Key market players welcome CISPE’s Code for focus on data sovereignty, independence and cloud infrastructure services

May 20, 2021 | News

Leading brands, European authorities and global auditors among those supporting the new CISPE Data Protection Code of Conduct

20th  May 2021, Brussels. Less than 24 hours after the positive opinion given by the European Data Protection Board (EDPB) representatives from more than a dozen key organisations including VMWare, Ducati and EY Certify Point have expressed support for the CISPE Data Protection Code of Conduct. Organisations and individuals across Europe perceive its unique attributes in helping cloud service providers to create GDPR-compliant infrastructure for Europe’s Digital Economy.

Key stakeholders from the European Parliament, the Commission and from across industry welcome the CISPE code’s specific attributes:

  • Data sovereignty, supported by the ability to choose to store and process data exclusively in Europe, and have full transparency on location
  • Independence, delivered through at least four, globally recognised independent monitoring bodies
  • Prohibition of using customer data, the CISPE code clearly excludes reuse of customer data, for marketing or monetization
  • Focus on IaaS, infrastructure as different requirements precisely catered for by the CISPE code

Some of the expressions of support are given below and CISPE takes this opportunity to thank the many organisations that have been fundamental to the drafting and delivery of our Code.

Paul Nemitz, EU Commission, DG Justice

“The CISPE GDPR Code of Conduct for Cloud infrastructure is, alongside the GAIA-X initiative for a European Cloud System, an encouragement to Cloud Users and Cloud providers to look with self-confidence to the ability of Europe to set up socio-technological systems which work, in line with fundamental rights and the rule of law to ensure that, as a continent, Europe does not become dependent on essential infrastructures being provided by others, which then may also impose their rules on how we live and how we shape our society” said Paul Nemitz, Principal Advisor, European Commission, Directorate-General for Justice and Consumers

MEP Eva Maydell

“The use of cloud infrastructure has become key for any business or public administration that wants to undergo digital transformation. It is crucial that their data is handled securely and in compliance with the GDPR,” commented MEP Eva Maydell. “This is why, since day one, I supported the CISPE Code of Conduct and I am very glad to see today that their consistent efforts pay off.”

ANSSI (National Information Security Agency of France)

“With the development of cloud infrastructures, the matter of trust is now central in addition to issues of performance and innovation. It is reflected in the need to share and apply clear rules, like the ones developed in the code of conduct proposed by CISPE, and adapted to the level of sensitivity of the information systems and hosted data. Technical, operational and legal security must be at the centre of the certification procedures implemented at both national and European level to effectively guide the beneficiary towards offers that guarantee a long-lasting development of trust.” Guillaume Poupard CEO ANSSI


“EY has a global reputation for independence. We believe that independent monitoring bodies are fundamental to the success of Codes of Conduct and thus critical to effective operation of GDPR. Seeking accreditation as a Monitoring Body for the CISPE code is in complete alignment with our purpose and we will be honoured to play this crucial role.” Jatin Shegal, Managing Director, EY CertifyPoint

Bureau Veritas

“The strength of any Code of Conduct lies in the auditing of the services that declare under it,” said Paolo Tondi, I&F Italy Sales Manager, Bureau Veritas. “As a globally recognised audit company Bureau Veritas is completely independent of the code and the businesses declaring services. Therefore, customers can be assured that there are no conflicts of interest and that every service has been fully and comprehensively audited before receiving the declaration of compliance.”


The sharp focus on IaaS offered by CISPE’s Code of Conduct is hugely valuable to us and to the market,” said Laurent Allard, Strategic Business Development – EMEA at VMWare. “There are very important differences between how cloud infrastructure providers and wider cloud service providers treat personal data and it is important to have a Code of Conduct built specifically for the former. We expect many of our partners will declare services under CISPE’s clear, targeted code.”


“In the manufacturing and motorsport field, we need to collect and process significant amounts of data ensuring the maximum security of these data in terms of resilience and GDPR compliance. As such, it is essential that we have confidence that the cloud infrastructure services we rely upon are also fully compliant. Providers declaring services under the CISPE code give us a further level of guarantee that they provide this vital compliance.” Alessandro Iervolino, DPO & CISO, Ducati Motor Holding S.p.A.

Baker McKenzie

“We have played an important role in the development of the CISPE code as legal advisors to the project,” Steve Holmes, Head of London’s Technology and Communications practice at Baker McKenzie commented.  “It is gratifying to see it as one of the first codes to be approved by the EDPB and believe that it will help many businesses adopt cloud infrastructure services with confidence in their compliance with GDPR.”


“The approval of the CISPE Code of Conduct by the EDPB is a major step forward in clarifying the roles and responsibilities of IaaS providers in managing customer data within the EU. For customers who use these services, this will provide a clear and pragmatic registry to ensure that their providers are compliant with the GDPR.” Adel Bourenane, Partner, IT Advisory, KPMG.


“Operating across Europe and handling the personal data of European citizens it is imperative that the cloud infrastructure services we use provide the choice to keep data within the European Economic Area, the CISPE code of conduct gives us that assurance. This control over how and where data is processed is a core plank of the whole GAIA-X project with which we are deeply committed.”   Martine Gouriet, Directrice des Usages Numériques at EDF

Groupe SEB

“Digital transformation is key to strategical growth and can no longer be a trade-off between privacy and security. The CISPE Code of Conduct will help providing that assurance for selecting the right cloud infrastructure providers to work with. Companies can now synergize innovation with privacy protection.” Stéphane Nappo, Vice-President & Global Chief Information Security Officer, Groupe SEB

3DS Outscale (Dassault Systemes) *

“We are very pleased with the approval of the CISPE Code of Conduct, which we have been complying with since its publication. This gives our customers an additional token of trust to support their migration to the Cloud. “  Laurent Seror – CEO 3DS OUTSCALE


“The approval of the CISPE Code for data protection marks a major achievement, both for the industry and for end users, which will ensure transparent rules to protect the rights of European citizens in the digital age,” stated Stefano Cecconi, VP CISPE and CEO Aruba S.p.A .
“We expect greater trust in service providers: data will be processed and stored in the European Economic Area and providers won’t be able to access customer records for any purpose besides maintaining or providing the agreed services.”


“Cloud infrastructure is the foundation of our digital economy and we need it to be robust and reliable, so we can build trustworthy digital services for citizens and public sector institutions in full confidence that we comply with GDPR, knowing that cloud providers follow the CISPE Code of Conduct gives the needed assurances to satisfy both regulators and cloud users on data protection.” Diego Cabezudo, CEO of Gigas


We are very proud of this endorsement by the European Data Protection Board. It gives our IaaS services, already compliant to the CISPE Code of Conduct and already approved by AgID (Agency for Digital Italy), a further seal of approval for our Customers as a trustworthy cloud infrastructure. Danilo Vivarelli, CEO of IRIDEOS


“The CISPE Code is for us the real first step of the true sovereign European cloud.” Jules-Henri Gavetti, CEO of Ikoula


“Leaseweb Global – one of the early members of CISPE and a Dutch headquartered, globally operating hybrid cloud hosting provider – fully embraces GDPR regulations worldwide to benefit our international customer base. We are proud and we value the importance  that the CISPE Data Protection Code of Conduct has been confirmed by the European Data Protection Board as the first pan-European code for cloud infrastructure providers,” said Jacqueline van de Werken, CISPE Board Member and Group General Counsel & DPO for Leaseweb Global.


“We are delighted of this important step in the direction of a full recognition of the CISPE Code of Conduct as a tool that can effectively support the choice of customers who want to use GDPR-compliant IaaS cloud services that meet an objective of European digital sovereignty.” – Michele Zunino – CEO Netalia


“Today, the CISPE Data Protection Code become a reference tool for the whole cloud ecosystem: first, for any cloud provider willing to demonstrate compliance with the GDPR, particularly in the framework of Gaia-X. Secondly, for the EU users ecosystem willing to identify infrastructures fully stored and processed in Europe with no re-use of their data. This code plays a key role in building a strong European sovereign cloud,” says Michel Paulin, CEO of OVHcloud.

*CISPE Members

About CISPE: CISPE  is an association of cloud infrastructure service providers in Europe. CISPE has 34 members with global headquarters in 14 EU Member States. CISPE has developed the first GDPR code of conduct which encourages the storage and processing of personal data exclusively in Europe. Since 2017, with EuroCIO and then with CIGREF, CISPE has co-chaired the working group developing industry Codes of Conducts which facilitate and enable data portability. This was established by the European Commission within the framework of EU Regulations on the Free Flow of non-personal Data. In addition, CISPE is among the 22 founding members of the GAIA-X initiative and the convener of the Climate Neutral Data Centre Pact.

Contact: For all questions and to speak to CISPE or one of its member companies, please contact us here:  Tel +32 2 502 65 80

Never miss a post!

Subscribe to our newsletter below

We don’t spam! We keep your data private and share your data only with third parties that make this service possible. Read more in our Privacy Policy