United States of America: Closed consultation on rule to implement the AI Executive Order requiring user identification for IaaS providers

On 29 April 2024, the Secretary of Commerce of the United States closed its consultation on the proposed rule to implement the Executive Order requiring Infrastructure as a Service (IaaS) providers to verify the identity of their foreign customers. It mandates risk-based identity verification procedures, flexible methods, and steps for failed verifications. Recordkeeping requirements involve maintaining, protecting, and accessing records for two years. Foreign resellers must adhere to CIP requirements, with US providers reporting and terminating relationships for malicious cyber activity. Annual updates and certifications on CIPs are proposed, attesting to compliance and addressing changes. Exemptions are possible based on compliance with security best practices. The order also includes procedures for granting exemptions and authorising special measures to deter foreign malicious cyber actors' use of US IaaS products.