Self-regulatory Codes of Conduct on data portability for easier cloud switching
The SWIPO (switching and porting) Codes of Conduct Working Group was one of two DSM (Digital Single Market) cloud stakeholder groups. Their purpose was to develop self-regulatory Codes of Conduct on data portability as an element of the Commission’s broader work on cloud regulation.
SWIPO’s policy objective was to reduce the risk of vendor lock-in by cloud service providers in light of the increasing importance for the European Data Economy. The aim was to make the European market for cloud services more fluid and to allow smaller companies and new market entrants to compete there as well.
Governance
It was decided that the Codes of Conduct will function subject to a governance agreement, enforced and put into practice by a new legal entity. This legal entity, SWIPO AISBL, was formally launched in May 2020 and is working since then autonomously and independently.
SWIPO Members
To assure a balanced approach to this work, the group was co-chaired by representatives from the cloud service industry and from business users of cloud services.
SWIPO was working on two different codes:
- SWIPO Code of Conduct on the porting of data across different cloud infrastructures (IaaS ‘Infrastructure-as-a-service’ portability)
- SWIPO Code of Conduct on the porting of data across different cloud-based applications (SaaS ‘Software-as-a-service’ portability
Self-regulatory working group on cloud security certification (CSPCERT)
The self-regulatory working group on cloud security certification (CSPCERT) was set up to explore options for the development of a possible European certification scheme in the field of cloud security to enhance legal certainty and trust in the cloud market. After 18 months of work, the group presented its final recommendations for a European cloud certification scheme in June 2019. The recommendations address security requirements, conformity assessment methodologies and assurance levels basic, substantial and high in line with the European Cybersecurity Act.
Next Steps
In November 2019, pursuant to the EU Cybersecurity Act, the European Commission tasked the European Union Agency for Cybersecurity (ENISA) to prepare a cybersecurity certification candidate scheme for cloud services taking into account existing and relevant schemes and standards. The recommendations developed by CSPCERT have made a significant contribution in this direction. Upon finalisation, ENISA will submit its proposal to the European Commission for adoption.
CSPCERT members
To ensure a balanced approach, the working group has consisted of relevant stakeholders including businesses of all sizes, cloud providers, cloud users and representatives of national cybersecurity certification authorities. The leadership has been hold by a balanced group of representatives including the supplier, user and expert categories.
DSM cloud stakeholder conferences
November 2019: Helsinki, Finland
September 2019: Warsaw, Poland
June 2019: Amsterdam, The Netherlands
April 2019: Berlin, Germany
February 2019: Madrid, Spain
December 2018: Vienna, Austria
October 2018: Rome, Italy
July 2018: Paris, France
December 2017: Brussels, Belgium