On January 19, 2021, the Trump administration issued Executive Order 13984 (“EO 13984”), “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which amends and expands Executive Order 13694 of April 1, 2015, to detect and deter the use of US infrastructure as a service (“IaaS”) products by foreign malicious cyber actors.  Specifically, EO 13984 directs the US Department of Commerce (“Commerce”) to (i) issue regulations to detect and deter the use of US IaaS products in malicious cyber-enabled activities, primarily via identity verification requirements, and (ii) coordinate with other US government agencies to impose “special measures” against certain foreign persons and/or foreign jurisdictions.

There is no immediate regulatory change resulting from EO 13984, and the Biden administration may or may not delay or change the implementation of the regulations directed under EO 13984.  However, cloud service providers and other IT service providers should closely monitor for any proposed regulations or other developments.  Below we provide a summary of key issues under EO 13984. 

Identity Verification Requirements

EO 13984 directs Commerce to propose regulations by July 18, 2021 (“Proposed Regulations”) to require US IaaS providers to verify the identity of foreign persons using their services.  In doing so, the Proposed Regulations must set forth the minimum standards for US IaaS providers to verify the identity of foreign IaaS account holders, including:

  • the documentation and procedures required to verify the identity of foreign lessees/sub-lessees of IaaS products;
  • records that US IaaS providers must maintain regarding foreign IaaS account holders (e.g., a foreign account holder’s name, national identification number, address, payment methods, and associated financial identifiers, including credit card number, email address, phone number, IP address, and date and time of the foreign account holder’s activities in connection with the account); and
  • methods for securing the above information. 

However, Commerce may also exempt any US IaaS provider if Commerce finds that such US IaaS provider complies with security best practices to otherwise deter abuse of IaaS products. 

US IaaS provider is defined as any United States person (US citizen, lawful permanent resident, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches) or any person located in the United States) that offers an “IaaS product”, itself defined to mean “any product or service offered to a consumer, including complementary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.  The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications…”  The definition of IaaS product is not limited to “dedicated” environments and expressly includes “‘virtualized’ products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet.”

“Special Measures” for Certain Foreign Jurisdictions or Foreign Persons

EO 13984 also directs the Proposed Regulations to address “special measures” for IaaS providers to take against certain foreign jurisdictions and/or foreign persons.  “Special measures” can include prohibitions or conditions on the opening or maintaining of an “IaaS Account,” including a “Reseller Account,” in respect of:

(i) a foreign jurisdiction which has a significant number of foreign persons offering or obtaining US IaaS products to be used for malicious cyber-enabled activities (i.e., activities that seek to compromise or impair the confidentiality, integrity, or availability of computer, information, or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon); and

(ii) a foreign person who has a pattern of offering or obtaining US IaaS products to be used in malicious cyber-enabled activities. 

“IaaS Account” means a formal business relationship established to provide IaaS products to a person in which details of such transactions are recorded, and “Reseller Account” means an IaaS account established to provide IaaS products to a person who will then offer those products subsequently, in whole or in part, to a third party.

EO 13984 also requires Commerce to consider several factors before imposing “special measures” against a foreign jurisdiction: (i) evidence that foreign malicious cyber actors have obtained US IaaS products offered in that foreign jurisdiction; (ii) the extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities; and (iii) the difficulty in detecting and punishing malicious activities involving US IaaS products and relating to that jurisdiction.  Regarding a foreign person, Commerce should consider (i) the extent to which a foreign person uses or offers US IaaS products for malicious cyber-enabled activities vis-à-vis legitimate purposes; and (ii) effective alternatives to the imposition of special measures.

EO 13984 also directs Commerce and other agencies to engage and solicit feedback from industry by May 19, 2021 on how to increase information sharing and collaboration among US IaaS providers and between US IaaS providers and relevant agencies.  Agencies are also required to submit a report to the President by September 16, 2021, to give recommendations on encouraging information sharing and collaboration as well as on facilitating the detection of IaaS accounts and activities that involve foreign malicious cyber actions.

While EO 13984 raises important concerns with respect to implementing safeguards to reduce the use of IaaS products and services in the United States by malicious foreign actors, the standards that will be addressed in the Proposed Regulations may have a significant impact on many businesses operating in the United States given the broad definition of IaaS products.  EO 13984 does not address any of the concerns that might be raised with respect to what measures can be implemented to respect individual privacy rights, nor does it address what measures can be taken to minimize the potential additional liability of requiring companies to store and maintain certain categories of sensitive personal data, including financial account information.  For now, companies currently providing IaaS products should continue to monitor and evaluate Commerce’s actions and look for opportunities to engage in meaningful industry dialogue with Commerce on the scope of such Proposed Regulations.


Paul Amberg is a partner in Baker McKenzie’s Madrid office, where he handles international trade and compliance issues. He advises multinational companies on export controls, trade sanctions, antiboycott rules, customs laws, anticorruption laws, and commercial law matters. Paul helps clients assess and address compliance risks presented by export controls, trade sanctions, antiboycott rules, customs laws, and anticorruption laws. His practice especially focuses on internal reviews, voluntary disclosure filings, and enforcement actions brought by the US Government in relation to the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), trade and economic sanctions programs, and US customs laws.


Eunkyung advises clients on various regulatory compliance and trade issues, concentrating on the US export controls such as the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR), economic and trade sanctions, US customs and import laws, the US Foreign Corrupt Practices Act (FCPA), and foreign anti-bribery laws.


Brian Hengesbaugh is Chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.


Mr. Stoker regularly advises technology and e-commerce companies on various aspects of their domestic and foreign operations, including negotiation of technology and services agreements, cybersecurity, data protection and privacy issues. Mr. Stoker also regularly advises automotive OEMs and suppliers in connection with issues related to technology, connected vehicles, sourcing, cybersecurity, data protection and privacy. Mr. Stoker is experienced in transactional and general corporate matters, as well as technology- and intellectual property-related litigation and arbitration. He is admitted to practice in New York and Illinois.


Iris's practice involves assisting multinational companies with a wide range of trade matters including export controls, sanctions, internal investigations and risk assessments. She also assists companies with respect to customs laws and other trade regulation issues in the US and abroad. Iris's practice extends to assistance in internal compliance reviews as well as enforcement actions and disclosures necessitated by US government action.