Hi Felipe, Thanks for your response on this topic, i'm glad to hear that the RIPE NCC acknowledges there are increased risks with the current approach, and that changes will be necessary. I'm looking forward to learn more about the future of RIPE NCC's cloud strategy during the upcoming NCC Services WG session. Timo Hilbrink Freedom Internet On 08/05/2025 20:10, Felipe Silveira wrote:
Dear Timo,
Thank you for raising these concerns again.
We agree that the situation has changed since November. Within the RIPE NCC we are also seeing increased risk.
In response to this, we are actively working on business continuity plans that include exit strategies for the different cloud providers we use. We are also reviewing our cloud strategy and expect this to shift to using less Platform as a Service (PaaS) from Big Tech providers. I have also decided to halt any significant deployments to some cloud providers until we have a new strategy in place.
Our approach to the cloud has evolved since we first dipped our toe in the water five years ago. We stepped back from our initial “cloud-first” strategy after hearing concerns from the members and community. We also shared principles that aimed to achieve a balance between resilience, accessibility and availability on the one hand, and avoiding vendor lock-in and dependence on any single provider on the other. And all the while, we needed to strike this balance while being conscious of the costs to our members.
The result of this work is that we are well placed to further adapt our strategy in light of the concerns you outline. We are currently discussing internally what actions we might need to take.
I’ll be sharing more details on this as part of my update in the RIPE NCC Services WG at RIPE 90. We are interested in thoughts from our members and the RIPE community and we welcome input both in that session and on this mailing list.
Kind regards,
Felipe Victolla Silveira Chief Technology Officer RIPE NCC
Cloud technology status: https://www.ripe.net/publications/documentation/cloud-technology-status/ <https://www.ripe.net/publications/documentation/cloud-technology-status/>
Service Criticality Ratings: https://www.ripe.net/publications/documentation/service-criticality-rating-o... <https://www.ripe.net/publications/documentation/service-criticality-rating-of-ripe-ncc-services/>
RIPE NCC Cloud Strategy Framework (v2): https://labs.ripe.net/author/felipe_victolla_silveira/ripe-ncc-cloud-strateg... <https://labs.ripe.net/author/felipe_victolla_silveira/ripe-ncc-cloud-strategy-framework-v2/>
On Tue, 6 May 2025 at 14:39, Timo Hilbrink via members-discuss <members-discuss@ripe.net <mailto:members-discuss@ripe.net>> wrote:
Hi all,
Last november i wrote a post to this mailinglist, voicing my concerns about the wide use of US based cloud services at the RIPE NCC. This was just before the US elections took place.
RIPE NCC (Felipe) responded to my concerns, and the last sentence of that mail was:
"It is difficult to run our operations if we have to speculate on what governments can and cannot do. Instead, we apply a risk-based approach, paying close attention to the contracts we sign with these providers and ensuring that the obligations described in them give the highest possible level of privacy and security for our members."
Now, a lot has happened in the world since november, and without going into every detail, i think it is safe to conclude that the US and its big tech companies can no longer be seen as reliable partners when it comes to storing our personal data.
In fact it could soon become illegal for EU businesses and organisations to store personal data on US owned cloud platforms; the Transatlantic Data Privacy Framework (TADPF) that allows a free flow of EU data to US providers relies on the "Privacy and Civil Liberties Oversight Board" (PCLOB) for oversight on data protection laws. Already in january, Mr Trump fired all democratic board members of the PCLOB, rendering the board powerless, as they now lack the required quorum necessary to operate.
This means that the foundation of the TADPF has essentially been removed, and while EU organisations can still rely on the agreement as long as it's not formally annulled by the European Commission or the Court of Justice, it is now more important than ever to have a contingency plan.
So, since the RIPE NCC applies a risk-based approach, my question would be: What contingency plan is there in place for the RIPE NCC? How quickly can they switch to a self hosted or "hosted in Europe" model, while still providing essential services to the members?
* Some relevant links with more background information: https://noyb.eu/en/us-cloud-soon-illegal-trump-punches-first-hole-eu-us-data... <https://noyb.eu/en/us-cloud-soon-illegal-trump-punches-first-hole-eu-us-data-deal> https://www.lawfaremedia.org/article/trump-s-sacking-of-pclob-members-threat... <https://www.lawfaremedia.org/article/trump-s-sacking-of-pclob-members-threatens-data-privacy> https://berthub.eu/articles/posts/you-can-no-longer-base-your-government-and... <https://berthub.eu/articles/posts/you-can-no-longer-base-your-government-and-society-on-us-clouds/>
Timo Hilbrink Freedom Internet ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/ <https://mailman.ripe.net/mailman3/lists/members-discuss.ripe.net/> As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/ <https://www.ripe.net/membership/mail/mailman-3-migration/>