PRESS RELEASE: Schellman performs third-party assessments for EU Cloud CoC Level 3 Compliance

Brussels, 11 January 2024 – Schellman, a supporting member of the EU Cloud Code of Conduct (CoC), plays a crucial role in providing additional assessments and guidance for cloud service providers (CSPs) aiming to reach the highest level of compliance.

In a landscape where GDPR implementation is paramount, approved codes of conduct serve as essential tools for specifying regulatory requirements, fostering transparency and building trust. Going through the EU Cloud CoC’s assessment process – which allows for three different compliance levels – represents a provider's commitment to rigorous data protection standards. Level 3 compliance, the highest tier, involves independent third-party certificates and audits which are based upon internationally recognized standards.

As a supporting member of the EU Cloud CoC with vast expertise in the privacy and security fields, Schellman assesses CSPs that wish to pursue the Code’s highest level of adherence while also assisting them with SOC 2 examination and obtaining certification through globally acknowledged standards such as ISO 27001. This work empowers CSPs to continually enhance their information security management systems.

Key Features of Level 3 Compliance:

  • Stringent Verification: Level 3 compliance requires meticulous scrutiny by independent third-party auditors. Leveraging its exceptional expertise in optimizing compliance while enhancing the highest levels of security, Schellman ensures a comprehensive evaluation of all EU Cloud CoC controls.
  • Demonstrated Commitment: CSPs achieving Level 3 compliance showcase their commitment to providing high assurance regarding the implemented safeguards, aligning with GDPR's risk-based approach, especially relevant for specific processing activities.
  • Transparent Data Processing: Level 3 compliance attests to the service provider's commitment to transparent and appropriate data processing practices, providing stakeholders with confidence in their data security measures.

Schellman has worked with Cisco throughout its journey to achieve the highest level of adherence to the Code. Cisco, as the second company to earn the Level 3 compliance mark for Webex, enabled trust and confidence in its services by subjecting its practices to additional third-party assessments.

Against this backdrop, Cisco's choice to provide all available safeguards to its customers by elevating its compliance to the highest tier emphasizes the added value of the Code’s multi-level adherence approach, which provides the dynamism that the cloud environment requires.

Chris Lippert, Director, Schellman Privacy Practice Lead, comments:

Companies must aim for the highest level of compliance in this dynamic world where data and information are prized targets. The EU Cloud CoC includes two foundational pillars of what Schellman believes in - transparency and trust, which are integral to a data protection program. We are honored to have played a part in this process with Cisco and look forward to seeing more companies do the same.

Gabriela Mercuri, Managing Director of SCOPE Europe, added:

Witnessing companies achieving the Level 3 compliance mark attests to the EU Cloud CoC’s success in addressing the needs of the highly diverse cloud industry. This approach, which requires additional third-party assessments, is only possible thanks to trusted stakeholders committed to the highest compliance standards, such as Schellman.

About the EU Cloud Code of Conduct

The EU Cloud Code of Conduct is an approved and fully legally operational Code of Conduct pursuant to Article 40 GDPR. Defining clear requirements for Cloud Service Providers to implement Article 28 GDPR, the Code covers all cloud service layers (IaaS, PaaS, SaaS), has its compliance overseen by an accredited monitoring body, and represents the vast majority of the European cloud industry market share.


About Schellman

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman stands as a leading global provider of attestation, compliance, and certification services. It operates under two distinct entities: Schellman & Company, LLC (a top 50 firm) and Schellman Compliance, LLC (a globally accredited compliance assessment firm which is not a licensed CPA firm). The services provided by the Schellman entities include acting as a CPA firm (Schellman & Company, LLC Florida license number AD62941), as a leading provider of SOC reports, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and being among the pioneering CMMC Authorized C3PAOs.

Renowned for its professionals’ expertise combined with practical experience, Schellman delivers superior client service while upholding steadfast independence. The company's approach fosters successful, long-term relationships, enabling clients to achieve multiple compliance objectives through a single trusted third-party assessor. For further information about the services provided, please visit