Cloud Computing Policy Analysis

A newly released legal analysis by the University of Cologne, commissioned by the German Interior Ministry provides a clear conclusion: US authorities retain broad and extraterritorial access rights to cloud-stored data, even when that data resides in EU data centers. This includes access under FISA §702, the Stored Communications Act (incl. CLOUD Act), and Executive Order 12333. Key findings: ➡️ US jurisdiction follows control, not location. If a cloud provider is US-based—or effectively controlled by a US parent—its EU-hosted data can still be subject to US disclosure orders. ➡️ Encryption is not a complete safeguard. While strong client-side encryption helps, US process law (e.g., preservation duties, spoliation standards) can still impose obligations that limit “self-blind” architectures. ➡️ Even EU providers may fall under US jurisdiction if they maintain substantial US business activities. ➡️ EO 12333 enables intelligence collection abroad without provider involvement or judicial oversight. What this means for GDPR compliance 😤 The analysis heightens the tension between EU data protection requirements and US surveillance law: 📃 Data transfers relying on the EU–US Data Privacy Framework remain lawful for now, but the underlying structural issues identified in Schrems I & II persist. 🌩️ Organizations using US-controlled cloud services must assume potential US access and carefully document this in TIAs, SCCs, and DPIAs. 🏥 For sensitive sectors—public authorities, critical infrastructure, health—reliance on US-controlled clouds becomes significantly harder to justify under GDPR’s “essentially equivalent” standard. 🇪🇺 Long-term strategies will increasingly need EU-based, non-US-controlled cloud options or robust technical isolation (true client-side key control, pseudonymization). 👉 The report reinforces a growing reality: EU data residency alone does not neutralize US access rights. Compliance strategies must explicitly account for extraterritorial US law, and in some cases, reconsider the choice of cloud provider altogether.

🚀 New paper out! Excited to share my policy paper for the IE University Center for the Governance of Change “Towards Competitive Cloud Ecosystems: Strategic Responses for Europe’s Digital Future.” Cloud computing is the backbone of Europe’s digital economy — but without effective competition, we won’t be able to fully capture its competitiveness gains. Lower adoption rates among firms and public administrations, and less efficient and secure cloud strategies, will hold Europe back. I explore: 🔹 The contractual, technical, strategic, and structural barriers that limit effective competition in EU cloud markets 🔹 Strategic adaptation by dominant players through software licensing and product bundling, often circumventing new regulations 🔹 The urgent need to strengthen enforcement of Articles 101 and 102 TFEU to tackle evolving market practices 🔹The importance of identifying and covering blindspots in the Data Act and DMA 🔹 How smart public procurement can help level the playing field and enhance competition 🔹The strenghts, weaknesses, opportunities and threats the EU is facing in cloud computing 📌 Final takeaway: this is not about excluding non-EU companies — it’s about ensuring real competition, so Europe can be more competitive and innovative. Read the full paper here 👉 https://lnkd.in/d4GnGN9e Thanks to Irene Blázquez Navarro and Carlos Luca de Tena Piera for the opportunity and to Alex Roche, Irene Pujol Chica and Darío García de Viedma for very good cooperation. Juan Espinosa García Jorge Morillo Renata Sánchez de Lollano Caballero Juan Luis Redondo Maillo Nuria Talayero Adrián González Bahamonde CEPS (Centre for European Policy Studies) Andrea Renda María Canal Fontcuberta Beatriz Alvargonzalez Largo #CloudComputing #CompetitionPolicy #EUtech #Competitiveness #PolicyInnovation

Dear colleagues, On behalf of Extrema Ratio, we are pleased to present an in-depth strategic analysis that reveals one of the most significant and least understood developments in the current geopolitical landscape: the new wave of standardization in Chinese cloud computing. Until yesterday, standards might have seemed like a technical, almost ancillary topic. Today, however, they represent the silent battlefield on which the balance of power of the future will be decided. China, with its "Guidelines for the Comprehensive Standardization System of Cloud Computing (2025 Edition)," has not simply updated technical standards; it has drawn up a strategic map for its technological rise and global projection. This analysis will take you on a journey starting from the heart of China's digital economy, showing you how the cloud has become the backbone of Artificial Intelligence (AI) and an unstoppable driver of what Beijing calls the "New Quality Productive Forces." We will examine the national cloud giants, state programs, and the strategic synergy between universities, research, and defense, providing you with a comprehensive intelligence picture of Beijing's ambitions and capabilities. The focus of our study is an in-depth examination of internal standardization rules: we will explain what they are, what they are used for, and, above all, how they have become an essential tool for ensuring technological autonomy (自主可控) and cybersecurity (网络安全) from a holistic national security perspective. We will also take a clear and critical look at the global geopolitical context: we will position this standardization offensive within the broader competition between the United States and China. We will analyze the structural vulnerabilities of the Chinese model, in particular its dependence on advanced semiconductors and the implications of the complex situation in Taiwan, factors that represent potential points of friction in this clash for technological supremacy. Finally, we will clarify how China's entire regulatory framework—from the Cybersecurity Law to the National Intelligence Law—creates a legal umbrella that not only protects but also guarantees the state pervasive control over data and cloud infrastructure. This analysis by Extrema Ratio is designed to give you a clear and practical understanding of the dynamics at play, providing you with the tools to interpret the future of digital competition. We invite you to explore these pages carefully to grasp the challenges and opportunities of an era in which the cloud is the new center of global power. Read our analysis here: https://lnkd.in/dmbK7Ktd #ChinaCloud #CloudComputing #TechGeopolitics #DigitalSovereignty #AIStrategy #CyberSecurityChina #ChinaStandards #USChinaTechWar #TechAutonomy #IntelligentCloud

Cloud governance faces a crucial juncture with the rapid adoption of Infrastructure as Code (IaC). Gartner's report, "Cloud Governance and Self-Service Through Infrastructure as Code" by Lydia Leong, emphasizes the critical need for standardized frameworks, deterministic tooling, and automation to match the evolving complexity of modern cloud environments. Key Insights: - Effective IaC strategies demand robust governance and compliance to mitigate configuration drift, security vulnerabilities, and operational disarray at scale. - Automation plays a pivotal role—integrating policies directly into code guarantees compliance and minimizes manual intervention. - Embracing deterministic, audit-ready tools is favored over generative solutions for consistent and secure outcomes. - Establishing centralized visibility and control across multi-cloud environments is now a fundamental requirement for enterprise cloud teams. It's exciting to witness Gomboc AI’s recognition by Gartner analysts for providing precisely what is needed: a deterministic, policy-centric platform that ingrains organizational controls throughout the IaC lifecycle. Gomboc.ai facilitates the delivery of compliant and secure infrastructure at scale and velocity by automating policy enforcement and ensuring auditability across diverse cloud platforms. For those assessing their cloud governance approach, delving into Gartner's insights and exploring solutions tailored to address complex challenges is highly recommended. #CloudGovernance #IaC #DevSecOps #Gartner #AI #CloudSecurity #GombocAI

CSPs just admitted they can access your data. Following my recent post on data sovereignty, I promised to go deeper into what it actually means for infrastructure modernization strategy. AWS's recent blog on the US CLOUD Act revealed more than intended. Hidden in their defensive "five facts" is a business-critical admission every executive needs to understand. The evidence is mounting: ❌ AWS admits "technical ability" to access data while completely ignoring FISA 702 intelligence powers ❌ Microsoft executive testifies under oath: "cannot guarantee" sovereignty ❌ Queen Mary researchers: hyperscaler claims are "sovereign in name only" ❌ US/UK CLOUD Act Agreement: 20,000+ surveillance requests, demands for weakening of global encryption The business risk—single-platform modernization creates regulatory concentration risk, negotiating position erosion, and innovation constraints that affect your entire operation. Platform independence isn't just compliance—it's business resilience. My full (researched) analysis in the article below. As always, if of interest, please repost/share to your network, and post any insights, comments or questions below, and we'll do our best to respond. #mainframeModernization #dataSovereignty #COBOL #PL1 Heirloom Computing ISG (Information Services Group) IBM Kyndryl Amazon Web Services (AWS) Microsoft Cloud Google Cloud Oracle Cloud STACKIT OVHcloud

I recently teamed up with the brilliant Michelle Nie, Nicholas P. Garcia, and Elise P. to reflect on the nature of cloud computing as a central part of our lives and regulation as a public utility. Perhaps no technology underpins more the everyday functioning of our increasingly digital world than cloud computing. We rely on the cloud every day to access government, healthcare and educational services. We access our government benefits, file taxes, schedule doctor’s appointments, bank online and access educational materials all through the cloud. We increasingly depend on the cloud to communicate with each other. Where we once relied on the telephone system and federated self-hosted email servers, now millions of Americans communicate daily over cloud-based apps, such as web-based email services like Gmail, WhatsApp, Messenger and Zoom. And now, with the advent of artificial intelligence, nearly all Americans use either AI-specific products, such as AI chatbots, or AI-enabled services such as social media, weather forecasting apps or shopping websites. These products and services require processing powers, not only to train the underlying AI models, but also to deploy them to end users. What “the cloud” even is remains obscure to many people. There are many different service offerings and business models in the industry, but it is most simply understood as companies that offer computing resources — access to big storage servers and processing power — as a service. Cloud providers build, rent or manage the physical infrastructure to do all the computing, and then sell access to it to all the many individuals and businesses that need it. But unlike other essential infrastructure services — including electricity, water, and gas — cloud companies are treated like any other firm, rather than a firm that provides a clear public good or service, like water or electricity. The “big three” cloud providers in the world, Amazon Web Services, Microsoft Azure and Google Cloud, dominate the market, collectively controlling nearly two-thirds of global cloud infrastructure. This concentration of power allows cloud providers to set terms of access, pricing and service without meaningful accountability or transparency. These dynamics also undermine competition from small businesses, locks in consumers and threaten innovation and access to critical information. The cloud market is too important to our economy and society to operate without appropriate regulation and direct oversight by democratic institutions. While cloud providers are subject to some existing regulations, the current regulatory structure fails to recognize their role as essential infrastructure and does not impose the public interest obligations necessary to serve the public good. Access to compute power is becoming the essential service of the AI and digital future, and now may be the time to establish the next generation of public utilities to govern these services for the public good.