Self-regulatory Codes of Conduct on data portability for easier cloud switching
The SWIPO (switching and porting) Codes of Conduct Working Group was one of two DSM (Digital Single Market) cloud stakeholder groups. Its purpose was to develop two self-regulatory Codes of Conduct on data portability and cloud switching as an element of the Commission’s broader work on cloud regulation:
• SWIPO Code of Conduct on ‘Infrastructure-as-a-service’ portability)
• SWIPO Code of Conduct on ‘Software-as-a-service’ portability
To assure a balanced approach to this work, the SWIPO Working Group was co-chaired by representatives from the cloud service industry and from business users of cloud services.
SWIPO was working on two different codes. In May 2020, the SWIPO Working Group finalised work on the Codes of Conduct.
It was decided that the Codes of Conduct will function subject to a governance agreement, enforced and put into practice by a new legal entity. This legal entity, SWIPO AISBL, was formally launched in May 2020 and is working since then autonomously and independently.
Interested cloud users and cloud providers can join the SWIPO Association
The objective of the SWIPO Codes of Conduct is to reduce the risk of vendor lock-in by cloud service providers in light of the increasing importance of the European Data Economy. The Codes of Conduct should make the European market for cloud services more fluid and to allow smaller companies and new market entrants to compete there as well. The European Commission will perform an evaluation of the Codes of Conduct and their impact before the end of 2022.
Self-regulatory working group on cloud security certification (CSPCERT)
The self-regulatory working group on cloud security certification (CSPCERT) was set up to explore options for the development of a possible European certification scheme in the field of cloud security to enhance legal certainty and trust in the cloud market. After 18 months of work, the group presented its final recommendations for a European cloud certification scheme in June 2019. The recommendations address security requirements, conformity assessment methodologies and assurance levels basic, substantial and high in line with the European Cybersecurity Act.
Next Steps
In November 2019, pursuant to the EU Cybersecurity Act, the European Commission tasked the European Union Agency for Cybersecurity (ENISA) to prepare a cybersecurity certification candidate scheme for cloud services taking into account existing and relevant schemes and standards. The recommendations developed by CSPCERT have made a significant contribution in this direction. Upon finalisation, ENISA will submit its proposal to the European Commission for adoption.
CSPCERT members
To ensure a balanced approach, the working group has consisted of relevant stakeholders including businesses of all sizes, cloud providers, cloud users and representatives of national cybersecurity certification authorities. The leadership has been hold by a balanced group of representatives including the supplier, user and expert categories.
DSM cloud stakeholder conferences
November 2019: Helsinki, Finland
September 2019: Warsaw, Poland
June 2019: Amsterdam, The Netherlands
April 2019: Berlin, Germany
February 2019: Madrid, Spain
December 2018: Vienna, Austria
October 2018: Rome, Italy
July 2018: Paris, France
December 2017: Brussels, Belgium