Jurisdiction Adaptations
Each partner jurisdiction adapts the common framework to its specific governance, compliance, procurement, and operational requirements while maintaining interoperability.
Potential Future Partners: Asia-Pacific Expansion
The current framework focuses on UK, EU, Canada, and Australia. However, two significant Asia-Pacific allies face identical sovereignty challenges and could substantially strengthen the coalition.
Strategic Case for Asia-Pacific Inclusion
- Supply chain resilience: SK Hynix and Samsung produce ~45% of global memory chips. Coalition access to this supply chain is strategically vital.
- Hardware manufacturing: Reduces dependency on Chinese manufacturing for servers/networking equipment.
- Geographic distribution: Asia-Pacific datacentres provide latency/DR options for Australian operations.
- Economic weight: Combined GDP of Japan + South Korea (~$7T) significantly strengthens coalition negotiating power.
- Shared threat perception: Both nations face similar US coercion risks and China tensions, creating alignment on sovereignty.
Geopolitical Consideration: Chinese Open Source Contributions
A realistic assessment of sovereign cloud infrastructure must address the role of Chinese contributions to the open source ecosystem. This is complex and requires nuanced analysis.
Opportunities
Existing significant contributions:
- Linux kernel (Huawei, Alibaba, Tencent among top contributors)
- Kubernetes (significant Chinese corporate contribution)
- OpenStack (active Chinese deployments and contributions)
- Apache projects (multiple Chinese-originated projects in incubation)
Chinese-originated projects of note:
- openEuler: Enterprise Linux distribution (Huawei)
- openGauss: PostgreSQL-compatible database (Huawei)
- PolarDB: Cloud-native database (Alibaba)
- TiDB: Distributed SQL database (PingCAP)
- Apache ShardingSphere: Database middleware
- Apache DolphinScheduler: Workflow orchestration
Strategic alignment:
- China benefits from weakening US tech dominance
- Open source leadership builds soft power
- Common interest in non-US infrastructure standards
- Fragmented Western cloud market serves Chinese interests
Risks & Concerns
Security concerns:
- Potential for subtle backdoors or vulnerabilities
- Supply chain compromise at code level
- Long-term maintenance/support concerns if geopolitical situation changes
- Difficult to audit at scale even with open source
Political concerns:
- Optics of "Chinese infrastructure" in government systems
- Five Eyes intelligence sharing implications
- Parliamentary/congressional scrutiny
- Media/public perception risk
Operational concerns:
- Security clearance for integration contractors
- Restricted access to certain environments
- Export control complications
- Dual-use technology considerations
Dependency risk:
- Replacing US dependency with Chinese dependency
- Future geopolitical shifts could create new coercion vector
Recommended Approach
| Category | Approach | Rationale |
|---|---|---|
| Foundational infrastructure (Linux kernel, K8s, etc.) | ACCEPT | Already ubiquitous. Extensively audited by global community. Chinese contributions are minority of codebase. Impractical to avoid. |
| Neutral foundation projects (Apache, CNCF hosted) | ACCEPT | Foundation governance provides oversight. Diverse contributor base. Code review processes in place. Origin less relevant than quality. |
| Chinese-originated projects (openEuler, openGauss, etc.) | EVALUATE | Case-by-case assessment. Consider: project maturity, community diversity, alternative options, security audit feasibility, deployment context. |
| Direct collaboration (joint development, direct partnership) | AVOID | Political risk too high. Intelligence concerns. No direct government-to-government or consortium-to-Chinese-company arrangements. |
| Security-critical components (HSMs, crypto, auth systems) | AVOID | Use only Western/allied-origin security components. No Chinese-originated cryptographic implementations regardless of open source status. |
Practical Reality
Any modern cloud platform already contains Chinese-contributed code in the Linux kernel, Kubernetes, and dozens of supporting projects. The question is not "whether" to use Chinese contributions but "how" to manage the risk appropriately. A blanket ban is neither practical nor necessary. Targeted exclusion of security-critical components combined with standard open source security practices (code review, SBOM, vulnerability scanning) provides adequate protection.
Jurisdiction Comparison
| Aspect | UK | EU | Canada | Australia |
|---|---|---|---|---|
| Data Protection | UK GDPR, DPA 2018 | EU GDPR | Privacy Act, PIPEDA | Privacy Act 1988 |
| Security Framework | NCSC CAF, Cyber Essentials | NIS2, ENISA | ITSG, CSE guidance | PSPF, ISM |
| Classification Scheme | OFFICIAL, SECRET, TS | Varies by member state | Protected A/B/C, Secret | PROTECTED, SECRET, TS |
| Procurement Framework | G-Cloud, DOS, CCS | EU Procurement Directives | PSPC, TSPS | Whole-of-Government |
| Architecture Standard | GDS Service Standard | EIF, ISA² | GC Enterprise Architecture | AGA, Digital Service Std |
| Est. Gov Cloud Spend | £3-5B/year | €15-25B/year | CAD 3-5B/year | AUD 4-6B/year |
| Primary US Dependency | AWS, Azure | Azure, AWS | AWS, Azure | AWS, Azure |
Adaptation Documentation Structure
Each jurisdiction adaptation covers the following areas:
Governance Mapping
How the common framework aligns with jurisdiction-specific governance frameworks, approval processes, and architectural standards.
Compliance Requirements
Specific regulatory, privacy, and security compliance requirements including data protection laws and security classifications.
Procurement Constraints
Procurement rules, frameworks, and processes including domestic preference policies and existing contract vehicles.
Current State Landscape
Assessment of current US cloud adoption, major dependencies, and existing sovereign capability.
Target Architecture
Jurisdiction-specific sovereign cloud architecture design adapted from the common framework.
Migration Roadmap
Phased migration approach tailored to jurisdiction priorities, budget cycles, and political realities.
Supplier Ecosystem
Assessment of domestic and regional sovereign cloud providers available in the jurisdiction.
Investment Case
Jurisdiction-specific ROI analysis including local economic benefits and risk quantification.
Sovereignty Preserved
Each jurisdiction adaptation represents that nation's sovereign choices within the common framework. No jurisdiction is bound by another's decisions. The framework enables coordination without requiring uniformity.
Common standards. Independent implementation. Full sovereignty retained.