With insights from Thomas Bossard, Principal Security Consultant & People Lead (thomas.bossard@zuehlke.com), and Tizian Glanzer, Junior Security Engineer (tizian.glanzer@zuhlke.com)

The new reality: rising legal risk and uncertainty

Recent developments under the current United States administration have amplified ambiguity around its socio-economic trajectory and global positioning. This unpredictability raises several questions about reliance on cloud services from US-based hyperscalers:

- Is data still protected from access by US authorities?
- Are current Lawful Access Reviews (LARs) adequate to address the evolving risk landscape?
- How severe is the dependence on single vendors in the event of service disruptions?

Some of these legal implications are explored in a blog article by David Rosenthal, which also discusses changes in risk and their assessment. At the heart of the growing concern are three key developments: the removal of PCLOB members, government access to enterprise data, and legal mandates that undermine contracts.

Key developments

Removal of PCLOB members

The new government's attempt to dismiss the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) will likely weaken the US-EU/US-CH Data Privacy Framework (DPF) over time. This framework enables data transfers between the EU and the US, ensuring that data is protected according to local regulations, particularly the GDPR. The DPF also includes safeguards, such as limitations on US surveillance, to ensure adequate protection for EU citizens' data.

Government access to enterprise data

Despite legal and contractual safeguards, concerns persist that US hyperscalers may allow government access to customer data under vague pretexts (e.g., alleged criminal activity). While providers are contractually and legally obliged to resist such access, enforcement ultimately depends on government compliance and judicial oversight.
The blocking of ICC Chief Prosecutor Karim Khan's Outlook account highlights how these safeguards are not always upheld, casting serious doubt on their reliability.

Legal mandates that undermine contracts

New US legislation could override crucial data privacy clauses, rendering them ineffective overnight. The ongoing legal and political volatility makes it increasingly difficult to assess the likelihood and impact of such changes. There is growing concern that the US may impose legal obligations on its hyperscalers that conflict with European privacy standards. Although contracts often include clauses resisting foreign government access, these protections only apply as long as they do not conflict with US law. Should new legislation be passed, these clauses could become invalid or severely weakened, leaving European customers exposed and compromising trust in cloud providers.

Zühlke's assessment: time for strategic realignment

Given the changing risk landscape, organisations must reassess their technical measures and safeguards. While the above risks have not yet fully materialised, the dynamic geopolitical climate demands that Lawful Access Reviews and Cloud Compliance and Risk Assessments (CCRAs) be reassessed and updated to remain effective. Current CCRAs are based on FLARA (Foreign Legal Access Risk Assessment), a framework that no longer fully reflects today's geopolitical realities; without updates, CCRAs risk being outdated or incomplete. We recommend that companies, particularly in regulated sectors such as finance or critical infrastructure, review and adapt their risk assessments. This means updating technical and organisational measures to address emerging legal and geopolitical risks.
David Rosenthal's team has developed an updated FLARA template reflecting this shift. In parallel, Business Continuity Management (BCM) and cloud exit strategies have become indispensable elements of a modern resilience strategy, and they are now more critical than ever. Our project experience shows that these areas are often addressed superficially, so closing existing gaps and rethinking strategies is now urgent.

Recommendations for action

1. Update CCRA, FLARA, and associated measures

Conduct a full review of your CCRA and related documentation for relevance and adequacy, incorporating the updated FLARA into the reassessment. These evaluations often surface a wide range of technical and organisational needs for secure and compliant cloud operations. In many organisations, much of this is already covered by an established security framework. If that is not yet the case, there are accessible, practical entry points: the OWASP Cloud Security Cheat Sheet and the Cloud-Native Application Security Top 10 provide clear, actionable guidance for building a stronger, more resilient cloud security posture.

2. Prioritise Business Continuity Management (BCM)

BCM is complex and often underestimated. It refers to an organisation's ability to maintain or rapidly restore critical processes during disruptions, from ransomware attacks to cloud service failures. While the specific scenarios differ, the underlying response playbooks tend to overlap, which is why they must be clearly documented, routinely tested, and continuously improved. We strongly advise addressing BCM at an early stage and in a structured manner. How well is your company organised in this area? Ideally, you should be able to answer all of the following questions in the affirmative.
If not, there is a concrete need for action.

- Has an organisational structure for dealing with incidents been defined and documented?
- Are responsibilities and roles, such as BCM officers and crisis teams, clearly assigned?
- Is a BCM plan in place that describes flow charts, escalation paths, and communication strategies?
- Are the performance requirements for implementing the business continuity requirements defined?
- Are the capacity requirements for implementing the business continuity requirements described?
- Have these requirements been derived from a systematic business impact analysis (BIA)?
- Has a recovery time objective (RTO) been defined for each critical IT service?
- Has a recovery point objective (RPO) been defined for each relevant IT resource?
- Is the effectiveness of the BCM plan reviewed at least annually through tests or exercises?
- Are findings from tests documented and fed back into the plan (continuous improvement)?
- Do the BCM scenarios outlined cover a complete failure of your cloud infrastructure?

3. Create a cloud exit strategy before you need it

The term "exit strategy" is often dismissed because of alarmist narratives or a reluctance to confront uncomfortable truths. Cloud exits are complicated and expensive because of vendor lock-in and insufficient on-premises capabilities, but not planning for one could be far more costly. You should therefore consider potential cloud exit strategies and their specific implementation options at an early stage, so that you can act swiftly in an emergency. Depending on your organisation's technical maturity, risk appetite, and strategic direction, exit strategies may take very different forms. We identified three primary exit routes:

Switch hyperscalers / go multi-cloud

Switching to another US hyperscaler or adopting a multi-cloud strategy boosts flexibility, innovation, and scalability, but it comes at a cost.
It demands high cloud maturity, increases complexity, and drives up operational overhead (e.g., staff training). Crucially, reliance on US providers remains, so if your concerns are driven by US policy, this path will not resolve them. This option is best suited to companies with high technological maturity and established multi-cloud capabilities.

Outsource to a local cloud provider

A local provider can offer better availability, resilience, and geo-redundancy if capacity is secured early, especially in a crisis. However, migration costs are high, and supplier relationships must be in place upfront. In the worst case, a mass exit from public cloud infrastructures could strain local capacity; whether local providers (e.g., in Switzerland) can meet that demand remains an open question.

Build an in-house IT infrastructure (on-premises)

Transitioning to a fully in-house infrastructure requires an efficient IT organisation capable of taking over operations within a few weeks during a crisis. It demands comprehensive internal expertise and a well-functioning hybrid cloud environment. While it provides maximum control and independence, it also involves significant upfront costs, limited scalability, and high operating expenses. A lean on-prem setup for crisis scenarios, paired with a clear risk acceptance strategy, offers a more balanced alternative.

"In times of rising uncertainty, resilient cloud solutions require robust threat models and realistic risk assessments, as well as sustainable mitigation measures such as failover processes to alternative solutions."
Raphael Reischuk, Partner and Group Head Cybersecurity

How we can help you build resilience

Organisations may believe they are compliant and competitive today, but often only because their risk models have not caught up with the new geopolitical reality.
In 2025, true compliance and resilience require treating cloud risk as a strategic priority. At Zühlke, we help customers build sustainably secure cloud solutions. We identify critical gaps, both organisational and technical, and implement the necessary organisational changes. This includes:

- Reviewing and updating FLARA and CCRA frameworks
- Designing Business Continuity Management (BCM)
- Developing actionable cloud exit strategies

Wherever you are on your cloud journey, Zühlke is your partner for building resilient, future-ready solutions.