The Digital Single Market (DSM) cloud stakeholder working groups were established following the Commission's legislative proposals of 13 September 2017 on the free flow of non-personal data and cyber security. Their objective was to conduct self-regulatory work in the areas of cloud security and porting data/switching cloud service providers. The self-regulatory group on porting data was active from December 2017 to May 2020. The self-regulatory group on cloud security submitted its final recommendations to the Commission in June 2019.


Self-regulatory Codes of Conduct on data portability for easier cloud switching

The SWIPO (switching and porting) Codes of Conduct Working Group was one of two DSM (Digital Single Market) cloud stakeholder groups. Its purpose was to develop two self-regulatory Codes of Conduct on data portability and cloud switching as an element of the Commission’s broader work on cloud regulation:

•    SWIPO Code of Conduct on ‘Infrastructure-as-a-service’ portability
•    SWIPO Code of Conduct on ‘Software-as-a-service’ portability

To assure a balanced approach to this work, the SWIPO Working Group was co-chaired by representatives from the cloud service industry and from business users of cloud services.
SWIPO was working on two different codes. In May 2020, the SWIPO Working Group finalised work on the Codes of Conduct.

It was decided that the Codes of Conduct will function subject to a governance agreement, enforced and put into practice by a new legal entity. This legal entity, SWIPO AISBL, was formally launched in May 2020 and has operated autonomously and independently since then.

Interested cloud users and cloud providers can join the SWIPO Association.

The objective of the SWIPO Codes of Conduct is to reduce the risk of vendor lock-in by cloud service providers in light of the increasing importance of the European Data Economy. The Codes of Conduct should make the European market for cloud services more fluid and allow smaller companies and new market entrants to compete there as well. The European Commission will perform an evaluation of the Codes of Conduct and their impact before the end of 2022.

Self-regulatory working group on cloud security certification (CSPCERT)

The self-regulatory working group on cloud security certification (CSPCERT) was set up to explore options for the development of a possible European certification scheme in the field of cloud security to enhance legal certainty and trust in the cloud market. After 18 months of work, the group presented its final recommendations for a European cloud certification scheme in June 2019. The recommendations address security requirements, conformity assessment methodologies and the assurance levels ‘basic’, ‘substantial’ and ‘high’, in line with the European Cybersecurity Act.

Next Steps

In November 2019, pursuant to the EU Cybersecurity Act, the European Commission tasked the European Union Agency for Cybersecurity (ENISA) to prepare a cybersecurity certification candidate scheme for cloud services taking into account existing and relevant schemes and standards. The recommendations developed by CSPCERT have made a significant contribution in this direction. Upon finalisation, ENISA will submit its proposal to the European Commission for adoption.

CSPCERT members

To ensure a balanced approach, the working group has consisted of relevant stakeholders including businesses of all sizes, cloud providers, cloud users and representatives of national cybersecurity certification authorities. The leadership has been held by a balanced group of representatives including the supplier, user and expert categories.

DSM cloud stakeholder conferences

November 2019: Helsinki, Finland
September 2019: Warsaw, Poland
June 2019: Amsterdam, The Netherlands
April 2019: Berlin, Germany
February 2019: Madrid, Spain
December 2018: Vienna, Austria
October 2018: Rome, Italy
July 2018: Paris, France
December 2017: Brussels, Belgium