The U.S. New Tariff Regime: What Are the Potential Repercussions for the Hardware Security Module Market?

Accompanying the United States’ new tariff announcement on April 2, 2025 was a 40-page annex (Annex II) of exempted products, which included various semiconductor and electronic Integrated Circuit (IC) types. It did not, however, include Hardware Security Modules (HSMs) specifically, and it is unlikely that the Peripheral Component Interconnect Express (PCIe) form factor fits the exempted categories. Therefore, HSM imports to the United States will be subject to the new tariffs. The announcement will have repercussions for HSM sales by foreign Original Equipment Manufacturers (OEMs) in the United States. This will affect Average Selling Prices (ASPs), market shares, and demand for HSM services. This ABI Insight explores the possible repercussions to the HSM market in the United States and more globally.

The first impact will be the cost—HSM OEMs, especially non-U.S.-based ones, will bear the brunt of it, and will have to decide if, when, and how much of that impact to pass on to the customer. Either way, it will be financially painful. The second impact will come if the U.S. administration doesn’t back down or if negotiations on these tariffs don’t make headway, and other countries set retaliatory tariffs on goods. This will bode badly for all HSM vendors, U.S.-based or not. The third impact will likely be on HSM services, a dynamic market that is growing much faster than the HSM hardware space. HSM users will likely be looking at migrating to cloud or managed HSM offerings if the Total Cost of Ownership (TCO) for HSM appliances becomes too high. This could be the big catalyst for HSM service adoption, and could quicken the pace at which U.S. cloud service providers (Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)) are rolling out service offerings for HSM and Key Management Service (KMS).

However, there is a significant risk factor that could just as well cut that U.S. service expansion down: the European Union’s (EU) Anti-Coercion Instrument (ACI). The ACI is a regulation that allows the EU to take action against economic coercion—essentially, allowing it to adopt “measures that affect the access of foreign direct investment to the Union or trade in services and that apply to services supplied, or direct investments made, within the Union by one or more legal persons established in the Union and owned or controlled by persons of the third country,” i.e., the coercing country. Should the EU decide that the United States is, in fact, trying to economically coerce it with its tariffs, it could well decide to retaliate against the U.S. service sector, against which it runs a €109 billion trade deficit. This includes trade in digital services, thus impacting HSM and KMS solutions. This would be a complex endeavor for the EU, as digital trade can be difficult to quantify appropriately because many U.S. companies set up subsidiaries in the EU where a lot of internal revenue trading happens, making export quantification of digital trade services difficult. Further, the ACI is an instrument of last resort. The regulation states that the EU must work all other alternative routes before leveraging the ACI, but in these uncertain times, even the EU’s careful and risk-averse nature may push it to take a more determined stance. With the EU’s Digital Services Act (DSA) and Digital Markets Act (DMA), as well as the resurgence of digital service taxes in a number of European countries, the EU is already exerting tools to curb what it deems to be the abusive influence of U.S. digital service companies.

For the HSM services market, and certainly for non-U.S. providers, this could be a boon, giving companies like Thales, Utimaco, Eviden and Wordline a break to compete more effectively against the aggressive push in cloud HSM by the big cloud providers, which are also likely to face rising costs as it pertains to data centers (with tariffs on imported aluminum, steel, and electronic components driving up costs related to servers, storage, and networking equipment). This could also be an opportunity for firms like Entrust and Crypto4A in Canada, as well as smaller outfits such as Securosys in Switzerland, Kryptus in Brazil, and Procenne in Turkey, giving them more room to expand into the HSM service business, especially in Europe.

This first, immediate issue is in the United States for foreign HSM OEMs. The top three are all headquartered abroad: Thales in France, Utimaco in Germany, and Entrust in Canada. This means that selling into the U.S. market now will mean these OEMs, among others, will face import duties on their products. There are three major considerations for foreign HSM vendors going forward in the United States.

The first is that HSMs are not a luxury, nice-to-have item. They are a critical asset for those using it, meaning those users will continue to buy HSMs, so the market is unlikely to shrink. In theory, even if OEMs pass on the cost of the tariffs to the consumer now, users will absorb these costs because they don’t have a choice; it will mean slimmer margins if OEMs want to push up ASPs, as the duties will have already eaten into buyers’ willingness to pay more. In the short term, the market is unlikely to fluctuate much, but as refresh cycles come up, U.S. clients will be looking long and hard at pricing and TCO, especially if the likelihood of a recession looms large.

Second, for those OEMs already selling to the U.S. Government, the likelihood is that they have set up manufacturing facilities in the United States to comply with U.S. supply chain requirements (as Thales does already). They could expand those facilities to also meet enterprise demands, thereby avoiding the tariffs. This would mean bigger investments into U.S.-based manufacturing and there are other issues at stake—HSM supply chains are complex, and not all parts can be made in the United States. Some will have to be imported, and those will also be subject to tariffs.

Third is that there are two strong U.S. HSM OEMs, Futurex and Marvell. Futurex manufactures all of its HSMs in the United States, so the new tariffs might be beneficial for its U.S.-based sales, positioning it better against competition from others outside of the country. However, if there are retaliatory tariffs abroad, this may impact its international expansion. There may also be other costs if its supply chain includes overseas parties. Marvell, on the other hand, offers only PCIe form factors, and it outsources manufacturing in Asia. This will mean that it will face duties when it brings the goods back into the United States. However, PCIe HSMs are still cheaper than network-attached HSMs, so Marvell could capitalize on this opportunity. However, with a focus primarily on cloud service providers, rather than enterprise, it might be easier to pass on those costs. IBM is also a U.S. HSM OEM, though it only offers its CryptoExpress as part of its Z mainframes, but with a market under stress, it could position itself as a viable alternative, especially on its service offerings.

As it stands today, the main difficulty will be in the U.S. market. It is not easy to predict how things will pan out with a U.S. administration that doesn’t seem to play by the standard rules, whether that is in trade or policy. HSM vendors still have time to assess the situation and watch the outcome of negotiations with the United States. But they should start looking at all options, and prepare for worst-case scenarios.