Impact of US sanctions on IT services
Using US-based IT services in a European context is often criticized. The main argument is about wiretapping and the risk it poses to privacy. This discussion is tied up in a never-ending dance of lawsuits and safe harbor privacy agreement revisions. A smaller argument is about the availability of infrastructure in case of major outages and US customers being prioritized. This is addressed by storing and processing data in Europe. Another smaller argument is the risk of IT service providers abusing their market power or customer insights to their benefit. Recently a new risk was identified: the risk of US sanctions.
In a changing international landscape and with a controversial US government, sanctions against European customers are no longer unthinkable. I wanted to better understand the risk of sanctions on IT services. In this case I mean economic sanctions. I focus on the impact on availability of IT services and not on confidentiality or integrity, for which wiretapping is a greater risk.
The questions I look to address:
- How are sanctions initiated?
- How are sanctions enforced?
- When do foreign organizations have to abide by the sanctions?
- How are IT services affected by sanctions?
Review of sanctions
Let's start with a review of some sanctions in recent history in which IT services are involved.
I won't go into the sanctions themselves to review whether they are legal, moral or fair. All sanctions do have a longer history of international conflict, which at least made the sanctions somewhat expected.
Huawei (2019)
Rooted in the US policy against China, the sanctions against Huawei are broad and affect the internal operations of Huawei, as well as the service offering to customers of Huawei.
Timeline
Sanctions on Huawei have a longer history, but in 2019 service providers to Huawei got affected.
- March 2019: Huawei filed a lawsuit about earlier sanctions. Complaints on later sanctions were added. The trial is scheduled for 2026. Reuters article and The Wall Street Journal article.
- 15 May 2019: Two policies are adopted by the Trump Administration to sanction Huawei. One is a new governmental policy to ban US companies from using telecommunications equipment or services from Huawei. This follows earlier policy to limit use of Huawei in the government. The other is placing Huawei on the 'Entity List' trade restrictions list by the Commerce Department. This now forces Huawei to get US government approval to buy US technology. Reuters timeline and Android Central article.
- 19 May 2019: Google followed the Huawei ban by removing Huawei from their suite of digital products, disabling Google services (including Google Play App store and Google Maps) on the Android devices sold by Huawei. Huawei already had a lawsuit running on the sanctions. Other US-based companies quickly followed the ban, including Qualcomm, Intel, Arm and Microsoft.
- 4 June 2019: China countered by creating a 'list of unreliable entities' to warn Dell and Microsoft not to join Google in the ban towards China. Wikipedia summary and Bloomberg article.
- 15 May 2020: The Trump Administration expands the sanctions by including chips. Reuters article and BBC article.
- 17 August 2020: Bureau of Industry and Security (BIS) imposed controls over certain foreign-produced items to address the threat by Huawei. The specific wording is relevant: "... requirement on certain foreign-produced items when (1) there is knowledge that a listed Huawei entity is a party to the transaction and (2) the foreign-produced item is produced by an overseas plant or major component of a plant that is itself a direct product of U.S.-origin technology or software subject to the EAR and specified in certain Export Control Classification Numbers." BIS announcement.
- September 2020: Intel received a license to ship laptop central processors to Huawei. CGTN article.
- September 2020: Seagate ignores the sanctions and enters into a three-year strategic partnership with Huawei. BIS report after fine.
- November 2020: Qualcomm also received a license from the US government to sell older 4G chips to Huawei. Reuters article.
- September 2021: Seagate complies with the ban and stops providing products/chips to Huawei.
- 19 April 2023: Settlement of a penalty for Seagate of $300 million. BIS publication and Seagate publication.
- March 2024: China adopts a list of government-approved technologies, banning the use of US-made processors, Microsoft Windows and foreign database software. Article by Data Center Dynamics.
- May 2024: US government revokes licenses of Intel and Qualcomm to sell certain (older) chips to Huawei. Article by Data Center Dynamics and article by Tom's Hardware.
Impact
- Loss of access to certain software and hardware for internal use and in products. Later Intel and Qualcomm (and perhaps others) were granted a license to sell certain chips until sanctions increased.
- Reduction in customers, both businesses and consumers, losing significant market share.
- Replacement services needed to be developed to maintain the service offering to customers.
- Honor mobile phone sub brand faced the same sanctions and was eventually sold off.
Complying organizations
Mentioned by sources: Google, Qualcomm, Intel, Arm, Microsoft, Seagate (excluding September 2020 until September 2021), Toshiba, SoftBank, Broadcom, Xilinx, Western Digital, Infineon (voluntarily), and more. Wikipedia overview.
Amsterdam Trade Bank (2022)
The sanctions against Russia not only hit the financial side of the Amsterdam Trade Bank, but also its IT services.
Timeline
- 6 April 2022:
  - US Office of Foreign Assets Control (OFAC) publishes sanctions on the Russian banking sector after the invasion of Ukraine. The targets include Alfa Bank and its subsidiary Amsterdam Trade Bank (ATB), registered in Amsterdam. Published sanctions.
  - US-based companies implement the sanctions by blocking access, including Microsoft and Amazon Web Services. This halted the customer-facing operations of the bank, like the website, as well as the internal services like email and document storage.
- 22 April 2022: Amsterdam Trade Bank is declared bankrupt. The persons to handle the bankruptcy (curators) are appointed to wind down operations.
- April 2022: The curators don't get the necessary access to internal documents and emails to handle the bankruptcy and sue Microsoft and AWS to gain access.
- 3 May 2022: Dutch court case about access to the internal documents and emails. Amazon Web Services lifts the ban right before the court case. The judge orders Microsoft to grant the necessary access and orders a daily fine. In the court case it is argued that Microsoft was allowed some time to implement the actions but did so immediately. Dutch Computable article, Dutch Techzine article, Dutch ATB Wikipedia page, Court case proceedings in Dutch.
- 5 May 2022: US OFAC grants a limited license to wind down operations.
- 12 May 2022: UK grants a limited license until 12 May 2030 to wind down operations. World ECR article and UK government publication.
Impact
- Loss of access to internal data like email and documents.
- Bankruptcy.
- Struggling to even handle bankruptcy.
Complying organizations
At least Microsoft and Amazon Web Services.
Organic Maps (2025)
The geolocation of a single project contributor stopped the entire open source project from operating as GitHub enforced existing US sanctions.
Timeline
- 13 March 2025: After a contributor to the open source Organic Maps project on GitHub was geolocated in a US-sanctioned region, the project was sanctioned by GitHub (part of Microsoft). The project was set to read-only but remained publicly available. The Organic Maps project did not get further details on the reason for the sanctions. The project contacted GitHub to complain and object to the decision, but didn't get an immediate response. Mastodon post from Organic Maps.
- 17 March 2025: In order to unblock the development, the project started to migrate to a self-hosted infrastructure for collaboration.
- Between 17 and 28 March: GitHub reviewed the complaint and unblocked the project.
- 27 March 2025: The migration to new infrastructure was complete, abandoning GitHub. Mastodon post, AlternativeTo article and Lobste.rs article.
Impact
- Complete stall of the project as the infrastructure for collaboration was unavailable.
- As the information was public, there was no significant loss of information. There were also public mirrors to other providers like SourceForge. In the case of a private project, the impact would probably have been more significant because of loss of access.
Complying organizations
GitHub (part of Microsoft).
International Criminal Court (2025)
Sanctions against persons at the ICC directly or indirectly involved with the arrest warrant of Netanyahu resulted in a partial blockade of IT services.
Timeline
- The US already had a long history of undermining the International Criminal Court (ICC), even though it is supported by allies. Wikipedia article. Noteworthy is the act nicknamed 'The Hague Invasion Act', as an indication of how far the US government would be willing to go.
- Past sanctions against officials at the court complicated travel to the US and bank transactions. Several US employees have resigned because of these sanctions. New York Times article.
- 6 February 2025: Trump administration implements sanctions on the ICC after the arrest warrant on Netanyahu. The sanctions go after the persons involved in the arrest warrant and persons that assisted including by providing services.
- 'Soon after': Microsoft blocked ICC access to certain services, including the email account of ICC prosecutor Karim Khan. This is unexpected because on 30 April Microsoft announced they would fight all sanctions in court: "In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court." It is unclear if there was upfront contact between Microsoft and the ICC. Journalists in contact with the ICC mention that there wasn't any contact, whilst Microsoft says there was contact and that the blockage was even a voluntary decision. The prosecutor moved to using Proton Mail to continue internal communications. Dutch iBestuur article, another Dutch iBestuur article, New York Times article, Belgian Knack article, LBC article, and another Belgian Knack article.
- 20 May 2025: The case is discussed in the Dutch Parliament. (Online version via OpenTK). There are actually multiple organizations that have stopped collaboration with the ICC or are considering doing so. The sanctions severely impacted the operation of the ICC. The minister expresses the concern of 'overcompliance', where organizations implement more sanctions than strictly necessary. The European Commission could initiate a 'blocking statute' as a countermeasure. It is uncertain if a blocking statute would be effective.
Impact
- Earlier sanctions made the work difficult for US colleagues, so they left.
- Loss of access to data and services. Having to use different service providers to continue internal communications.
- Multiple organizations stopping collaboration with the ICC, or considering doing so.
Penalties for not complying
While the Amsterdam Trade Bank was sanctioned entirely, some European organizations were sanctioned for not complying with the US sanctions. Hunton article.
- Toll, a logistical company from Austria, agreed to pay a $6.1 million fine to settle nearly 3,000 separate violations of Iran, North Korea and Syria sanctions. Lloydslist article.
- Swedbank, a Swedish bank, agreed to pay a $3.4 million fine for shortcomings to prevent money laundering in the Baltic region. Wall Street Journal article.
Conclusions of sanctions
- Sanctions are used more often to support foreign policy.
- US companies have to comply with US sanctions policy. If they don't comply, they get fined. In the case of Seagate the fine was more than twice the net profit of the illegal exports, making it a net negative.
- Larger companies comply quickly, even if the deadline left some more time, as in the case of the Amsterdam Trade Bank.
- There is a risk of 'overcompliance' where companies apply more sanctions than strictly necessary.
- Affected organizations can go to US court, but a provisional relief of sanctions seems impossible and the court case will take time.
- Loss of access to IT services including data has an existential impact on an organization.
- A blocking statute can be initiated by the European Commission, but its effectiveness is questionable.
Trends in sanctions
- According to lawyer Sara Elizabeth Dill, specializing in sanctions compliance, the Trump administration increasingly uses sanctions and executive orders. New York Times article.
- The Center for Economic and Policy Research (CEPR) observes an increase in the number of US sanctions and questions their legality under international legislation. CEPR report.
Mitigating measures for providers
What can providers do against sanctions?
Organizational measures
Providers confronted with the sanctions have to comply or face strong penalties, making compliance the only reasonable option from a business perspective. What could providers do to avoid being affected by these sanctions?
- By not doing business in the US, the US government would not have leverage to impose sanctions or apply penalties. The US government would have to step up and apply secondary sanctions to the company that would not comply with the sanctions.
- A separate legal entity subsidiary might be a solution, as Amazon Web Services is creating for Europe. Datacenter Dynamics article. Due to the direct relationship it might not be sufficient to avoid a penalty to the holding. In the case of AWS, the European entity would offer a service using software from the parent organization, which could be subject to sanctions. This is similar to the questions raised on the sovereign clouds where Delos (by SAP) used technology from Microsoft and the cloud by Thales will use technology by Google. Bert Hubert article in Dutch. In case of sanctions the service offering could maybe be limited to just the parts that are not explicitly part of the sanctions.
Reducing susceptibility to US sanctions as a provider is difficult and not watertight.
Reduce customer impact
Another approach is to reduce the potential impact on the customer:
- If the customer has access to a backup of all information in a standard machine-readable format, it could migrate to an alternative service.
- If the provider offering is open source software, the sanctioned organization could still keep software up to date from the open source community. This removes the need to migrate to a different solution. When business can resume because sanctions are lifted or a governmental license is granted, the company could again offer the service on the open source product.
Open source
Open source projects are only partially immune to sanctions. As seen in the case of Organic Maps, the project infrastructure was blocked by sanctions. The Linux kernel project is legally registered in the US and has to comply with sanctions as well. They introduced the policy of not interacting with sanctioned persons and organizations. Sanctioned organizations are, however, still able to access the open source software due to its public nature. Linux Weekly News article and The Register article.
Conclusions
US sanctions in Europe used to be unthinkable. In the meantime US sanctions have been applied to organizations based in Europe. IT services became unavailable as a result. Providers get large fines for not complying with the sanctions, ensuring that sanctions come into effect.
The sanctions take effect immediately, increasing their impact. Objecting to sanctions is not a short-term solution as it will result in a lengthy legal trial without provisional lifting of sanctions. The only real option left is to migrate to a different provider, if one is even available, or to build an alternative in-house.
Although the likelihood of sanctions is low, it is no longer unthinkable. Given the major impact, it is important to incorporate this scenario in the IT strategy and operations.
Course of action
What can customers of US IT services do to reduce the impact of possible US sanctions? Here are some things I can think of:
- Use providers without business in the US to limit the exposure to US foreign policy.
- Back up important data under your own control in a standard format to be able to restore even if the associated software is no longer available.
- Use open source software to be able to restore a similar service.
- Use open standards for system interfaces to migrate to alternative services more easily.
Continue the discussion
Sanctions are a complicated topic and there are many aspects to the discussed cases. With this blog post I aim to contribute to the discussion on digital sovereignty. Please contact me if you have suggestions for information I should look into, or information I should correct.