U.S. Big Tech raises concerns over Seoul's proposed cloud security rules

Major players worry that new rules favor domestic firms, on the heels of a U.S. House report leveling accusations of “discriminatory attacks” against Coupang Inc.

Published Modified
A Google sign is displayed on one of the company's buildings at its campus in Mountain View, California, on Sept. 24, 2019.

Major U.S. cloud providers are urging Washington to push back against South Korea’s planned overhaul of the security approval system for cloud providers serving its government agencies, arguing that the changes could unfairly shut them out of the market and violate the South Korea-U.S. FTA.

The dispute threatens to broaden an already escalating conflict over South Korea’s digital regulations targeting U.S. technology companies following the July 1 release of a U.S. House Judiciary Committee report which accused the country of “discriminatory attacks” against Coupang Inc. The report states that the e-commerce giant has been unfairly treated by the South Korean government following its user data breach in November of last year.

U.S. Big Tech companies recently met with Michael G. DeSombre, assistant secretary of state for East Asian and Pacific Affairs , and David Wilezol, deputy assistant secretary for Japan, Korea and Mongolia, at the U.S. Department of State's Bureau of East Asian and Pacific Affairs to discuss South Korea's planned overhaul of public cloud security regulations, according to sources in Washington's diplomatic and technology circles on Sunday.

“U.S. companies expressed concern that South Korea’s decision to replace the existing dual public cloud security certification process administered by the Ministry of Science and ICT and the National Intelligence Service [NIS] with a single verification system under the NIS would create serious restrictions on market access and raise fairness concerns for U.S. companies,” a technology industry source who attended the meetings told the JoongAng Ilbo.

The Science Ministry and the NIS announced on April 20 a plan to overhaul the Cloud Security Assurance Program (CSAP) for the public sector by consolidating certification procedures and authority under the NIS.

Under the revised framework, the existing CSAP system will become a private sector certification while the NIS will hold final authority over public sector access.

The government plans to introduce the National Network Security Framework as the new certification system that will serve as the exclusive standard for public cloud operations.

“We plan to revise the national cloud computing security guidelines during the first half of the year, allow a one-year grace period and fully implement the system in the second half of next year,” said the NIS in April.

National Intelligence Service headquarters

However, U.S. technology companies argue that the overhaul could become a major barrier to their entry into the South Korean market. U.S. Big Tech players are particularly concerned that a requirement for “physical network separation,” which they believe is likely to be included in the revised security guidelines, would create barriers for U.S. cloud service providers such as Amazon Web Services, Microsoft Azure and Google Cloud.

“Physical network separation” requires data storage servers to be housed on dedicated hardware in physically separate facilities. In effect, it requires cloud providers to build separate infrastructure, such as data centers, in South Korea.

U.S. technology companies argue that building separate data centers would impose enormous costs and amount to a protectionist technical trade barrier that blocks global companies from entering the South Korean market.

The tech companies argue that cloud providers worldwide are built on “logical network separation,” which electronically and automatically isolates data spaces within a single server through advanced software technologies and encryption controls.

An Amazon data center in Ashburn, Virginia

The South Korean government emphasizes that this is a national security issue because of the country’s unique geopolitical situation, namely its proximity to North Korea.

However, U.S. technology companies disagree. The companies note that Taiwan and Israel face similar security threats but still allow global cloud providers such as Google and Amazon Web Services to operate using logical network separation.

“South Korea may be the only country where an intelligence agency leads cloud security verification,” a U.S. technology industry source said. “The [U.S.] State Department, the broader U.S. administration and [U.S.] Congress are all well aware of the challenges facing global cloud companies and are closely watching the South Korean government.”

U.S. cloud companies are also raising fairness concerns. They say some U.S. companies already meet the existing low-risk CSAP certification standards. Even so, only South Korean companies have been automatically included on the NIS’s list of approved providers while U.S. companies have been excluded.

The companies view the South Korean government’s decision to require only U.S. companies to undergo a separate application process as a violation of the national treatment principle, a core premise of the Korea-U.S. FTA.

The U.S. Department of Commerce building is decorated for the Fourth of July celebration in Washington on July 2.

The U.S. technology industry has already reportedly conveyed these concerns to the U.S. Department of Commerce and the U.S. Trade Representative and is discussing possible responses with them.

As of now, the U.S. government and the U.S. Congress are reportedly keeping an eye out on what the NIS would include in its upcoming revised security guidelines. The revised guideline has yet to be released as of July.

U.S. technology companies are preparing a full response if the revisions explicitly require physical separation, viewing such a move as a violation of the trade agreement reached by the South Korean and U.S. governments last year.

 “The United States and Korea commit to ensure that U.S. companies are not discriminated against and do not face unnecessary barriers in terms of laws and policies concerning digital services, including network usage fees and online platform regulations,” the joint fact sheet released in November of last year outlining the two countries’ trade and security agreements read.

The United States Capitol in Washington as seen on June 18

“It will become a major issue if South Korea’s security guidelines include a physical separation requirement,” a diplomatic source in the United States said. “South Korea wants to build nuclear-powered submarines and secure the capability to reprocess spent nuclear fuel. If technical barriers to cloud security become a reality, more people in the United States will start asking, ‘If South Korea isn’t treating our companies fairly, why should we do business with South Korea on these issues?’”

In other words, a public dispute over cloud security could hurt follow-up security talks between South Korea and the United States, such as discussions on nuclear-powered submarines.

The South Korean government insists the overhaul is not intended to discriminate against foreign technology companies or shield domestic firms from competition. Instead, officials say the goal is to strengthen security while simplifying the approval process for cloud providers.

Under the previous system, cloud providers seeking to enter the public sector first had to obtain CSAP certification from the Science Ministry before undergoing a separate security review by the NIS. The revised framework consolidates those reviews under the NIS.

Harold Rogers, interim CEO of Coupang Korea, answers questions from lawmakers at a joint parliamentary hearing on Coupang's personal data leak, unfair trade practices and labor conditions at the National Assembly in Yeouido, western Seoul, on Dec. 30, 2025.

The dispute comes as tensions between South Korea and the United States over digital regulation have already spilled into public view.

On Thursday, a White House official accused the South Korean government of “discriminatory targeting,” saying Coupang Inc. was being “singled out” by the Lee Jae Myung administration following the e-commerce giant's data breach in November.

South Korea's Ministry of Foreign Affairs rejected the allegations, saying regulatory actions against Coupang had been carried out fairly under South Korean law regardless of a company's nationality.



BY KIM HYOUNG-GU [[email protected]]

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.