CISPE Code of Conduct


The CISPE Code of Conduct is the first pan-European sector-specific code for cloud infrastructure service providers under Article 40 of the European Union’s General Data Protection Regulation (GDPR) receiving a green light from the European Data Protection Board (EDPB). It helps organisations across Europe accelerate the development of GDPR-compliant cloud-based services for consumers, businesses, and institutions.

The CISPE Code of Conduct offers three key advantages:


While not required for GDPR compliance, many European businesses want to retain sovereignty over their data by ensuring that it remains within the EU. Uniquely, the CISPE Code of Conduct gives IaaS customers explicit options to select services that enable data to be processed entirely within the European Economic Area. As such, it also promotes data protection best practices which support the EU’s GAIA-X initiative to develop European cloud data services.


Compliance with the CISPE Code of Conduct is verified by independent, external auditors accredited as “Monitoring Bodies” by the competent European Data Protection Authority. Independent “Monitoring Bodies” strengthen the level of assurance provided by services declared under the code.


It is the first and only code to focus exclusively on the Infrastructure-as-a-Service (IaaS) sector and address the specific roles and responsibilities of IaaS providers, which cannot be represented in general, multi-purpose codes. The CISPE Code of Conduct creates the confidence and trust for end-users that a declared IaaS service is compliant with GDPR. Providers of declared services will only access or use customer data to maintain or provide the service and will not use customer data for marketing or advertising purposes.

The Trust Mark

Any company that provides Infrastructure as a Service (IaaS) in line with our Code of Conduct is eligible to apply for an official CISPE trust mark.


The ‘Candidate’ mark is awarded to services and providers that have fulfilled the self-assessment against the CISPE Code of Conduct requirements pending the verification by an independent Monitoring Body.


The ‘Compliant’ mark is given to services and providers for which compliance with the CISPE Code of Conduct has been verified by an independent Monitoring Body. 

Using CISPE data protection trust marks is subject to:

  • Declaring your service to CISPE and receiving a declaration number
  • Paying the fees required
  • Accepting the licensing contract that covers CISPE trust marks

6 steps to get the CISPE Trust Mark


Read the code


Determine which one(s) of your services meet the requirement(s)


Complete and submit the required documentation:

You will then receive the licence to use the ‘Candidate Trust Mark’ in your marketing and communications for declared services.


Choose your Monitoring Body

Select one of the independent accredited Monitoring Bodies to certify and monitor adherence of your services to the CISPE Data Protection Code.


Make the payment


Your chosen Monitoring Body will verify compliance of your declared services with the CISPE Code of Conduct.
Once achieved, you will receive the licence to use the ‘Compliant Trust Mark’ in your marketing and communications for declared services.
Your Declared Services will be added to the CISPE Public Register.

CISPE thanks the early supporters of the CISPE Code of Conduct

Many companies have supported the CISPE Code of Conduct since the beginning and have declared services against the 2016 version of the CISPE Code of Conduct. Services that have been declared under this Code are listed in the public register. The public register will be updated to reflect services declared under the version of the CISPE Code of Conduct finally approved by the competent Data Protection Authority.

Who are the Monitoring Bodies?

Monitoring Bodies for the CISPE Code of Conduct are entirely independent of CISPE, its members and the companies declaring services. Each must be accredited by a competent supervisory authority, in this case the French Data Protection Authority (CNIL).

Specified ‘Monitoring Bodies’ will be responsible for monitoring ongoing compliance with the CISPE Code of Conduct for any declared services.

If you want to become a Monitoring Body please contact the CISPE Secretariat.