Processor Dependencies Undermine Europe's Sovereign Cloud Certifications
EU sovereign cloud certifications overlook Intel ME and AMD PSP risks, enabling unmonitored US-accessible channels.
Europe’s €2 billion IPCEI-CIS program and France’s SecNumCloud framework, which sets nearly 1,200 requirements for immunity from extraterritorial laws, certify cloud operators while leaving Intel CSME and AMD PSP management engines outside evaluation scope. These Ring -3 subsystems maintain independent memory, clocks, and network stacks that share host MAC addresses and expose ports 16992–16995 for AMT features, as documented in John Goodacre’s 37-page CISO risk assessment.
Microsoft’s 2017 report on the PLATINUM actor recorded use of Intel Serial-over-LAN channels that transit the ME before the host TCP/IP stack initializes, evading endpoint detection; the same architecture persists in Modern Standby platforms where battery drain occurs on powered-off systems. RISAA 2024 classifies hardware manufacturers as electronic communications service providers subject to secret orders, extending reach beyond the software layers addressed by current certifications.
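An added example, not taken from the article or its sources: because traffic to the ME never reaches the host TCP/IP stack, a check for it has to run on network-side flow records rather than on the endpoint. The management subnet, addresses, CSV layout and host listener inventory below are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

AMT_PORTS = range(16992, 16996)        # 16992-16995, the AMT ports named above
MGMT_NET = ip_network("10.50.0.0/24")  # assumption: only subnet allowed to manage servers

# Constructed flow records as exported by a switch or tap (not by a host agent).
FLOWS = """ts,src,dst,dport,bytes
2026-05-16T02:11:04Z,10.50.0.12,10.20.1.7,16993,4810
2026-05-16T02:11:09Z,203.0.113.40,10.20.1.7,16994,1822
2026-05-16T02:12:30Z,10.20.1.9,10.20.1.7,443,9120
2026-05-16T02:13:02Z,10.20.3.3,10.20.1.8,16992,640
"""

# Constructed host-side view: (ip, port) listeners each server's OS reports.
HOST_LISTENERS = {("10.20.1.7", 443), ("10.20.1.8", 22), ("10.20.1.8", 16992)}


def amt_findings(flow_csv, host_listeners, mgmt_net=MGMT_NET):
    """Return every flow to an AMT port, annotated with why it deserves review."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        if port not in AMT_PORTS:
            continue
        reasons = []
        if ip_address(row["src"]) not in mgmt_net:
            reasons.append("source outside management subnet")
        # Bytes were exchanged on a port the OS does not listen on: something
        # other than the host stack answered, which is consistent with the ME.
        if (row["dst"], port) not in host_listeners:
            reasons.append("no OS listener for this port")
        findings.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                         "dport": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in amt_findings(FLOWS, HOST_LISTENERS):
        print(f["ts"], f["src"], "->", f"{f['dst']}:{f['dport']}",
              "; ".join(f["reasons"]) or "expected management traffic")
```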
GAIA-X technical specifications and the UK’s Digital Security by Design program similarly focus on higher-level stacks without mandating firmware audits or RISC-V alternatives, and The Register’s primary-source coverage has not been extended to map processor supply chains across IPCEI-funded datacenters.
AXIOM: Full sovereignty requires processor-level certification or non-US silicon adoption to close Ring -3 exposure gaps.
Sources
- [1] Primary Source (https://www.theregister.com/systems/2026/05/16/europe-built-sovereign-clouds-to-escape-us-control-then-forgot-about-the-processors/5237735)
- [2] Goodacre Risk Assessment (https://www.csap.cam.ac.uk)
- [3] Microsoft PLATINUM Report (https://www.microsoft.com/en-us/security/blog)