If your organization is working towards meeting the new regulatory obligations of the European General Data Protection Regulation (GDPR), you might want to consider joining the General Assembly of the EU Cloud CoC and at a later point complying with requirements of the Code, to demonstrate the high data protection standards you are following. To apply to join the General Assembly, please complete the Online Application Form.
One of the requirements for new members is that they agree with the approach and principles of EU Cloud Code of Conduct as embodied in the Code and they are listed as a member on the EU Cloud CoC website, publicly communicating support for the the EU Cloud CoC.
The EU Cloud Code of Conduct offers two main types of membership, one for Cloud Providers and one for Supporters.
General Assembly Membership
The General Assembly Membership is open to any Cloud Service Provider (CSP) which fulfils the requirements above. There are three options for Membership depending on your interest: Full Membership (including General Assembly voting rights), Membership for medium sized enterprises (excluding voting rights) and a membership for small sized enterprises (excluding voting rights). To work out whether you qualify, please refer to European definition of Small or Medium Sized Enterprise.
General Assembly Supporter
The General Assembly Supporters are any natural or legal entities (non-CSPs) that strive to support the aims of the EU Cloud Code of Conduct (e.g. interest groups or associations).
Frequently Asked Questions
You may join the General Assembly by filling in the Online Application Form. Once you have applied, there is a vetting progress to check the legal status and veracity of the application by the Code’s Secretariat.
Please, note: There are two Membership options:
General Assembly Member (for CSPs) and General Assembly Supporter (for non-CSPs).
By joining the General Assembly, you publicly underpin the efforts to meet the requirements of the GDPR, increasing Customers’ confidence and trust when choosing Cloud Services. Moreover, there are substantial legal benefits you, as a CSP, can rely on, once being adherent to an approved Code of Conduct. For example, adherence to a Code of Conduct must be (positively) taken into account in the determination of administrative fines. A Code of Conduct covering relevant aspects due to Article 28 GDPR, such as the EU Cloud CoC, can be presented to the Customers in accordance with Article 28.5 GDPR as sufficient guarantee. By that, you can massively reduce your resources spent related to the onboarding of new Customers. Being governed by SCOPE Europe as an independent Code Monitoring Body, establishing a robust and trustworthy oversight mechanism, positively contributes to abovementioned factor, as well as the Code’s extensive collection of good practices within its controls catalogue.
Depending on the applicable Membership option, there are different requirements.
An overall requirement is to support the EU Cloud CoC. That includes being named as Member on the EU Cloud CoC website and publicly communicating your support of and Membership to the EU Cloud CoC.
To join as General Assembly Member, you must be a Cloud Service Provider. Any natural or legal entity that is not a Cloud Service Provider may join as a General Assembly Supporter.
General Assembly Membership is open to any Cloud Service Provider. There are three sub-options of becoming a General Assembly Member:
- Full-Membership including voting rights
- Membership for Medium Sized Enterprises excluding voting rights
- Membership for Small Sized Enterprises excluding voting rights
It is not required to be compliant with the Code the moment you join as a Member, already. However, it is expected that each Cloud Service Provider explores declaring adherent at least one of its Cloud Services within due time once the Code is being approved.
Yes, you can join as a Supporter. General Assembly Supporters must not be Cloud Service Providers but any natural or legal entity that strives to support the aims of the EU Cloud CoC, such as for example associations, authorities, law firms, NGOs, think tanks, etc.
As a supporter, the fee depends on the size of your company. The pricing is 1,500 EUR for small-sized, 3,000 EUR for mid-sized and 5,000 EUR for all other companies.
In general, every Cloud Service provider may choose to become a Full-Member no matter of its size. The Membership fee depends on the option you choose whereas there are three different Membership options, depending on your interest. Being a SME, you can choose between the Full-Membership with voting rights and two other options specifically addressing needs of mid-sized or small-sized Enterprises, i.e. a significantly adjusted and reduced pricing scheme. Membership options for Small and Medium Sized Enterprises (SME) are only applicable for those Cloud Service Providers that fulfil the European definition of a Small or Medium Sized Enterprise.
The Membership fee depends on the option you choose whereas there are three different Membership options, depending on your interest. Being a SME, you can choose between the Full-Membership with voting rights and two other options specifically addressing needs of mid-sized or small-sized enterprises, i.e. a significantly adjusted and reduced pricing scheme.
Please, read more about the pricing.
No, as SME you can to opt-in for full Membership, providing you with voting rights, subject to according fees at any time.
Please, note: If and to the extent it appears economically more reasonable, the EU Cloud CoC provides dedicated Membership options for SME, subject to an adjusted and significantly reduced pricing scheme.
Yes, once you opt-in for the full Membership option, you receive full voting rights, also enabling you to actively participate in the Code’s development. Please, read more about the EU Cloud CoC Membership options and relating pricing schemes.
Regardless of any voting rights, the Code’s Secretariat respectively General Assembly is happy to receive any comments and suggestions to further enhance the EU Cloud CoC.
The EU Cloud CoC addresses Cloud Services / Cloud Service Families. Hence, you will not have to comply as a Cloud Service Provider as such. By that the EU Cloud CoC allows for adequate flexibility and tailors for practical needs, especially to the extent Cloud Service Providers may (intentionally) provide Cloud Service offerings not subject to GDPR at all. Notwithstanding, those services declared adherent to the EU Cloud CoC must fully comply with its provisions.
Please read more at Do I have to comply with the EU Cloud CoC as Cloud Service Provider as such?
Yes, the minimum Membership period is 24 months.
The Membership of the EU Cloud CoC is voluntary. Provided the minimum Membership period of 24 months is being met, you may terminate subject to prior notification of 18 months.
Your Supporter status is automatically renewed for another year unless terminate three months prior to the end of your Supporter Membership term.
First, you need to qualify as CSP, i.e. you are offering Cloud Services as a processor. Second, it is expected to support the principles of and EU Cloud CoC as such. However, it is not required to be compliant with the Code the moment you join as a Member, already. It is rather expected that each Cloud Service Provider explores declaring adherent at least one of its Cloud Services within due time once the Code is being approved.
It is not required to declare any of your Cloud Service(s) adherent the very moment you are joining the General Assembly. However, you are expected to declare at least one Cloud Service adherent in due time, once the Code is officially approved.
Before declaring your Cloud Service(s) adherent, you should adequately prepare your Cloud Service to be compliant with the requirements of the Code. Such due time is also being provided if you are a General Assembly Member, already. Once a Cloud Service is being declared adherent, there is no grace period anymore. The Cloud Service will have to be compliant with all requirements of the Code; otherwise the Code’s Monitoring Body will reject a positive verification.
Each Cloud Service declared adherent must comply with all requirements of the Code from the first day onwards. It will be assessed by the Code’s Monitoring Body annually once it has positively passed the verification process. Cloud Service Providers must notify any adjustments and updates to its adherent Cloud Services, to the extent such may affect a Cloud Service’s compliance. Cloud Service Providers may also terminate their Cloud Service’s listing in the Public Register.
Please, refer to the Declaration of Adherence and incorporated agreement and procedures for further details.
Once a Cloud Service is being declared adherent, adherence may be terminated subject to prior notification of 18 months, provided that the Cloud Service will be adherent for 24 months at a minimum.
The Pricing depends on the Membership option chosen. Annual fees range from 1,500.00 EUR to 15,000.00 EUR.
Please, refer to our price list.
The EU Cloud CoC provides different levels of compliance and a respective translation of its provisions into precise controls – which is being provided to the Cloud Service Provider in the form of a Controls Catalogue. It is worth noting that every part of the Code is equally binding to any CSP that declares adherence to the Code: a CSP is either compliant or it is not.
To prove compliance, CSP must complete the online declaration of adherence and successfully pass the Monitoring Bodies assessment. Please, refer to our page on the Assessment Procedure for further details.
The EU Cloud CoC has a dedicated and independent Monitoring Body. Any Cloud Service Provider declaring a Cloud Service adherent to the EU Cloud CoC must prove its compliance to the satisfaction of the Monitoring Body.
Cloud Service Providers may only market their adherence to the EU Cloud CoC after having received the official approval by the Monitoring Body. Such Cloud Service Providers will then be listed in the Public Register of Adherent Cloud Services.
In general, a Cloud Service verified compliant must – at all times – comply with all Controls of the Code, regardless of the level chosen. The different levels of compliance are only related on the level of substantiation mandatorily being provided to the Monitoring Body, as the Code does support different methods of checking conformity.