CHANGELOG · REGULATORY CONTEXT

What shipped, and what shipped the need for it.

Two threads, interleaved: product updates on one side, the EU–US regulatory events that make the product necessary on the other.

01 · Product updates

What landed.

MAR 2026
Operator adds broker TLS certificate rotation
The cloudtaser operator now supports automatic TLS certificate rotation for the broker component. Combined with audit logging in the wrapper and Prometheus metrics in the S3 proxy, the full stack now provides production-grade observability and security lifecycle management.
MAR 2026
Live demo at cloudtaser.io/demo-lab
The canonical public demo runs on three real systems — a US GKE confidential-compute target cluster, a beacon relay VM in Frankfurt, and an OpenBao secret store VM in the Netherlands. Self-hosted, no third-party platform: a 4-minute MP4 walkthrough plus a one-driver-many-watchers interactive mode. Every cluster mutation the demo performs is published as YAML at cloudtaser.io/demo-lab/manifests/.
MAR 2026
S3 Proxy reaches beta - Transit secrets engine support
The cloudtaser S3 Proxy now performs full envelope encryption using OpenBao's Transit secrets engine: a unique AES-256-GCM data key per object, wrapped via Transit, with the plaintext DEK never persisted. Compatible with any S3-compatible storage (AWS S3, GCS, MinIO).
FEB 2026
Operator beta: process wrapper injection with auto-detection
The Kubernetes mutating admission webhook now reliably injects the cloudtaser wrapper into pods. Auto-detects container image entrypoints from OCI registries (supports private registries), rewrites commands transparently. No sidecar containers - zero resource overhead compared to sidecar-based injectors. Full CI/CD with integration tests on every release.
MAY 2026
BPF LSM enforcement: Phase L4 in progress
cloudtaser's eBPF agent gains BPF LSM hooks as the synchronous deny path for the five highest-risk kernel entry points: ptrace_access_check, file_open (covering /proc/pid/environ and /proc/pid/mem), bpf (unauthorised program loads), socket_sendmsg (secret-buffer exfiltration), and kernel_load_data. By LSM design, the hook fires synchronously before the kernel action completes. On kernels without CONFIG_BPF_LSM=y or where bpf is absent from /sys/kernel/security/lsm (some hardened distros, GKE pre-1.27, AKS Mariner), the agent detects this at startup and falls back to the well-tested kprobe enforcement path. No operator configuration change required. The LSM code merged across cloudtaser-ebpf #183, #185, #190, #193 and is rolling out in the next tagged release; per-kernel runtime confirmation lands once cloudtaser-pipeline#227 unblocks full-matrix BPF verifier validation.
JAN 2026
eBPF agent beta: BPF LSM (with kprobe fallback) and tracepoint monitoring
The eBPF agent now attaches to sys_enter_openat tracepoints and kprobes for comprehensive kernel-level monitoring. It detects /proc/pid/environ reads and secret material in network buffers, and translates container PIDs to host PIDs for cross-namespace visibility. Enforcement mode can block unauthorised access in real time.
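
The startup check described in the MAY 2026 entry (BPF LSM when available, kprobe otherwise) can be reproduced on any node to predict which path it will take. The Go sketch below is an added example, not cloudtaser's own code: the function names and path labels are hypothetical, and the inputs are constructed strings standing in for the contents of /sys/kernel/security/lsm and the kernel config.

```go
package main

import (
	"fmt"
	"strings"
)

// hasBPF reports whether "bpf" is an exact entry in the comma-separated list
// read from /sys/kernel/security/lsm (substring matches do not count).
func hasBPF(lsmList string) bool {
	for _, name := range strings.Split(lsmList, ",") {
		if strings.TrimSpace(name) == "bpf" {
			return true
		}
	}
	return false
}

// builtIn reports whether the kernel config text contains CONFIG_BPF_LSM=y.
// "# CONFIG_BPF_LSM is not set" and a missing option both count as absent.
func builtIn(kconfig string) bool {
	for _, line := range strings.Split(kconfig, "\n") {
		if strings.TrimSpace(line) == "CONFIG_BPF_LSM=y" {
			return true
		}
	}
	return false
}

// selectPath applies the rule from the changelog entry: if either condition
// is missing, enforcement uses the kprobe path. The reason string is meant
// for a startup log line (labels here are hypothetical).
func selectPath(lsmList, kconfig string) (path, reason string) {
	if !builtIn(kconfig) {
		return "kprobe", "CONFIG_BPF_LSM=y not set"
	}
	if !hasBPF(lsmList) {
		return "kprobe", "bpf absent from /sys/kernel/security/lsm"
	}
	return "bpf-lsm", "BPF LSM built in and active"
}

func main() {
	// Constructed inputs: the option is compiled in, but the first kernel was
	// booted without bpf in its LSM list, which only the second check catches.
	cfg := "CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_LSM=y\n"
	for _, lsm := range []string{"lockdown,capability,yama,apparmor", "lockdown,capability,yama,apparmor,bpf\n"} {
		p, why := selectPath(lsm, cfg)
		fmt.Printf("%-45q -> %s (%s)\n", lsm, p, why)
	}
}
```
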
02 · Why this matters

The legal ground keeps shifting.

Every event below added weight to the argument that contractual clauses alone can't bridge EU–US jurisdictional mismatch. cloudtaser's value grows with each one.

JAN 2026
NOYB files complaints against EU institutions using US cloud
The privacy advocacy group noyb filed formal complaints against EU institutions (including the European Commission) for using Microsoft 365 and AWS without adequate data protection measures. Source: noyb.eu
DEC 2025
DPF heads to CJEU - Schrems III countdown begins
The EU–US Data Privacy Framework survived its first challenge when the EU General Court dismissed the Latombe case in September 2025. However, Latombe appealed to the CJEU in October 2025. The CJEU has historically been far more sceptical - it invalidated both Safe Harbour (Schrems I) and Privacy Shield (Schrems II). cloudtaser makes the DPF irrelevant: keys never enter US jurisdiction. Source: WilmerHale
OCT 2025
European Commission launches €180M sovereign cloud tender
The European Commission published its Cloud Sovereignty Framework (eight measurable objectives) and launched a €180M Cloud III Dynamic Purchasing System tender for sovereign cloud services for EU institutions. The framework explicitly includes key management under EU control as a sovereignty objective - the exact requirement cloudtaser satisfies. Source: European Commission
OCT 2025
Danish DPA orders municipality to stop using Google Workspace
The Danish Data Protection Authority ordered Helsingør municipality to cease using Google Workspace and Chromebooks. Google's data processing does not provide adequate protection against US government access. The ruling was upheld despite Google's claims of encryption - because Google holds the keys. Source: Datatilsynet
JUN 2025
Microsoft admits it "cannot guarantee" EU data sovereignty
During a French Senate hearing, Microsoft France's GM was asked under oath: "Can you guarantee that French citizen data will never be transmitted to US authorities without French authorisation?" His answer: "No, I cannot guarantee it." Google, Amazon, and Salesforce gave equivalent responses. This is not a theoretical risk - it's a hyperscaler executive confirming, on the record, that the CLOUD Act creates an irremovable structural vulnerability. Source: The Register
MAR 2025
Dutch Parliament votes to reduce US cloud dependence
The Dutch Parliament passed motions requiring government agencies to reduce dependence on US cloud providers, launch a national cloud under "full Dutch management," and give European providers preferential treatment in procurement. Source: Euronews
MAR 2025
European Health Data Space regulation published
The EHDS regulation (EU 2025/327) was published in the Official Journal on 5 March 2025. Member states may require health data to be stored and processed exclusively within the EU. Primary use obligations become mandatory from March 2029 - a direct architectural requirement for EU-controlled key management. Source: EUR-Lex
JUL 2023
EU adopts new adequacy decision - EDPB warns of limits
The European Commission adopted the EU–US Data Privacy Framework, providing a new legal basis for data transfers. The EDPB stressed that the framework does not eliminate all risks and that supplementary technical measures remain recommended for sensitive data - explicitly client-side encryption where the data importer does not have access to keys. Source: EDPB
JUL 2020
Schrems II: CJEU invalidates Privacy Shield
Case C-311/18. The CJEU ruled the EU–US Privacy Shield invalid because US surveillance laws (FISA 702, EO 12333) do not provide equivalent protection to EU fundamental rights. Any data transfers to the US must include "effective supplementary measures" to prevent access by US authorities. This is the legal foundation for why technical controls - not just contracts - are necessary. Source: CJEU
MAR 2018
US CLOUD Act signed into law
The Clarifying Lawful Overseas Use of Data (CLOUD) Act requires US-based service providers to comply with warrants for data regardless of where it's physically stored - including EU data centres. This is the direct mechanism by which US authorities can compel access to EU customer data on AWS, GCP, and Azure, even when stored in Frankfurt, Dublin, or Amsterdam. Source: congress.gov

Subscribe via RSS or GitHub.

Component releases and interactive demo updates ship first in the GitHub org. Regulatory context is curated here.