i agree with the perception of risk using us-based provider(s), but ...
From a risk-based perspective, true operational independence and legal clarity can only be achieved through self-hosting critical infrastructure under the full control of the RIPE NCC itself. This would eliminate dependencies on commercial cloud providers and allow for full auditability, transparency, and compliance with the highest data protection standards.
this is the way things used to be. we complained it was too expensive. without micro-managing the details of service provisioning, let's assume that the NCC's cost analysis was good. are we willing to pay for data sovereignty? < from the cheap seats > my short term suggestion, should anyone be foolish enough to ask, would be that the NCC not bind itself to things such as AWS's or Gobble's very sticky feature services. portability to different MaaS providers would be my inclination. i suspect there is a lot of thinking going on in amsterdam this season. and by folk with much more information and expertise than i have. randy