The Digital Single Market (DSM) cloud stakeholder working groups were established following the Commission's legislative proposals of 13 September 2017 on the free flow of non-personal data and cyber security. Their objective is to conduct self-regulatory work in the areas of cloud security and porting data/switching cloud service providers.

abstract image illustrating cloud computing

Self-regulatory Codes of Conduct on data portability for easier cloud switching 

The SWIPO (switching and porting) Codes of Conduct Working Group is one of two DSM (Digital Single Market) cloud stakeholder groups. The purpose is to develop self-regulatory Codes of Conduct on data portability by 29 November 2019 and to implement them by 29 May 2020. The SWIPO Codes of Conduct are an element of the Commission’s broader work on cloud regulation.

SWIPO ’s policy objective is to reduce the risk of vendor lock-in by cloud service providers in light of the increasing importance for  the European Data Economy. The aim is to make the European market for cloud services more fluid and to allow smaller companies and new market entrants to compete there as well. During the implementation phase of the Codes of Conduct, the Commission will allow the SWIPO Working Group to develop its model contractual clauses, offering transparency for customers and safeguarding the actual implementation of the codes by cloud service providers that declare themselves to be adherent.


The Codes of Conduct will function subject to a governance agreement, enforced and put into practice by a new legal entity.

SWIPO Members

To assure a balanced approach to this work, the group is co-chaired by representatives from the cloud service industry and from business users of cloud services. The Working Group comprises stakeholders with relevant legal, technical and economical expertise and professional experience in the field of cloud computing. This self-regulatory work will constitute an open and inclusive process, so that any experts meeting the aforementioned requirements will be able to join throughout the process. Experts can express their interest to join the work by sending an email to:
SWIPO is working on two different codes:
•    SWIPO Code of Conduct on the porting of data across different cloud infrastructures (IaaS ‘Infrastructure-as-a-service’ portability)
•    SWIPO Code of Conduct on the porting of data across different cloud-based applications (SaaS ‘Software-as-a-service’ portability)

SWIPO Working Group on IaaS services:

Mr. Freddy van den Wyngaert, representing EuroCIO (a platform for business users of cloud services)
Mr. Alban Schmutz, representing CISPE (a platform for cloud service providers)

SWIPO Working Group on SaaS services:

Mr. Aniello Gentile, representing Confindustria and BusinessEurope (associations of business users of cloud services)
Mr. Maurice van der Woude, representing BP Delivery (representing SME-users of cloud services)
Mr. Chris Francis, representing SAP and Digital Europe (the association of European technology providers)
Mr. Jörn Wittmann, Scope Europe, representing a private Monitoring Body for Codes of Conduct

Self-regulatory working group on cloud security certification (CSP CERT)

The self-regulatory working group on cloud security certification aims at exploring options for the development of a possible candidate scheme in the field of cloud security to enhance legal certainty and trust in the cloud market. After 18 months of work the group presented its final recommendations for a European cloud certification scheme in June 2019 in Amsterdam. They address security requirements, conformity assessment methodologies and assurance levels basic, substantial and high in line with the European Cybersecurity Act.

The fast development of such a certification scheme is crucial for cloud uptake and the free movement of data in Europe. It will allow to demonstrate equivalence of security requirements throughout Europe and facilitate the cross-border storing and processing of data while also making it easier to compare cloud service providers with respect to security when considering switching provider. Such a scheme will help to overcome the current patchwork of cloud security certification schemes. This will be of central significance for the European data economy and the digitisation of the industry.
CSP CERT members:
The working group consists of relevant stakeholders including businesses of all sizes, users and representatives of national cybersecurity certification authorities.

Mr. Borja Larrumbide, representing BBVA and the European Banking Federation (large business users of cloud services)
Mr. Helmut Fallmann, representing Fabasoft  (an Austrian SME cloud service provider and member to the General Assembly of the EU Code of Conduct on Data Protection)

DSM cloud stakeholder conferences

November 2019: Helsinki, Finland
September 2019:   Warsaw, Poland
June 2019:   Amsterdam, The Netherlands
April 2019:   Berlin, Germany
February 2019:   Madrid, Spain
December 2018:   Vienna, Austria
October 2018:   Rome, Italy
July 2018:   Paris, France
December 2017:   Brussels, Belgium