89% of digital disruptions originate not from the initial failure but from cascading effects across interdependent systems. The new joint report from ITU, UNDRR and Sciences Po provides the first systematic mapping of the physical risk vectors threatening global operational continuity.

Digital Dependence as Structural Vulnerability

In May 2026, the International Telecommunication Union (ITU), the United Nations Office for Disaster Risk Reduction (UNDRR) and Sciences Po published “When Digital Systems Fail: The Hidden Risks of Our Digital World”, a report developed by twelve senior experts mapping the physical vulnerabilities of global digital infrastructure across three domains: the Earth’s surface, the seabed, and space.

The report’s starting point is an uncomfortable but documented observation: modern societies have built a deep dependence on digital systems without ensuring the existence of operational analogue fallbacks or governance frameworks capable of managing failures at systemic scale. The disruptions analysed — from submarine cable cuts to solar electromagnetic disturbances — have already generated cascading effects that simultaneously impacted critical services across multiple sectors.

The document arrives at a moment when enterprise cybersecurity agendas are dominated by deliberate threat actors — ransomware, state-sponsored attacks, AI-enabled fraud — while the risks of unintentional, physically-originated disruption receive disproportionately less attention in business continuity planning.

Key Findings

1. The cascade effect is the rule, not the exception. Up to 89% of studied digital disruptions do not originate from the initial failure but from chained effects on adjacent and interdependent systems. The number of people affected can be up to ten times higher than those initially exposed to the original incident.
2. Three systematically underestimated physical risk layers. The report maps threats at the Earth’s surface (extreme weather events, power grid failures), on the seabed (submarine cable cuts carrying more than 95% of international data traffic), and in space (solar storms, communications satellite disruptions).
3. Loss of analogue competencies as an organisational risk. Accelerated digital transition has eroded organisations’ capacity to operate without connectivity. The absence of analogue backup systems — from manual procedures to alternative communication infrastructures — converts manageable interruptions into wider-scale crises.
4. Space and submarine infrastructure: the planning blind spot. Only 9% of cybersecurity executives surveyed in the WEF Global Cybersecurity Outlook 2026 identified space technologies as a relevant cybersecurity impact factor. The ITU report identifies this deficit as an urgent governance gap.
5. Six-priority preparedness roadmap. Deepen vulnerability and interdependency knowledge, modernise legal risk management frameworks, strengthen standards and backup systems, improve multi-sector coordination on high-impact risks, build societal and organisational resilience, and foster cross-border trust and collaboration.

Chart 1 — Origin of digital disruptions. Source: ITU-UNDRR-Sciences Po (2026)

What Changes for Organizations

Operational Management and Continuity

Organisations managing distributed operations have progressively shifted coordination to digital systems — from production planning to supplier management. This transition expands operational capabilities while introducing dependencies on infrastructure whose systemic fragility is rarely assessed with the same rigour applied to deliberate threats.

The report compels a review of Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) from a broader perspective than is currently standard. Most organisations’ failure scenarios focus on deliberate cyberattacks or localised hardware failures. The ITU-UNDRR analysis adds physically-originated disruption scenarios — meteorological, geomagnetic, underwater seismic — whose statistical probability is comparable to that of cyberattacks but whose cascading impact can have greater territorial and temporal reach.

Competitive Positioning

The publication of this report creates a genuine opportunity for organisations that wish to differentiate themselves in terms of operational resilience. Building architectures with geographic redundancy, maintaining degraded-mode operating capabilities, and documenting analogue contingency procedures are not high-cost measures relative to the risks they mitigate.

The risk of inaction is equally clear. Companies that do not incorporate these vectors into their risk assessments are exposed to disruptions they will, by definition, not have anticipated. In B2B environments where contracts include service-level agreements (SLA) and penalty clauses, an unplanned interruption — whatever its technical or physical origin — can have significant legal and commercial consequences.

Chart 2 — Amplification factor of disruption impact. Source: ITU-UNDRR-Sciences Po (2026)

Context and Comparative Perspective

The ITU-UNDRR report is published in a context where attention to digital risks is polarised towards deliberate threats. The WEF Global Cybersecurity Outlook 2026, published in January, documents that 94% of cybersecurity executives identify AI as the primary driver of change in the threat landscape, and that 64% of organisations now assess the security of their AI tools — double the figure from 2025.

This concentrated focus on AI as a threat vector, while legitimate, can create a blind spot in risk management. The ITU report serves as a necessary counterweight: it reminds us that the digital risk surface includes physical layers that do not respond to the same mitigation frameworks as cyberattacks. Submarine cables, satellite ground stations, data centres in seismic zones or areas exposed to extreme weather — these are critical infrastructures whose vulnerability cannot be managed solely from a Security Operations Center (SOC).

At the sectoral level, the WEF Technology Convergence report, published on 28 April, similarly notes that the integration of physical and digital technologies — characteristic of Industry 4.0 — simultaneously expands operational capabilities and the surface of exposure to systemic risk. Both reports point to the same conclusion: digital resilience in industrial environments requires risk management that operates across both the logical and physical layers of infrastructure.

Chart 3 — CISOs identifying space infrastructure risk. Source: WEF Global Cybersecurity Outlook 2026

Key Recommendations and Best Practices

1. Update critical dependency mapping. Identify which operational processes and services depend on external digital infrastructure — connectivity, cloud, third-party services — and map their dependency chains down to the physical infrastructure provider level. Explicitly ask providers about their contingency plans for submarine cable interruptions or space weather events.
2. Include physical disruption scenarios in business continuity exercises. BCPs and DRPs must address unintentional, geographically broad disruption scenarios, not only localised failures or deliberate attacks. Simulation exercises should include prolonged connectivity degradation scenarios.
3. Review and document analogue operating procedures. For critical processes — production, logistics, order management — maintain documented procedures enabling operation without connectivity for defined periods. The erosion of these capabilities is one of the most undervalued risks identified in the report.
4. Require physical infrastructure transparency from cloud and connectivity providers. Beyond standard compliance certifications, request information on data centre physical locations, connectivity routes and contingency plans for force majeure events of physical origin.
5. Align with the insurance sector on systemic digital risk coverage. The ITU-UNDRR report explicitly recommends updating legal and risk management frameworks to treat unintentional digital disruptions as an insurable risk comparable to natural disasters. This is the moment to review cyber-risk policies with this extended scope.

Chart 4 — Physical risk coverage in BCPs. Based on ITU-UNDRR 2026 framework

Conclusions

“When Digital Systems Fail” is not a speculative prospective document. It is an evidence-based analysis that identifies a systematic gap in digital risk management: the underestimation of physical interruption vectors and the cascading effects they generate. For industrial and B2B enterprises, the message is operational: digital resilience cannot be reduced to conventional cybersecurity. It requires risk management that covers the entire dependency chain — from internal processes to the global physical infrastructure on which they run.