Approved Quotes from key supporters

CISPE Data Protection Code of Conduct

MEP Eva Maydell

“The use of cloud infrastructure has become key for any business or public administration that wants to undergo digital transformation. It is crucial that their data is handled securely and in compliance with the GDPR,” commented MEP Eva Maydell. “This is why, since day one, I supported the CISPE Code of Conduct and I am very glad to see today that their consistent efforts pay off.”

Paul Nemitz, EU Commission, DG Justice

“The CISPE GDPR Code of Conduct for Cloud infrastructure is, alongside the GAIA-X initiative for a European Cloud System, an encouragement to Cloud Users and Cloud providers to look with self-confidence to the ability of Europe to set up socio-technological systems which work, in line with fundamental rights and the rule of law to ensure that, as a continent, Europe does not become dependent on essential infrastructures being provided by others, which then may also impose their rules on how we live and how we shape our society,” said Paul Nemitz, Principal Advisor, European Commission, Directorate-General for Justice and Consumers.


“Operating across Europe and handling the personal data of European citizens it is imperative that the cloud infrastructure services we use provide the choice to keep data within the European Economic Area, the CISPE code of conduct gives us that assurance. This control over how and where data is processed is a core plank of the whole GAIA-X project with which we are deeply committed.” Martine Gouriet, Directrice des Usages Numériques at EDF

Bureau Veritas

“The strength of any Code of Conduct lies in the auditing of the services that declare under it,” said Paolo Tondi, I&F Italy Sales Manager, Bureau Veritas. “As a globally recognised audit company Bureau Veritas is completely independent of the code and the businesses declaring services. Therefore, customers can be assured that there are no conflicts of interest and that every service has been fully and comprehensively audited before receiving the declaration of compliance.”


“EY has a global reputation for independence. We believe that independent monitoring bodies are fundamental to the success of Codes of Conduct and thus critical to effective operation of GDPR. Seeking accreditation as a Monitoring Body for the CISPE code is in complete alignment with our purpose and we will be honoured to play this crucial role.” Jatin Shegal, Managing Director, EY CertifyPoint


“In the manufacturing and motorsport field, we need to collect and process significant amounts of data ensuring the maximum security of these data in terms of resilience and GDPR compliance. As such, it is essential that we have confidence that the cloud infrastructure services we rely upon are also fully compliant. Providers declaring services under the CISPE code give us a further level of guarantee that they provide this vital compliance.” Alessandro Iervolino, DPO & CISO, Ducati Motor Holding S.p.A.

ANSSI (National Information Security Agency of France)

“With the development of cloud infrastructures, the matter of trust is now central in addition to issues of performance and innovation. It is reflected in the need to share and apply clear rules, like the ones developed in the code of conduct proposed by CISPE, and adapted to the level of sensitivity of the information systems and hosted data. Technical, operational and legal security must be at the centre of the certification procedures implemented at both national and European level to effectively guide the beneficiary towards offers that guarantee a long-lasting development of trust.” Guillaume Poupard, CEO, ANSSI

Baker McKenzie

“We have played an important role in the development of the CISPE code as legal advisors to the project,” Steve Holmes, Head of London’s Technology and Communications practice at Baker McKenzie commented. “It is gratifying to see it as one of the first codes to be approved by the EDPB and believe that it will help many businesses adopt cloud infrastructure services with confidence in their compliance with GDPR.”


“The sharp focus on IaaS offered by CISPE’s Code of Conduct is hugely valuable to us and to the market,” said Laurent Allard, Strategic Business Development – EMEA at VMware. “There are very important differences between how cloud infrastructure providers and wider cloud service providers treat personal data and it is important to have a Code of Conduct built specifically for the former. We expect many of our partners will declare services under CISPE’s clear, targeted code.”


“The approval of the CISPE Code of Conduct by the EDPB is a major step forward in clarifying the roles and responsibilities of IaaS providers in managing customer data within the EU. For customers who use these services, this will provide a clear and pragmatic registry to ensure that their providers are compliant with the GDPR.” Adel Bourenane, Partner, IT Advisory, KPMG.

Groupe SEB

“Digital transformation is key to strategical growth and can no longer be a trade-off between privacy and security. The CISPE Code of Conduct will help provide that assurance for selecting the right cloud infrastructure providers to work with. Companies can now synergize innovation with privacy protection.” Stéphane Nappo, Vice-President & Global Chief Information Security Officer, Groupe SEB

3DS Outscale (Dassault Systemes)

“We are very pleased with the approval of the CISPE Code of Conduct, which we have been complying with since its publication. This gives our customers an additional token of trust to support their migration to the Cloud.” Laurent Seror – CEO 3DS OUTSCALE


“The approval of the CISPE Code for data protection marks a major achievement, both for the industry and for end users, which will ensure transparent rules to protect the rights of European citizens in the digital age,” stated Stefano Cecconi, VP CISPE and CEO Aruba S.p.A.
“We expect greater trust in service providers: data will be processed and stored in the European Economic Area and providers won’t be able to access customer records for any purpose besides maintaining or providing the agreed services.”


“Cloud infrastructure is the foundation of our digital economy and we need it to be robust and reliable, so we can build trustworthy digital services for citizens and public sector institutions in full confidence that we comply with GDPR, knowing that cloud providers follow the CISPE Code of Conduct gives the needed assurances to satisfy both regulators and cloud users on data protection.” Diego Cabezudo, CEO of Gigas


“We are very proud of this endorsement by the European Data Protection Board. It gives our IaaS services, already compliant to the CISPE Code of Conduct and already approved by AgID (Agency for Digital Italy), a further seal of approval for our Customers as a trustworthy cloud infrastructure.” Danilo Vivarelli, CEO of IRIDEOS


“The CISPE Code is for us the real first step of the true sovereign European cloud.” Jules-Henri Gavetti, CEO of Ikoula


“Leaseweb Global – one of the early members of CISPE and a Dutch headquartered, globally operating hybrid cloud hosting provider – fully embraces GDPR regulations worldwide to benefit our international customer base. We are proud and we value the importance that the CISPE Data Protection Code of Conduct has been confirmed by the European Data Protection Board as the first pan-European code for cloud infrastructure providers,” said Jacqueline van de Werken, CISPE Board Member and Group General Counsel & DPO for Leaseweb Global.


“We are delighted with this important step in the direction of a full recognition of the CISPE Code of Conduct as a tool that can effectively support the choice of customers who want to use GDPR-compliant IaaS cloud services that meet an objective of European digital sovereignty.” – Michele Zunino – CEO Netalia


“Today, the CISPE Data Protection Code becomes a reference tool for the whole cloud ecosystem: first, for any cloud provider willing to demonstrate compliance with the GDPR, particularly in the framework of Gaia-X. Secondly, for the EU users ecosystem willing to identify infrastructures fully stored and processed in Europe with no re-use of their data. This code plays a key role in building a strong European sovereign cloud,” says Michel Paulin, CEO of OVHcloud.