Key Takeaways 1
Introduction 3
Trusted Cloud Is Critical to Global Data, Cybersecurity, and Technology Governance 7
Country Case Studies 8
　Australia’s Critical Infrastructure Act and How One Problematic Firm Shaped It 8
　Costa Rica’s Trusted Supplier Decree Uses the Budapest Convention as a Criterion to Assess 5G Trustworthiness 9
　The Czech Republic Uses EU and NATO Membership, Plus Other Criteria, to Assess 5G Trustworthiness 10
　The European Union’s Cloud Cybersecurity Regime and Its Sovereignty Requirements 10
　France’s Discriminatory Cloud “Sovereignty” Requirements 11
　Germany’s Information Security Law Uses Several Non-technical Criteria to Assess Trustworthiness 12
　India’s Evolving Cloud Cybersecurity Certification Scheme and Its Efforts to Target Chinese Hardware, Software, and Data 12
　Korea’s Unprecedented Public Sector Cloud Restrictions 13
　Romania Uses Strategic Partnerships as Criteria to Assess 5G Trustworthiness 14
　The United Kingdom’s Investigatory Powers Act Undermines Cloud Trustworthiness 14
　The United States’ Problematic Clean Network and Cloud Initiatives and Proposed Expansion of Data Localization in FedRAMP 15
Technical and Legal Criteria for Assessing Trusted—and Untrusted—Cloud Service Providers 15
　International Standards Are Foundational to Cloud Cybersecurity and Trustworthiness 16
　Cloud Cybersecurity Certifications Are Critical Points of Commonality and Conflict 18
Map and Work to Align Technical Controls and Standards, Audits, and Cloud Certification Requirements 20
　Government Access to Data: Assessing Legal Frameworks and What Happens in Practice 23
Transparency Reports About Government Requests for Data Provide Critical Transparency and Data on Cloud Trustworthiness 25
　Government Operational Control Over Cloud Services 26
　Cooperation With Cybersecurity Authorities Demonstrates Cloud Trustworthiness 27
Legal Criteria to Assess Geopolitical Risks and Cloud Trustworthiness 28
The OECD’s Data Free Flow with Trust Secretariat Should Be the Forum for Trusted Cloud Discussions 30
Conclusion 31
Endnotes 33