About IBM Cloud regional compliance programs

Leaders of international organizations are faced with a growing landscape of region-specific compliance standards as they move their IT infrastructures to the cloud. IBM Cloud® platform services can help you meet these regional compliance standards.

Asia Pacific

FISC (Japan)

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance with the purpose of conducting research on topics related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

IRAP (Australia)

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative providing high-quality information and communications technology (ICT) services to government. Administered by the Australian Cyber Security Center (ACSC), IRAP assessments help Australian Government clients verify that appropriate controls are in place for addressing ICT requirements detailed in the Australian Government Information Security Manual produced by the ASD. 

IBM Cloud infrastructure services successfully completed an IRAP PROTECTED level assessment, enabling Australian Government clients to establish a highly secure and compliant PROTECTED level environment within IBM Cloud. The IBM Cloud infrastructure PROTECTED assessment included Security Construction and Equipment Committee (SCEC) Zone 3 level data centers with video surveillance. 

The Australian Taxation Office certified IBM Cloud infrastructure services for the processing, storing, and transmitting of Australian Government information classified up to, and including, PROTECTED for the IaaS services detailed within the IRAP assessment scope.

Australian Government clients may request the IBM Cloud Infrastructure IRAP PROTECTED Assessment and Certification Package:

Log in to IBM Cloud or contact an IBM representative.

K-ISMS (South Korea)

The Korea Information Security Management System (K-ISMS) is a Korean government-backed certification sponsored by the Korea Internet and Security Agency (KISA). K-ISMS is a certification system designed to assess if an organization's information security management system is properly established, managed and operated. Achieving this certification means IBM Cloud infrastructure clients in South Korea can more easily demonstrate adherence to local legal requirements for protection of key digital information assets and meet KISA compliance standards.

View the IBM Cloud infrastructure services K-ISMS certificate in English (PDF, 317 KB)

View the IBM Cloud infrastructure services K-ISMS certificate in Korean (PDF, 280 KB)

MTCS (Singapore)

Multi-Tier Cloud Security (MTCS), also known as Singapore Standard SS 584, is a security standard for cloud service providers operating in Singapore. Expanding on other standards such as ISO/IEC 27001, MTCS was developed under the Information Technology Standards Committee (ITSC) and is designed to ensure that security and privacy practices are followed to reduce risk when operating within a cloud environment.

IBM Cloud Infrastructure services have received MTCS/SS 584:2015 Level 3 certification.

View the IBM Cloud Infrastructure services MTCS certificate (link resides outside IBM.com)

Services in scope include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud for VMware Solutions (Dedicated options)
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

My Number Act (Japan)

The Social Security and Tax Number System (My Number Act) went into effect in Japan in January 2016. Under this act, a unique number is assigned to every resident in Japan, whether Japanese or foreign, to be used mainly for taxation and social security purposes. The Personal Information Protection Commission (PPC) created guidelines to help companies properly handle and protect their My Number information.


The Security Construction and Equipment Committee (SCEC) is an interdepartmental committee that evaluates security equipment and tools that are used by Australian Government departments and agencies. SCEC guidelines are managed through the Australian Security and Intelligence Organization (ASIO) T4 Protective Security directorate, which evaluates protective security products to determine their suitability for use in Australian Government facilities.

IBM public cloud data centers in Sydney, Australia were evaluated and certified by an accredited SCEC security zone consultant as having the appropriate protective security controls in compliance with the principles of the Australian Government Protective Security Policy Framework, and provide the operational environment necessary for the confident and secure conduct of Australian Government business.

View the SCEC Certificates (PDF, 770 KB)

Europe and United Kingdom

BaFin (Germany)

BaFin, formally known as the German Federal Financial Supervisory Authority, oversees all financial services firms in Germany. BaFin has published a specification for the regulatory framework for cloud computing services provided to financial services firms.

C5 (Germany)

The Cloud Computing Compliance Controls Catalog (C5), introduced by the German Federal Office for Information Security (BSI), is a cloud-specific attestation scheme. This scheme outlines the requirements cloud service providers must meet in order to ensure a minimum security level for their cloud services. C5 elevates the demands on cloud providers by combining existing security standards, such as ISO 27001, with additional requirements for increased transparency in data processing.

To request the IBM Cloud infrastructure C5 attestation, do one of the following:

  • Visit the client portal (link resides outside IBM)
  • Contact an IBM representative

European Banking Authority - EBA (EU)

As part of its mission to establish consistent, efficient and effective supervisory practices across the EU and ensure uniform application of Union law, the European Banking Authority (EBA) issues regulatory guidelines and recommendations in its fields of competence.

Learn how IBM Cloud platform supports EBA recommendations (PDF, 1.5 MB)


The European Union Agency for Network and Information Security (ENISA) issued the Information Assurance Framework (IAF), a set of assurance criteria designed to assess the risk of adopting cloud services, compare different cloud provider offers, obtain assurance from the selected cloud providers, and reduce their assurance burden.

ENS (Spain)

The Esquema Nacional de Seguridad (ENS) (National Security Framework) of Spain is based on Spanish Law 11/2007 and governed by Royal Decree 3/2010. The decree’s security provisions apply to all cloud service providers (CSPs) that provide services to government agencies and public organizations. The provisions also apply to the agencies and organizations that purchase those cloud services. The ENS establishes the security policy for eGovernment services, as well as basic principles and minimum requirements to enable adequate information security and privacy protection controls for all public sector organizations. Many ENS security controls are related to ISO/IEC 27001:2013, with information protection measures for low, intermediate, and high sensitivity.

View the IBM Cloud infrastructure ENS High certificate in Spanish (PDF, 1.3 MB)

View the IBM Cloud infrastructure ENS High certificate in English (PDF, 1.2 MB)

IBM Cloud platform services have maintained ENS High certification since 2019, including:

Fortigate Security Appliance
Gateway Appliance
Hardware Firewall
IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link (1.0)
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage (IaaS)
IBM Cloud SAP-Certified Cloud Infrastructure
IBM Cloud Virtual Servers
Storage Area Network (SAN)

EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' Personally Identifiable Information (PII). These clauses obligate non-EU companies to follow the laws and practices mandated by the EU Data Protection Directive in all global locations. The clauses provide enforcement rights and assurance to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws. In May 2018, the EU Data Protection Directive was replaced by the General Data Protection Regulation (GDPR).

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration. These frameworks provide companies on both sides of the Atlantic with a mechanism that helps them comply with data-protection requirements when they transfer personal data from the European Union (EU) and Switzerland to the United States in support of transatlantic commerce.

View the IBM policy and list of privacy-shield certified IBM Cloud services

TISAX (Germany)

The German Association of the Automotive Industry (Verband der Automobilindustrie, or VDA) developed the Trusted Information Security Assessment Exchange (TISAX), a security framework and information exchange designed to address the needs of the automobile manufacturing industry.

Broadly based on the international ISO/IEC 27001 and 27002 standards, TISAX is overseen by a neutral third party — the ENX Association (link resides outside IBM) — which governs the accreditation and assessment of the TISAX standards.

IBM Cloud Infrastructure services available across all IBM Cloud data centers were assessed at the TISAX assessment level 2 standard, to the following VDA Information Security Assessment (ISA) criteria catalogues:

  • Information with High Protection Needs
  • Connection to 3rd Parties with High Protection Needs   
  • Data Protection according to EU-GDPR Art. 28 ("Processor")

TISAX and TISAX results are not intended for the general public. The IBM Deutschland GmbH TISAX assessment result can only be retrieved by logging into the ENX Portal (link resides outside IBM). (Scope ID SWYCFY, Assessment ID AV09CR-1)

Services in scope include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers


As part of the European Union's General Data Protection Regulation (GDPR), IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes. This work also strengthens existing controls to limit access to personal data, including mobile applications that rely on default settings to prevent sharing of personal data.

Learn about the IBM GDPR Framework

G-Cloud (UK)

The government of the United Kingdom created the G-Cloud framework to enable a faster and less expensive process for UK government organizations to enter into procurement contracts with cloud providers. G-Cloud services are divided into three categories: cloud hosting, cloud software, and cloud support.

Hébergeurs de Données de Santé - HDS; Health Data Hosting (France)

Hébergeurs de Données de Santé (HDS) is designed to describe the conditions under which personal health data initially collected in France must be protected. Data hosting must include security controls commensurate with the critical nature of the data.

Any individual or legal person who hosts personal health data collected in France must be approved or certified for this purpose.

View the IBM Cloud infrastructure services HDS certificate (PDF, 448 KB)

IT-Grundschutz (Germany)

The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information in an organization. IT-Grundschutz uses a holistic approach to this process, and provides guidance for the application of technical, organizational, personnel and infrastructural safeguards.

NIS Directive (EU)

The Network and Information Systems (NIS) Directive (EU 2016/1148) is the first cybersecurity law to cover the entire European Union, and is intended to boost the overall cybersecurity level for critical infrastructure in the EU.

IBM maintains standard technical and organizational measures that are appropriate and proportionate to manage the risks posed to the security of network and information systems. This includes a security monitoring program and a global incident response process to respond to cybersecurity threats and attacks. In addition, IBM utilizes a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among its workforce. More information on these technical and organizational measures is available in IBM certifications and audit reports such as ISO 27001 and SOC 2.


United States


Security is central to compliance with the Family Educational Rights and Privacy Act (FERPA), which requires the protection of student information from unauthorized disclosures. Educational institutions that use cloud computing need contractual reassurances that a technology vendor will appropriately manage sensitive student data.