And about time too
1. Is this PDF a draft or a final document? Even at a glance the number of bad page breaks suggests that nobody has proof-read it. On a more detailed reading there are places where the wording could be significantly improved. A particularly egregious example is "A CISP may choose to declare only specific of its cloud infrastructure services as adhering to the Code Requirements."
2. The code provides regulation of the location of data processing to be within the EEA. It doesn't address data sovereignty fully. If the CISP is owned by a non-EEA entity it might find itself subject to the sorts of demands we see in the Microsoft and Google email access cases in the US. There needs to be a requirement for something like the Microsoft/DT trustee arrangement or the DC being operated by a wholly EEA company under franchise from the foreign business.
3. There's provision for self-certification. This needs to be restricted. For instance I use a small data registrar & hosting business for my personal email; it might be unreasonable to expect such a business to be economically audited by a 3rd party. The Microsofts & AWSs should be, especially when data mining is also part of their business.
4. The code states that security of the guest OS is solely the customer's responsibility. The customer should be responsible for not letting in malware or whatever but if the OS is initially installed by the CISP from their own build or profile they should have a responsibility for ensuring that that install is clean.
Would it also be too much to ask that data controllers, the CISPs' customers, have a similar code of conduct including an undertaking to only use CISPs who abide by this code of conduct?