Computer & Communication Industry Association
PublishedFebruary 26, 2024

CCIA Submits Comments Seeking Changes to Korea’s Cloud Certification Rules

Washington – The Computer & Communications Industry Association filed comments today with South Korea’s Ministry of Science and Information and Communications Technology, asking the agency to adjust its requirements for cloud computing service suppliers seeking to provide service to the public sector in Korea. Last year, Korea made modest changes to its certification process (Cloud Security Assurance Program, or CSAP) applicable to low-risk services, a small part of the market.  However, since it left in place numerous other restrictions, not a single foreign supplier has so far succeeded in qualifying to offer cloud services, even at the lowest tier of risk level possible.

The proposed updates to CSAP, targeting mid- and  high-risk service do nothing to improve the ability of foreign suppliers to serve this market segment–the most important part of the market.  As these requirements are clearly designed to favor local competitors, they are a case of de facto discrimination that is  inconsistent with Korea’s obligations under both the WTO and the Korea-United States FTA (KORUS).  

The following can be attributed to CCIA Vice President of Digital Trade Jonathan McHale: 

“Korea’s proposed amendments to its CSAP requirements fail to provide foreign providers with the certainty that they can fairly participate in the public sector market, as guaranteed through international trade commitments. If the Korean government follows through on these amendments, it will harm both Korean government agencies and U.S. cloud service suppliers that represent major drivers of U.S. economic strength. Korea’s public sector will be deprived of state-of-the-art cloud systems, while U.S. firms will be unable to tap into this market where they have invested significantly already.”