EU Approves Unified Cloud Compliance Code

The EU Cloud Code of Conduct has been officially approved as a GDPR compliance instrument. This gives cloud providers and their customers a single, harmonized framework to demonstrate regulatory adherence across the EU, aiming to streamline audits and reduce legal ambiguity.

The initiative's roots trace back to 2012, when then-European Commission VP Neelie Kroes launched the European Cloud Strategy to increase trust in cloud adoption. After years of collaboration with the EU, the project was fully handed over to the industry in 2017. A consortium of cloud providers founded the EU Cloud CoC General Assembly to drive the code's development, including Alibaba Cloud, Fabasoft, IBM, Oracle, Salesforce, and SAP. An independent body, SCOPE Europe, was accredited by the Belgian Data Protection Authority to monitor and verify compliance with the code's provisions.

This code specifically translates the requirements of GDPR Article 28 into concrete controls for cloud service providers acting as data processors. It covers all service models (IaaS, PaaS, and SaaS), and adherence requires an annual assessment by the monitoring body, SCOPE Europe. Major cloud providers including Google Cloud, Microsoft Azure, and Salesforce have already undergone the assessment process and are listed in the code's public register of adherent services. This verification is also displayed on the Cloud Security Alliance (CSA) STAR Registry, replacing the previous CSA GDPR Code of Conduct.

While the code provides a clear framework for processor obligations within the EU, it does not in itself serve as a mechanism for international data transfers to third countries. A specific module to address the "essential equivalence" test from the Schrems II decision is currently in development.

This compliance framework operates alongside broader EU regulations like the Data Act, which aims to eliminate cloud egress fees by 2027 and reduce vendor lock-in. Concurrently, the Digital Markets Act (DMA) is actively investigating whether hyperscalers like AWS and Azure should be designated as "gatekeepers," which would impose further obligations related to interoperability and data portability.
