The issue of vendor lock-in has never disappeared.
It has merely been evaluated differently.

For years, vendor lock-in was primarily treated as a cost and migration question:
How expensive would a switch be?
How complex would a re-platforming initiative become?

Today, the question is more fundamental. Vendor lock-in increasingly intersects with regulatory fragmentation, geopolitical tensions, and extraterritorial legal frameworks.

The risk is no longer purely technical or financial. It is structural.

1. When Vendor Lock-in Became Acceptable

Cloud adoption and SaaS standardization were based on rational trade-offs:

  • Faster time to value
  • Reduced infrastructure complexity
  • Access to innovation velocity
  • Transfer of operational risk

Deep integration into platform ecosystems was often a deliberate decision.

Vendor lock-in was tolerated because the environment was perceived as stable.

That assumption is becoming increasingly fragile.

Two developments are particularly relevant.

The U.S. CLOUD Act (2018) clarifies that U.S.-based providers may, under lawful request, be required to provide access to data — even if that data is stored outside the United States.

At the same time, organizations operating within the European Union are bound by GDPR requirements and national data protection regulations.

In multinational corporate structures, this can create areas of tension where parent-company jurisdiction intersects with local regulatory obligations.

The issue is not necessarily enforcement itself.
The issue is structural complexity.

Schrems II and Uncertainty in Data Transfers

The 2020 Schrems II ruling by the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework.

The decision highlighted that cross-border data transfers are subject to legal and political change.

Even though subsequent regulatory mechanisms have been introduced, one insight remains:

International data governance is not static.

For organizations heavily dependent on global platform ecosystems, this introduces an additional planning variable.

3. Concentration in Platform Economies

Modern enterprise architectures increasingly consolidate critical functions with a limited number of hyperscale providers.

Identity management, collaboration, infrastructure, analytics, AI services, and developer ecosystems often reside within the same vendor environment.

This results in:

  • Technical dependency
  • Operational dependency
  • Contractual dependency
  • Jurisdictional exposure

The risk does not lie in platform instability.

The risk lies in reduced strategic maneuverability under changing external conditions.

4. Data Localization vs. Actual Control

A common assumption is:

“If data is stored in the EU and the contracting entity is a European subsidiary, it is fully protected.”

In practice, corporate structures and overlapping legal regimes are more complex.

In cases of conflicting legal claims, resolution may require court proceedings, regulatory review, or international coordination.

From an architectural perspective, the decisive factor is not the political scenario itself.

It is the presence of structural uncertainty.

Uncertainty is a governance variable.

5. Implications for Enterprise Architecture

The management of vendor lock-in is not primarily an ideological issue.

It is a governance variable.

Architectural responses do not consist of categorically avoiding major platforms, but of deliberately managing exposure.

Possible considerations include:

  • Transparent mapping of dependency concentration
  • Clear definition of system-of-record ownership
  • Separation of data portability from application-specific logic where feasible
  • Scenario modeling for regulatory or geopolitical disruption
  • Jurisdiction-aware risk assessment in platform selection

Strategic optionality does not require permanent redundancy.

It requires conscious trade-offs.

Conclusion

The management of vendor lock-in has become strategically relevant again because the surrounding environment has changed.

In stable regulatory environments, deep integration maximizes efficiency.

In fragmented and dynamic legal contexts, concentration without visibility increases exposure.

The central question is not:

“How quickly could we migrate?”

It is:

“What assumptions are embedded in our dependency model — and are we consciously accepting them?”

Enterprise architecture does not eliminate risk.

It ensures that dependency remains a deliberate decision — not an unintended outcome.

References

  • U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 2018
  • Court of Justice of the European Union, Schrems II (Case C-311/18), 2020
  • Regulation (EU) 2023/2854 (EU Data Act)
  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)