CloudWATCH Cloud Certification Recommendations

Security and privacy certifications and attestations have been identified as one of the most effective and efficient means to increase the level of trust in cloud services and stimulate their adoption. Based on this assumption, a number of efforts have been started in Europe at policy level, mainly led by the European Commission (EC) and their Special Industry Group on Certification, the European Union Agency for Network and Information Security (ENISA) and the European Telecommunications Standards Institute (ETSI), where CloudWATCH plays a role.

There is now a growing interest in European solutions for cloud standards and software industry development beyond the European Union. Building on this work, CloudWATCH aims to provide guidance to cloud service customers, cloud service providers and policy makers in their evaluation of suitable security and privacy certification schemes for cloud services.

Main Findings

  • Insufficient transparency of the certification process, although transparency of security & privacy capabilities exists
  • Flexibility is provided by few, so the changing requirements of users are not met


  • Transparent certification schemes: Public administration procurement demands clear visibility of the technical standards on which the certification assessment is based. The quality of the assessment/audit is important
  • Appropriate level & more transparency of detail on information security approaches
  • Soft law supporting transparency: Policy makers to work on soft law to foster transparency by supporting certification schemes that enable transparency
  • Assurance: Certification schemes should provide scalability, flexibility & cost efficiency


CloudWATCH is making an active contribution to European efforts through its focus on standards and certification, driving interoperability as key to ensuring broader choice and fairer competition.

This CloudWATCH report is aimed at providing guidance for cloud service customers, especially public administrations and small and medium companies, cloud service providers and policy makers in their evaluation of possible options for “certifying” the level of security and privacy of cloud services.

Recommendations are of interest to policy makers, ranging from the European Commission to member state level; public procurers in European, national and regional/local institutions and agencies; procurers of cloud services both in small and medium enterprises (SMEs) and large corporations; compliance managers of cloud service customers and compliance managers of cloud service providers.
