CISPE Code of Conduct


The CISPE Code of Conduct is the first pan-European sector-specific code for cloud infrastructure service providers under Article 40 of the European Union’s General Data Protection Regulation (GDPR) to receive a green light from the European Data Protection Board (EDPB). It helps organisations across Europe accelerate the development of GDPR-compliant cloud-based services for consumers, businesses, and institutions.

The CISPE Code of Conduct offers three key advantages:

Data in Europe

Many European businesses want to retain better control over their data by ensuring that it remains within the EU. Uniquely, and although this is not required for GDPR compliance, the CISPE Code of Conduct gives IaaS customers explicit options to select services that enable data to be processed entirely within the European Economic Area. As such, it also promotes data protection best practices which support the EU’s GAIA-X initiative to develop European federated cloud data services.


Compliance with the CISPE Code of Conduct is verified by independent, external auditors accredited as “Monitoring Bodies” by the competent European Data Protection Authority. Independent “Monitoring Bodies” strengthen the level of assurance provided by services declared under the code.


It is the first and only code to focus exclusively on the Infrastructure-as-a-Service (IaaS) sector and address the specific roles and responsibilities of IaaS providers, which cannot be represented in general, multi-purpose codes. The CISPE Code of Conduct creates the confidence and trust for end-users that a declared IaaS service is compliant with GDPR. Providers of declared services will only access or use customer data to maintain or provide the service and will not use customer data for marketing or advertising purposes.

The Trust Mark

Any company that provides Infrastructure-as-a-Service (IaaS) in line with our Code of Conduct is eligible to apply for an official CISPE trust mark.


The ‘Candidate’ mark is awarded to services and providers that have fulfilled the self-assessment against the CISPE Code of Conduct requirements pending the verification by an independent Monitoring Body.


The ‘Compliant’ mark is given to services and providers for which compliance with the CISPE Code of Conduct has been verified by an independent Monitoring Body. 

Using CISPE data protection trust marks is subject to:

  • Declaring your service to CISPE and receiving a declaration number
  • Paying the fees required
  • Accepting the licensing contract that covers CISPE trust marks

4 steps to get the CISPE Trust Mark


Read the Code and determine which one(s) of your services meet the requirement(s)


Declare your services by completing and submitting the Declaration of Adherence with the required documentation on the “Declare a Service” page.


If the submission is complete, the CISPE Secretariat will incorporate the Declaration of Adherence into the Public Register within 10 working days of the notification of acceptance. (Note: notification of acceptance may take up to 40 days.)


CISPE will issue an invoice based on the number of services declared according to the fee schedule.