- CoCo 1.0 is based on the Data protection directive and CoCo 2.0 on the GDPR which replaced the directive in 25 May 2018.
- CoCo 2.0 is more descriptive, it explains how the law should be interpreted in the context of attribute release in an R&E identity federation (e.g. what the attributes can be used for, how long they can be stored, etc)
- CoCo 2.0, after approved by the data protection authorities, justifies attribute release out of EU, if the SP has committed to it properly. This means also non-EU/EEA SPs can commit to it.
- CoCo 2.0 covers better the needs of international organisations (such as CERN and EMBL)
- CoCo 2.0 introduces a CoCo monitoring body, as required by GDPR
- CoCo 2.0 requires the SP to commit to SIRTFI, too
- Also Attribute Providers SPs can make use of the CoCo 2.0also for receiving attributes from Attribute Providers