CISPE has recently published the first Code of Conduct for Cloud infrastructure providers: it’s important to acknowledge its existence and its content for both clients interested in Cloud service (in the choice of the service) and for providers of such services (to evaluate whether to adhere to it).


In this new article of our column we cover the aspects about security and secrecy of data in Cloud services, also with regards to reserved business content and to industrial properties to safeguard. But the recent publication by CISPE of the first Code of Cloud Infrastructure Service Providers last 27 September lead us to a little detour from our usual routine. What is CISPE, if you don’t happen to know it? The acronym stands for Cloud Infrastructure Services Providers in Europe and it’s an alliance of circa twenty Cloud infrastructure providers operating in different European countries.


Why adopting a Code of conduct?

The idea of the Code, as already stated in the introductory part, was born from the general observation, by the members of CISPE, that clients using a Cloud computing service (which deals with personal data) consider a key element the elaboration of data by the provider while being compliant with the European law about data protection. From a provider perspective, the Code aims being a tool to which voluntary adhere (or not) thus showing clients the compliance to Code’s rules of the services being offered.


Which Cloud services does this code applies to?

The Code focuses in particular on Cloud services provided by IaaS providers, which is one of the three fundamental Cloud services. It’s about Infrastructure-as-a-Service providers (ie providing virtual hardware or computing infrastructures) are called CISP, or “Cloud Infrastructure Services Providers”. The goal of the Code, as per its original conception, is to guide clients of these services when evaluating if a Cloud infrastructure service is suitable or not for the needs they have.


What are the requirements of the Code?

The fundamental normative part is contained in section Five and Six which contain a number of requirements in term of data protection and transparency that providers adhering to the Code must respect as data processors, with a particular attention to the security of processed data. Let’s see the main ones.

With regards to the data protection profile, which is contained in Chapter 5, providers certified with the CISPE Code of Conduct:

  • Must offer their clients the option of computing and storing data inside the UE or the European Economic Area exclusively: this way, clients can control where data is physically treated and stored.
  • Can’t perform profiling or data mining operations, which basically are the extraction of information from clients to take advantage of them for personal use of sale to third parties, for instance for marketing and advertising operations. In other words, they commit not to reuse or sell data.
  • Must operate in compliance with the requirements stated in the new European Regulations in terms of data protection.
  • Must stipulate contracts with clients with well defined clauses.
  • Must adopt adequate security measures contained in the Code.
  • Can’t subcontract its service unless there’s a written authorization and respecting the same conditions of the main contract with the client, which the main provider must be anyway responsible for.
  • Must guarantee that their employees work with a specific commitment to secrecy
  • Must notice the client any data breaches and any wrong or incorrect behaviour with no delay.
  • At the end of the service, must destroy or return all personal data to the client.

In terms of transparency (Chapter 6), six elements are stated which the provider must offer the client in order to guarantee an adequate level of transparency:a written agreement that formalizes the division of responsibilities between the CISP and the client in terms of service security; a high level of carefulness to security measures and standards that are applied to the service; clear and precise information about the structure and the operating mode of the service; information about the existence of a risk management program (of the CISP); information about security measures arranged by the CISP; enough guarantee of the given information about security management and possibility for the client to verify them.

A CISP therefore can declare its adherence to the Code (compliant with Chapter 3) if: the services being offered (or some of them, and in this case they must be stated which ones) are provided in compliance with the norms contained in the Code; operates in compliance with all EU norms in terms of data protection, including Guidelines and the general Regulations about Data Protection; allows the client to treat and store data entirely inside the European Economic Area.

Lastly, how to know if a provider adheres to the Code and, if you are a provider yourself, how to certify it? Cloud infrastructure providers that adhere to the Code and are compliant with the norms contained in it are given a Compliance Mark that proves the adhesion, and its name will be added the public CISPE registry and indicated on its website.

The CISPE Code precedes the application of the new Data Protection European Regulations which, as we noted in a previous episode of this column, has been approved last May and will be fully operative in May 2018, and confirms the interest and fundamental attention that Cloud services users and Providers must have about data security in such services.

About the Author

Veronica Morlacchi

Laureata a pieni voti in giurisprudenza, è Avvocato Cassazionista, iscritta all’Albo degli Avvocati di Busto Arsizio dal 2004 e all’Albo degli Avvocati abilitati al Patrocinio davanti alla Corte di Cassazione e alle altre Giurisdizioni superiori. Si occupa principalmente, nell’interesse di Privati, Professionisti, Aziende ed Enti pubblici, di diritto civile, in particolare responsabilità civile e risarcimento danni, diritto delle nuove tecnologie e privacy, contratti, persone e famiglia. Ha conseguito un master in Responsabilità civile e un corso di perfezionamento in Tecniche di redazione dei contratti e, da ultimo, si è perfezionata in Data Protection e Data Governance all'Università degli Studi di Milano e in Strategie avanzate di applicazione del GDPR. Pubblica periodici aggiornamenti e articoli nelle materie di cui si occupa sul suo sito e da giugno 2016 collabora con Guru Advisor

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...


The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...


The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...


Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...


In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

Read also the others...

Download of the Day


Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...



Fiddler is a proxy server that can run locally to allow application debugging and control of data in...


Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.


DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...


SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1