US Infrastructure as a Service Providers (IaaS) – New Know-Your-Customer Requirements?

By Jack Hayes, Cherie Tremaine, Brian Egan & Peter Jeydel on February 1, 2021

On January 19, 2021, President Trump issued Executive Order (EO) 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” (86 Fed. Reg. 6,837 (Jan. 25, 2021)), taking further action under the national emergency declared by President Obama in Executive Order 13694 of April 1, 2015.  EO 13984 directs the US Department of Commerce (Commerce) to: (1) promulgate know-your-customer (KYC)-type identification and recordkeeping obligations on US “Infrastructure as a Service” (IaaS) providers engaging in foreign transactions, and (2) consult with other US government agencies to impose “special measures,” i.e., restrictions, on foreign jurisdictions and persons, i.e., actors, determined to be using US IaaS to engage in significant malicious cyber activities.

The EO describes IaaS as “products to provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers,” and includes a lengthy definition of different types of IaaS products that are covered by the EO. Although some reports have focused on the impact that EO 13984 may have on cloud service providers, the EO’s broad definition for IaaS could sweep in other information technology service providers operating in the US.

The EO is not effective immediately, and may not go into effect for several months or longer.  The EO directs Commerce “to propose for notice and comment” regulations within 180 days implementing the KYC and “special measures” directives described above.  In addition, EO 13984 was issued by President Trump at the very end of his administration, and it is possible that the Biden Administration will delay implementation for a longer period of time as it reviews the legal and policy implications of the EO.

More specifically:

  • Section 1 of the EO directs Commerce to issue proposed rules within 180 days requiring US IaaS providers to verify and maintain records documenting the identity of foreign persons that open and maintain “Accounts” or lease or sub-lease them.
    • The section directs adoption of minimum standards for identity verification procedures and the maintenance of records, such as name, address, national identification number, point of contact, payment, and Internet Protocol information, among other data requirements.
    • US IaaS providers are also responsible for implementing measures to safeguard such information and limit all third-party access to the information, except where permitted under applicable law.
    • Commerce is permitted, in consultation with the US Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt US IaaS providers, or any specific type of Account or lessee, from these requirements, such as for compliance with security best practices to deter abuse of IaaS products.
  • Section 2 of the EO directs Commerce to issue proposed rules within 180 days imposing “special measures” on foreign persons or foreign jurisdictions engaged in malicious cyber-related activities, including the prohibition of, or conditions on, the opening or maintaining of an “Account,” including a “Reseller Account,” with any US IaaS provider or otherwise located in the United States.
    • Foreign persons or foreign jurisdictions may be subject to special measures if Commerce, in consultation with the Secretary of State, the Secretary of the Treasury, and the other US government agencies identified above, determines, based on “reasonable grounds,” that:
      • a foreign jurisdiction has a significant number of foreign persons offering US IaaS products for, or directly obtaining US IaaS products for use in, malicious cyber-enabled activities; or
      • a foreign person has established a pattern of conduct of offering US IaaS products that are used for, or directly obtaining US IaaS products for use in, malicious cyber-enabled activities.

The EO identifies a number of factors to be applied in deciding whether a foreign jurisdiction or foreign person has engaged in malicious cyber-enabled activities using IaaS.

  • Upon making such a finding, Commerce is permitted to impose “special measures,” including prohibition of, or conditions on, the opening or maintaining with any US IaaS provider or in the United States of an “Account,” including a “Reseller Account”:
    • By any foreign jurisdiction found to have any significant number of foreign persons offering or using US IaaS products for malicious cyber-enabled activities; and
    • For or on behalf of any foreign person found to be offering or directly obtaining US IaaS products for use in malicious cyber-enabled activities.
  • These special measures are roughly analogous to the provisions of Section 311 of the USA PATRIOT Act of 2001, as amended, applicable to foreign jurisdictions, financial institutions, transactions, and accounts of “primary money laundering concern,” as well as KYC requirements for US financial institutions.

Finally, Section 3 of EO 13984 directs the US government to recommend measures to deter the abuse of US IaaS products, Section 4 authorizes the identification of funding requirements and sufficient resources to execute the EO, and Section 5 provides definitions for certain terms.

In a letter to Congress regarding the Executive Order on January 19, President Trump explained that “[f]oreign actors use [IaaS] for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities.”

To date, the Biden Administration has not taken any formal position with regard to EO 13984, which was one of several Presidential and Executive agency national security-related regulatory actions taken during the last few days of the Trump Administration.  On January 20, 2021, White House Chief of Staff Ron Klain issued a memorandum, “Regulatory Freeze Pending Review,” that instructed agencies to take a number of actions to freeze or delay implementation of regulations that were pending as of the end of the Trump Administration.  While the Klain memorandum does not directly impact the timeframes for rulemaking in EO 13984, it signifies an intent by the Biden Administration to take a close look at any regulatory policy changes that were initiated at the end of the Trump Administration.  It is possible, therefore, that there may be some additional delay in Commerce’s implementation of EO 13984.

Issuance of the Executive Order does not immediately change the regulatory landscape, but sets the stage for Commerce to propose regulations for notice and comment in the coming months.  Accordingly, US IaaS providers, including those offering Accounts and Reseller Accounts, and their customers should monitor regulatory developments in this area.

Jack Hayes

Jack Hayes has extensive experience providing clients with advice and assistance under ITAR and EAR, as well as US economic sanctions and anti-boycott regulations. Jack frequently handles complex export control matters, including voluntary disclosures, internal investigations of apparent export control violations, pre-closing and post-closing acquisition export compliance due diligence, export control audits, and assessments of compliance obligations and risks in accordance with relevant international trade regulations. He also provides guidance on brokering requirements and reporting obligations for certain fees, commissions, and political contributions related to sales of defense articles and defense services, prepares export and reexport license and agreement applications for submission, undertakes commodity jurisdiction and export classification analyses of items and services under the ITAR and EAR, drafts registration material change notifications, and develops compliance policies, programs, and training materials.

Brian Egan

Brian Egan advises on a number of international legal issues that affect US and foreign clients, including economic sanctions, export controls, and anti-money laundering programs; national security trade and investment reviews; international arbitration and other cross-border disputes; international cybersecurity and data privacy; and issues of public international law. He has worked in various senior legal positions for the US government, giving him keen insight into domestic and international legal matters that influence US government national security and foreign relations policies and programs. Before joining Steptoe, Brian served as the Legal Adviser to the US Department of State, the Legal Adviser to the National Security Council, Deputy White House Counsel, and Assistant General Counsel for Enforcement and Intelligence with the US Department of the Treasury. Brian has regularly appeared in public fora to speak on international legal issues, including testifying before Congress, public speaking engagements, and panel presentations.

Peter Jeydel

Peter Jeydel’s practice focuses on US export controls and economic sanctions, including the Commerce Department’s Export Administration Regulations (EAR), the State Department’s International Traffic in Arms Regulations (ITAR), and sanctions regulations administered by the Treasury Department’s Office of Foreign Assets Control (OFAC) and the State Department. His practice spans all aspects of these regimes, including counseling, compliance, transactional advice, licensing and opinions, disclosures, and enforcement actions. He has also represented companies and individuals seeking de-listing from OFAC’s sanctions list. In addition, Pete has assisted clients in anti-corruption matters, including under the US Foreign Corrupt Practices Act (FCPA), and has experience handling reviews and investigations by the Committee on Foreign Investment in the United States (CFIUS).

  • Posted in:
    Government Contracts, Technology and AI
  • Blog:
    International Compliance Blog
  • Organization:
    Steptoe LLP
