The Digital Single Market (DSM) cloud stakeholder working groups were established following the Commission's legislative proposals of 13 September 2017 on the free flow of non-personal data and cyber security. Their objective was to conduct self-regulatory work in the areas of cloud security and porting data/switching cloud service providers. The self-regulatory group on porting data was active from December 2017 to May 2020. The self-regulatory group on cloud security submitted its final recommendations to the Commission in June 2019.

abstract image illustrating cloud computing

Self-regulatory Codes of Conduct on data portability for easier cloud switching

The SWIPO (switching and porting) Codes of Conduct Working Group was one of two DSM (Digital Single Market) cloud stakeholder groups. Their purpose was to develop self-regulatory Codes of Conduct on data portability as an element of the Commission’s broader work on cloud regulation.

SWIPO’s policy objective was to reduce the risk of vendor lock-in by cloud service providers in light of the increasing importance for the European Data Economy. The aim was to make the European market for cloud services more fluid and to allow smaller companies and new market entrants to compete there as well.


It was decided that the Codes of Conduct will function subject to a governance agreement, enforced and put into practice by a new legal entity. This legal entity, SWIPO AISBL, was formally launched in May 2020 and is working since then autonomously and independently.

SWIPO Members

To assure a balanced approach to this work, the group was co-chaired by representatives from the cloud service industry and from business users of cloud services.
SWIPO was working on two different codes:

  • SWIPO Code of Conduct on the porting of data across different cloud infrastructures (IaaS ‘Infrastructure-as-a-service’ portability)
  • SWIPO Code of Conduct on the porting of data across different cloud-based applications (SaaS ‘Software-as-a-service’ portability

Self-regulatory working group on cloud security certification (CSPCERT)

The self-regulatory working group on cloud security certification (CSPCERT) was set up to explore options for the development of a possible European certification scheme in the field of cloud security to enhance legal certainty and trust in the cloud market. After 18 months of work, the group presented its final recommendations for a European cloud certification scheme in June 2019. The recommendations address security requirements, conformity assessment methodologies and assurance levels basic, substantial and high in line with the European Cybersecurity Act.

Next Steps

In November 2019, pursuant to the EU Cybersecurity Act, the European Commission tasked the European Union Agency for Cybersecurity (ENISA) to prepare a cybersecurity certification candidate scheme for cloud services taking into account existing and relevant schemes and standards. The recommendations developed by CSPCERT have made a significant contribution in this direction. Upon finalisation, ENISA will submit its proposal to the European Commission for adoption.

CSPCERT members

To ensure a balanced approach, the working group has consisted of relevant stakeholders including businesses of all sizes, cloud providers, cloud users and representatives of national cybersecurity certification authorities. The leadership has been hold by a balanced group of representatives including the supplier, user and expert categories.

DSM cloud stakeholder conferences

November 2019: Helsinki, Finland
September 2019:   Warsaw, Poland
June 2019:   Amsterdam, The Netherlands
April 2019:   Berlin, Germany
February 2019:   Madrid, Spain
December 2018:   Vienna, Austria
October 2018:   Rome, Italy
July 2018:   Paris, France
December 2017:   Brussels, Belgium