization process, and the transition to FedRAMP’s Continuous Monitoring (ConMon) program, emphasizing ongoing compliance checks.
