On 16 June 2025, the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments (DSK) adopted a resolution on confidential cloud computing, addressing its technical and security implications. The resolution applies to cloud service providers and organisations processing sensitive or personal data using cloud infrastructure. It notes that marketing claims about data being confidential often overlook the technical complexities involved, and stresses that confidentiality requires a significantly stronger threat model, secure key management, and protection against manipulation by the provider, who retains physical and systemic access. The DSK emphasises that while such technologies can enhance security, particularly against other users and insider threats, they do not eliminate all data protection risks. Providers must be transparent about deployment scenarios, clearly communicate security assumptions, and document protective measures to ensure accountability.