The IAPP's Navigate Digital Risk Index 2025 charts the top digital risks as selected by global leaders in the digital space. The DRI blends the technical with the human, highlighting that digital risk is not just a matter of external threats but also of perspective and context.
One of the most compelling takeaways from discussions on the DRI at the Navigate: A Digital Policy Leadership Retreat is that, while digital risks are broadly shared, their intensity, framing and risk management priorities vary significantly across sectors and roles.
Shared risks across the board
Many risks resonate across industries and positions. Although the manner of risk varies, cybersecurity stands out as a genuine area of concern for organizations of all types.
Ropes & Gray Partner for Data, Privacy and Cybersecurity Edward McNicholas, CIPP/US, describes the danger in cyberattacks that seek results other than an immediate monetary payment. McNicholas explains that "the hostilities with Iran will continue to pose new risks of destructive cyberattacks designed to inflict harm without any other economic motive. Ransomware attacks present at least the possibility of negotiation. Attacks by Iran or its proxies would be designed simply to destroy infrastructure, disrupt supply chains and terrorize people."
Fabienne Tegeler, head, section liaison office and legal affairs at the Federal Office for Information Security and chair of the European Union Agency for Cybersecurity Management Board, reflected that the top reported geopolitical risks on the DRI "underscore the need for organizations to strengthen cyber resilience, improve threat detection and reassess geopolitical exposure. At the same time, 51% point to the growing dependency on third-party vendors as a major technological risk, highlighting the importance of robust vendor risk management, supply chain transparency and contingency planning."
To Tegeler's point, results on growing dependence on third-party vendors show a competing risk priority for many sectors. "Third-party risk management is the sleeping giant for AI governance," PricewaterhouseCoopers Principal Jay Cline, CIPP/US, said. "Companies have to assume all their suppliers are using AI to deliver their services and need to be risk-tiered. At the same time, few of those suppliers are going to have robust-enough AI governance to accurately answer your risk questionnaires or provide evidence of compliance with your AI contract addendums."
The sectoral divide
Despite the many digital risks that resonate among various sectors, industry preeminently dictates the perception and urgency of risk. Take, for instance, a company in the creative or media sector. For a product designer, AI may represent a creative tool with disruptive potential. However, the risks they're most attuned to are more likely to center on brand reputation, misinformation or unauthorized content generation. Data privacy may be on their radar, but only in the capacity of consumer trust and user experience. Here, these digital risks feel fluid, reputational and fast-moving.
Now contrast that example with a regulator or public agency. In these environments, AI isn't just a disruptive tool; it is a policy frontier. Concerns for regulators likely lean heavily toward accountability, transparency and compliance frameworks. The focus is often on how to apply existing legal standards to emerging technologies and enforce guardrails in environments where public trust and fairness are paramount.
For others, AI risks are more foundational. At the Navigate retreat, International Telecommunication Union Director and Representative to the U.N., Head of U.N. Affairs Ursula Wynhoven highlighted that "globally, we still have 2.6 billion people who have never ever been online. In high income countries, 93% of the population uses the internet, while in low-income countries only 27% of people are online." Because of this digital divide, those not online "are not yet part of the digital revolution let alone the AI revolution." For that reason, the U.N. secretary-general has urged all to join forces to ensure AI never stands for "Advancing Inequality," a markedly different risk perception than those of the product designer.
Among survey respondents who shared demographic details, further insights emerge into how industry affiliation influences risk perception. Although 58% of total respondents identified "Risk to privacy and data protection" as a top digital risk, that number falls to 47% when the respondent works in technology or telecommunications. On the other hand, it jumps to 76% when the respondent works in government. More results and discussion on these breakdowns can be found in the IAPP's upcoming Digital Governance Report 2025.
These divergences are not surprising. Each organization responds to its own incentives, pressures and mission. But the differences are worth pause and reflection. What looks like a reputational nuance to one team can manifest as a systemic governance risk to another.
Position shapes perspective
The survey also suggests a clear difference in how digital risk is viewed depending on one's role. Executives, not surprisingly, tend to see risk through a strategic and tactically comparative, if not competitive, lens. For them, digital risks are often tied to long-term outcomes: regulatory readiness, reputational integrity and resilience in the face of changing expectations. For executives, business leaders and product owners, risks are always one part of the ledger, balanced by opportunities that often emerge, especially through effective risk management and strong governance.
Operational teams, by contrast, may focus more on the immediacy of implementation challenges. Risk occurs in the day-to-day: inconsistent data handling, legal action arising from perceived injuries, or the complexity of managing cross-border data flows. Yet, these same risks are seen at different altitudes.
While 30% of respondents identified disruption to cross-border data flows as a top digital risk, from the perspective of Travis LeBlanc, global co-chair of the cyber/data/privacy practice at Cooley and former Civil Liberties Oversight board member, data flows are a high-ranking risk on the leaderboard. "Whether due to changes in the leadership in the U.S. and Europe, the increasing rift of western democracies with China, or concerns of U.S. isolationism, there is no question that 2025 continues to pose evolving risks to cross-border data flows as the year unfolds."
Similarly, Technology Industries of Finland Director of EU Regulation Jussi Mäkinen, CIPP/E, remarked that it was somewhat surprising that the risk of "concentration of, dependency on or unequal access to foreign technology, services and resources" did not rank higher. From his perspective, "No major trading bloc is completely self-sufficient in AI capabilities when it is broken down to computing resources, data and skills. Many (38-98%) of the supply chains for critical raw materials are either originating from or controlled by China. High-scale AI development is heavily dependent on U.S. and EU chips and know-how, although manufacturing takes place elsewhere. On communication technologies, EU and China are shaping the market. Building sovereignty requires realistic, long-term development paths, building on innovation capacity."
This isn't to say one view is more accurate than another. They are complementary. The tension between strategic foresight and operational friction is part of what makes digital risk management both challenging and important.
Why risks matter
The DRI does not universally prescribe solutions when it comes to digital risk. It is a snapshot of the lived and felt experience inside organizations. The report reveals that risk is not just technical or regulatory. It's cultural. It's contextual. It's shaped by how a constituency of people see their work and the world around them insofar as it pertains to their organization's use of digital technologies.
While identifying risks is an important step, it is not the last one. In that sense, the DRI is more than a report. Like a map, it can help organizations start better conversations about risk in their teams, in the boardroom and across the entire enterprise.
Cheryl Saniuk-Heinig, CIPP/E, CIPP/US, is a former research and insights analyst at the IAPP.