
Cloud computing provides significant benefits to both public and private sector customers in terms of cost, flexibility, efficiency, security and scalability. In order to secure the trust of cloud customers in Cloud Service Providers (CSPs), the EU Cloud Code of Conduct aims to help Cloud Providers on their path to GDPR compliance.

As representatives of European and multinational companies and organizations with significant involvement in cloud computing, we have developed a set of requirements that enable CSPs to demonstrate their capability to comply with GDPR – the Code provides cloud-specific approaches and recommendations, including a road map, which tracks Code requirements to GDPR and to international standards such as ISO 27001 and 27018.


The EU Cloud Code of Conduct consists of requirements for CSPs that wish to adhere to the Code, plus a governance section that is designed to support the effective and transparent implementation, management, and evolution of the Code. The Code is a voluntary instrument, allowing a CSP to evaluate and demonstrate its adherence to the Code’s requirements, either through self-evaluation and self-declaration of compliance and/or through third-party certification. The Code is developed to cover GDPR requirements for a Code of Conduct under GDPR and is being submitted to the appropriate Data Protection Authority.

The intention of the EU Cloud Code of Conduct is to make it easier for cloud customers (particularly small and medium enterprises and public entities) to determine whether certain cloud services are appropriate for their designated purpose. In addition, the transparency created by the Code will contribute to an environment of trust and create a high default level of data protection in the European cloud computing market.

The EU Cloud Code of Conduct

  • Covers the full spectrum of cloud services: software (SaaS) and platform (PaaS) as well as infrastructure (IaaS).
  • Has an independent governance structure to deal with compliance as well as an independent monitoring body, SCOPE Europe, which scrutinizes cloud services which sign up to the Code and monitors services that are certified in the Code – a requirement of GDPR.
  • Invites Cloud Service Providers of all sizes and from all cloud sectors to join: there are different membership options, depending on the CSP’s interests. Once a member, CSPs can declare Cloud Services adherent to the Code, committing to rigorous data protection safeguards.
  • Is the only Code drafted together with authorities of the European Union: the Code was developed by the Cloud Select Industry Group (Data Protection Code of Conduct Subgroup) convened by the European Commission under the auspices of DG Connect and with the involvement and advice of DG Justice. Development of the Code was further informed by input from the Article 29 Working Party.