Dear Timo,

Thank you for raising these concerns again.

We agree that the situation has changed since November. Within the RIPE NCC we are also seeing increased risk.

In response to this, we are actively working on business continuity plans that include exit strategies for the different cloud providers we use. We are also reviewing our cloud strategy and expect this to shift to using less Platform as a Service (PaaS) from Big Tech providers. I have also decided to halt any significant deployments to some cloud providers until we have a new strategy in place.

Our approach to the cloud has evolved since we first dipped our toe in the water five years ago. We stepped back from our initial “cloud-first” strategy after hearing concerns from the members and community. We also shared principles that aimed to achieve a balance between resilience, accessibility and availability on the one hand, and avoiding vendor lock-in and dependence on any single provider on the other. And all the while, we needed to strike this balance while being conscious of the costs to our members.

The result of this work is that we are well placed to further adapt our strategy in light of the concerns you outline. We are currently discussing internally what actions we might need to take.

I’ll be sharing more details on this as part of my update in the RIPE NCC Services WG at RIPE 90. We are interested in thoughts from our members and the RIPE community and we welcome input both in that session and on this mailing list.

Kind regards,

Felipe Victolla Silveira
Chief Technology Officer
RIPE NCC

Cloud technology status:
https://www.ripe.net/publications/documentation/cloud-technology-status/

Service Criticality Ratings:
https://www.ripe.net/publications/documentation/service-criticality-rating-of-ripe-ncc-services/

RIPE NCC Cloud Strategy Framework (v2):
https://labs.ripe.net/author/felipe_victolla_silveira/ripe-ncc-cloud-strategy-framework-v2/

On Tue, 6 May 2025 at 14:39, Timo Hilbrink via members-discuss <members-discuss@ripe.net> wrote:
Hi all,

Last November I wrote a post to this mailing list, voicing my concerns
about the wide use of US based cloud services at the RIPE NCC. This was
just before the US elections took place.

RIPE NCC (Felipe) responded to my concerns, and the last sentence of
that mail was:

"It is difficult to run our operations if we have to speculate on what
governments can and cannot do. Instead, we apply a risk-based approach,
paying close attention to the contracts we sign with these providers and
ensuring that the obligations described in them give the highest
possible level of privacy and security for our members."

Now, a lot has happened in the world since November, and without going
into every detail, I think it is safe to conclude that the US and its
big tech companies can no longer be seen as reliable partners when it
comes to storing our personal data.

In fact it could soon become illegal for EU businesses and organisations
to store personal data on US owned cloud platforms; the Transatlantic
Data Privacy Framework (TADPF) that allows a free flow of EU data to US
providers relies on the "Privacy and Civil Liberties Oversight Board"
(PCLOB) for oversight on data protection laws. Already in January, Mr
Trump fired all democratic board members of the PCLOB, rendering the
board powerless, as they now lack the required quorum necessary to operate.

This means that the foundation of the TADPF has essentially been
removed, and while EU organisations can still rely on the agreement as
long as it's not formally annulled by the European Commission or the
Court of Justice, it is now more important than ever to have a
contingency plan.

So, since the RIPE NCC applies a risk-based approach, my question would
be: What contingency plan is there in place for the RIPE NCC?
How quickly can they switch to a self-hosted or "hosted in Europe"
model, while still providing essential services to the members?

* Some relevant links with more background information:
https://noyb.eu/en/us-cloud-soon-illegal-trump-punches-first-hole-eu-us-data-deal
https://www.lawfaremedia.org/article/trump-s-sacking-of-pclob-members-threatens-data-privacy
https://berthub.eu/articles/posts/you-can-no-longer-base-your-government-and-society-on-us-clouds/


Timo Hilbrink
Freedom Internet