About IBM Cloud regional compliance programs

Leaders of international organizations are faced with a growing landscape of region-specific compliance standards as they move their IT infrastructures to the cloud. IBM Cloud™ platform services can help you meet these regional compliance standards.

Asia Pacific

FISC (Japan)

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance with the purpose of conducting research on topics related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

IRAP (Australia)

The Information Security Registered Assessors Program (IRAP) was created by the Australian Signals Directorate to provide high-quality information and communications technology services to governments in support of Australia’s security. IRAP provides the framework to endorse individuals from the private and public sectors to supply cybersecurity assessment services to Australian governments.

K-ISMS (South Korea)

The Korea Information Security Management System (K-ISMS) is a Korean government-backed certification sponsored by the Korea Internet and Security Agency (KISA). K-ISMS is a certification system designed to assess if an organization's information security management system is properly established, managed and operated. Achieving this certification means IBM Cloud infrastructure clients in South Korea can more easily demonstrate adherence to local legal requirements for protection of key digital information assets and meet KISA compliance standards.

View the IBM Cloud infrastructure services K-ISMS certificate in English (PDF, 317 KB)

View the IBM Cloud infrastructure services K-ISMS certificate in Korean (PDF, 280 KB)

MTCS (Singapore)

Multi-Tier Cloud Security (MTCS), also known as Singapore Standard SS 584, is a multi-tiered security standard for cloud service providers operating in Singapore.

To request the IBM Cloud infrastructure certificate: Visit the client portal (link resides outside IBM)

My Number Act (Japan)

The Social Security and Tax Number System (My Number Act) went into effect in Japan in January 2016. Under this act, a unique number is assigned to every resident in Japan, whether Japanese or foreign, to be used mainly for taxation and social security purposes. The Personal Information Protection Commission (PPC) created guidelines to help companies properly handle and protect their My Number information.

Europe and United Kingdom

BaFin (Germany)

BaFin, formally known as the German Federal Financial Supervisory Authority, oversees all financial services firms in Germany. BaFin has published a specification for the regulatory framework for cloud computing services provided to financial services firms.

C5 (Germany)

The Cloud Computing Compliance Controls Catalog (C5), introduced by the German Federal Office for Information Security (BSI), is a cloud-specific attestation scheme. This scheme outlines the requirements cloud service providers must meet in order to ensure a minimum security level for their cloud services. C5 elevates the demands on cloud providers by combining existing security standards, such as ISO 27001, with additional requirements for increased transparency in data processing.

To request the IBM Cloud infrastructure C5 attestation, do one of the following:
Visit the client portal (link resides outside IBM)
Contact an IBM representative

European Banking Authority - EBA (EU)

As part of its mission to establish consistent, efficient and effective supervisory practices across the EU and ensure uniform application of Union law, the European Banking Authority (EBA) issues regulatory guidelines and recommendations in its fields of competence.

Learn how IBM Cloud platform supports EBA recommendations (PDF, 1.5 MB)


The European Union Agency for Network and Information Security (ENISA) issued the Information Assurance Framework (IAF), a set of assurance criteria designed to assess the risk of adopting cloud services, compare different cloud provider offers, obtain assurance from the selected cloud providers, and reduce their assurance burden.

ENS (Spain)

The National Security Framework of Spain (ENS) is a legal decree that develops provisions about security and applies them to all public administrations in Spain. The ENS establishes the security policy for eGovernment services. It sets out the basic principles and minimum requirements that all public administrations must follow to enable adequate protection of information.

View the IBM Cloud infrastructure ENS High certificate (PDF, 704 KB)

IBM Cloud platform services with an ENS High certificate include:

IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' Personally Identifiable Information (PII). These clauses obligate non-EU companies to follow the laws and practices mandated by the EU Data Protection Directive in all global locations. The clauses provide enforcement rights and assurance to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws. In May 2018, the EU Data Protection Directive was replaced by the General Data Protection Regulation (GDPR).

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration. These frameworks provide companies on both sides of the Atlantic with a mechanism that helps them comply with data-protection requirements when they transfer personal data from the European Union (EU) and Switzerland to the United States in support of transatlantic commerce.

View the IBM policy and list of privacy-shield certified IBM Cloud services


As part of the European Union's General Data Protection Regulation (GDPR), IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes. This work also strengthens existing controls to limit access to personal data, including mobile applications that rely on default settings to prevent sharing of personal data.

Learn about the IBM GDPR Framework

G-Cloud (UK)

The government of the United Kingdom created the G-Cloud framework to enable a faster and less expensive process for UK government organizations to enter into procurement contracts with cloud providers. G-Cloud services are divided into three categories: cloud hosting, cloud software, and cloud support.

Hébergeurs de Données de Santé - HDS; Health Data Hosting (France)

Hébergeurs de Données de Santé (HDS) is designed to describe the conditions under which personal health data initially collected in France must be protected. Data hosting must include security controls commensurate with the critical nature of the data.

Any individual or legal person who hosts personal health data collected in France must be approved or certified for this purpose.

View the IBM Cloud infrastructure services HDS certificate (PDF, 448 KB)

IT-Grundschutz (Germany)

The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information in an organization. IT-Grundschutz uses a holistic approach to this process, and provides guidance for the application of technical, organizational, personnel and infrastructural safeguards.

NIS Directive (EU)

The Network and Information Systems (NIS) Directive (EU 2016/1148) is the first cybersecurity law to cover the entire European Union, and is intended to boost the overall cybersecurity level for critical infrastructure in the EU.

IBM maintains standard technical and organizational measures that are appropriate and proportionate to manage the risks posed to the security of network and information systems. This includes a security monitoring program and a global incident response process to respond to cybersecurity threats and attacks. In addition, IBM utilizes a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among its workforce. More information on these technical and organizational measures is available in IBM certifications and audit reports such as ISO 27001 and SOC 2.


United States


Security is central to compliance with the Family Educational Rights and Privacy Act (FERPA), which requires the protection of student information from unauthorized disclosures. Educational institutions that use cloud computing need contractual reassurances that a technology vendor will appropriately manage sensitive student data.