DLx Law Alert: Commerce Department Proposes Rule to Require Cloud Infrastructure Service Providers to Adopt Enhanced KYC and Due Diligence Procedures Due to National Security Concerns

Dall-E_Commerce Depart National Security Rule 03.08.24

Important Alert

The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) has proposed a rule1 that could mark a significant development in the regulation of network infrastructure providers and digital assets (or “crypto assets”). The proposed rule seeks to address national security concerns associated with what the proposal refers to as U.S. “Infrastructure-as-a-Service” (“IaaS”) providers.2 The proposal nevertheless also could have a significant impact on users and service providers in the crypto asset sector in the United States. The proposal focuses on what are very broadly described as “significant malicious cyber-enabled activities” under a set of Executive Orders remaining in place from 20153 and 20214.

More specifically, among other things, the proposed rule introduces stringent requirements for laaS providers, including crypto asset infrastructure and infrastructure services providers involved in decentralized finance (DeFi), Staking as a Service, the exchange and availability of crypto assets, or the broader blockchain environment. The proposed rule is unprecedented in scope, seeking to require cloud infrastructure providers and all others it characterizes as IaaS providers to adopt enhanced know-your-customer (“KYC”) and due diligence procedures. While the proposal is applicable to U.S. IaaS providers, the requirements imposed on “foreign resellers” of U.S. “IaaS products” could potentially extend extraterritorially and impose the proposed requirements on a global scale. Consider the notes below, which focus on the proposed rule’s potential impact on those IaaS providers contributing to the U.S. digital asset sector.

Key components of the proposed rule

  • Enhanced KYC requirements: IaaS providers, potentially including many service providers in the digital asset sector, would be required to implement advanced KYC procedures to prevent “misuse” of their platforms for malicious cyber activities.
  • Due diligence requirements: IaaS providers would be required to conduct thorough due diligence to ensure their services are not exploited by actors engaged in cyber-enabled threats.
  • National security focus: The rule underscores the national security implications of inadequate controls in the digital assets space, aiming to mitigate risks associated with “significant malicious cyber-enabled activities.”

Potential impact on the digital asset sector

  1. Operational challenges: The enhanced KYC and due diligence requirements could potentially be impractical if not impossible to implement, because it would likely impose significant operational burdens on crypto asset service providers, potentially limiting their efficiency and scalability.
  2. Compliance costs: Small and medium-sized enterprises (“SMEs”) in the blockchain sector would likely face significantly increased (if not prohibitive) compliance costs, which could impact their competitiveness and innovation capabilities, as well as the willingness of early-stage capital providers to fund these businesses.
  3. Market dynamics: In light of these compliance costs, there is a high likelihood the proposed rule would lead to a consolidation in the digital asset sector, favoring large players with sufficient resources to comply with the extensive new regulations.
  4. Innovation & growth: While the proposed rule would aim to protect national security, there is a risk that overly stringent regulations could stifle innovation and growth within the digital assets industry.
  5. International considerations: The global nature of the digital assets sector means the proposed rule could have far-reaching implications, potentially affecting international cooperation and regulatory alignment.


The BIS’s proposed rule represents a pivotal moment in the regulation, and perhaps viability, of the crypto asset sector, reflecting a growing recognition of the sector’s national security implications. While the proposed rule would aim to safeguard against malicious cyber activities, for the continued viability of the crypto asset sector, it is imperative that the proposal’s implementation balances security concerns with the need to protect ongoing technological innovation and growth in the crypto assets industry.

Comments are due by April 29, 2024. Stakeholders ought to strongly consider providing thoughtful comments and closely monitor the proposed rule’s development. While the commentary could result in a re-proposal or at least important modifications to the proposed rule, IaaS providers engaging in the crypto asset sector should prepare for its potential impact on operational practices, compliance costs, and market dynamics. Collaboration and dialogue between the industry and regulators will be crucial to ensure any final rule achieves its security objectives without unduly hampering the vibrant blockchain and crypto asset sector.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –


1. Comm. Dep’t, Ind. & Sec. Bur., Proposed Rule Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, 89 Fed. Reg. 5698, 5698-5735 (Jan. 29, 2024), available at https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious [hereinafter Commerce Department Proposed Rule].

2. A U.S. IaaS provider could potentially include at least any provider of blockchain-based infrastructure or infrastructure services and any provider of cloud-based storage or computer processing services. As defined in the proposed rule, “United States Infrastructure as a Service provider” means any U.S. person offering any product or service “to a consumer, including complimentary or ‘trial’ offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications,” and where “[t]he consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications …” See Congress Department Proposed Rule, 89 Fed. Reg. 5726 (§ 7.301) for the full definition.

3. See E.O. 13694, Executive Order Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (Apr. 1, 2015), https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities.

4. See E.O. 13984, Executive Order Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities (Jan. 19, 2021), https://www.federalregister.gov/documents/2021/01/25/2021-01714/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –


The contents of this communication are intended for general informational purposes only. This is not an attorney-client communication, and you therefore should not consider the content of this communication as legal or regulatory advice or a legal opinion in connection with any specific facts or circumstances. This communication is not intended as attorney advertising, but it might be considered attorney advertising in certain jurisdictions. Read our full legal disclaimer.

Read the full article on the link below

Read more

Amil Malik

Amil assists with various client matters in connection with digital assets and the adoption of blockchain technology, including general corporate law, securities law, and financial services regulation. She joined DLx Law after receiving her J.D. from the George Washington University School of Law, where much of her studies focused on national security and cybersecurity law.

Amil received her B.B.A./B.A. with high honors from the University of Texas at Austin. Between university and law school, Amil worked as a mergers and acquisitions analyst in New York, where she performed financial valuations and analysis as part of advisory services provided to sell-side and buy-side clients across media, consumer, technology, shipping, and financial technology industries. Amil is licensed to practice law in the District of Columbia.

Tom Momberg

+17186645458 tom.momberg@dlxlaw.com

Tom advises clients in an array of matters related to blockchain technology, decentralized finance, banking and payments systems, financial products, and financial technology applications. He joined DLx Law as an attorney after working as in-house counsel for a payments and banking software service provider, advising on various legal and regulatory matters, operations, risk, customer due diligence, and corporate best practices.

Tom received his J.D. from George Mason University Law School in Virginia and his B.A. from the University of Wisconsin-Milwaukee. Tom is a former journalist, and, while in law school, he interned for DLx Law and served as a law clerk for several federal institutions in Washington, D.C., including the CFTC, FCC, and House Judiciary Committee. Tom is admitted to practice law in the District of Columbia and the State of Oregon.

Sarah Chen

+19296345691 sarah.chen@dlxlaw.com

Sarah advises clients in all matters related to the adoption of blockchain technology, including general corporate, venture financing, securities laws and financial regulatory. Prior to joining DLx Law, Sarah was a senior associate in the M&A group of an international law firm headquartered in New York City, advising public companies and private equity firms on mergers, acquisitions, and other corporate transactions.

Sarah received her B.A. from New York University, magna cum laude, and her J.D. from Columbia Law School where she was a James Kent Scholar. During law school, Sarah also served as a judicial extern to the Hon. Debra Ann Livingston of the U.S. Court of Appeals for the Second Circuit. Sarah is licensed to practice law in the State of New York.

Gregory Strong

+3027665535 greg.strong@dlxlaw.com

Greg focuses on advising entities regarding legal issues associated with the adoption of blockchain technology. Prior to joining DLx Law, Greg was a Deputy Attorney General in the Delaware Department of Justice. He served as the Director of the Investor Protection Unit for three years and was responsible for administering and enforcing the provisions of the Delaware Securities Act. Prior to his appointment as Director of the Investor Protection Unit, Greg was the Director of the Consumer Protection Unit for three years.

Greg has successfully represented the State of Delaware in many complex civil enforcement matters alleging violations of Delaware investor and consumer protection statutes and has extensive litigation experience. Greg graduated from Lehigh University with a B.S. in Finance and received his J.D./M.B.A. from Temple University.

Angela Angelovska-Wilson

+12023651448 angela@dlxlaw.com

Angela is an early distributed ledger technology adopter and a leading authority in the evolving global legal and regulatory landscape surrounding distributed ledger technology and smart contracts. Prior to co-founding DLx Law, Angela served as the Chief Legal & Compliance Officer of Digital Asset and was part of the founding team.

Prior to joining Digital Asset, Angela was a partner at Reed Smith where she regularly advised clients on the implementation of new technologies to finance and the complex regulatory schemes involved in the development, creation, marketing, sale and servicing of various financial services and products. Before Reed Smith, Angela spent most of her career in various roles at Latham & Watkins, where she was recognized by The Legal 500 US among the top finance attorneys in the U.S.

Angela has a deep understanding of the Fin-Tech industry and in particular the distributed ledger industry, having been involved in a number of startups in various roles, as an employee, entrepreneur and advisor. In addition to DLx Law, Angela is also co-founder of Sila Inc., an innovative technology company.