일보(一步) 전진을 위한 이보(二步) 후퇴: 클라우드 보안인증제도(CSAP)의 국제통상규범 합치성에 대한 연구

This study evaluates whether the Cloud Security Assurance Program (CSAP), mandated for private cloud providers entering the public cloud sector in Korea, is consistent with international trade rules. Initially, we assess whether CSAP falls within the scope of the revised WTO Government Procurement Agreement (GPA) and the Government Procurement Chapter of the KORUS FTA. Our findings indicate that CSAP meets the criteria for procuring entities, value thresholds, services specified, and non-exclusionary services, thereby subjecting it to the substantive rules of the GPA and the KORUS FTA. Subsequently, we examine CSAP’s key requirements–network separation, data and personnel localization, and the use of certified national standard encryption technologies–concluding that they do not comply with GPA obligations of non-discrimination, avoiding unnecessary obstacles to international trade, and participation conditions. Although the use of national standard encryption does not explicitly breach international standards harmonization, it could potentially conflict with the principle of technological flexibility. Arguments could be made for national security exceptions, but recent WTO dispute cases and CSAP’s characteristics suggest limited scope for such exceptions. Ultimately, CSAP is deemed discriminatory against foreign cloud providers, violating GPA and KORUS FTA rules. The recent introduction of logical network separation has reduced burden on global cloud providers, but the added personnel localization requirements have diminished the competitiveness of the cloud services trade environment. For an effective digital platform government and industrial digital transformation, an open digital policy in government procurement is recommended. Further research should explore both CSAP’s legal aspects and strategies for domestic cloud providers’ technological innovation and international expansion.