On September 24, 2021, the Department of Commerce (“Commerce”) published an Advance Notice of Proposed Rulemaking (“ANPRM”) concerning new regulations relating to U.S. Infrastructure as a Service (“IaaS”) providers—companies that offer processing, storage, networks, or other fundamental computing resources, typically using hardware that consumers do not manage or control. The new rules will require IaaS providers to enhance customer identity verification procedures and to implement special measures concerning foreign persons involved in, or located in foreign jurisdictions associated with, malicious cyber activities. The ANPRM is a response to Executive Order 13984 (“EO”), which directs Commerce to implement regulations to combat malicious cyber actors’ use of U.S. cloud infrastructure to steal sensitive data and target critical infrastructure.
