The EU Cybersecurity Certification Scheme for Cloud Services (EUCS), developed by ENISA under the Cybersecurity Act, will introduce tiered assurance levels for cloud providers operating in Europe. The scheme's most contentious element — a "High+" sovereignty tier requiring EU ownership and operational control — has sparked intense transatlantic debate over market access and digital autonomy.
The EUCS is being developed under the framework established by the Cybersecurity Act (Regulation (EU) 2019/881), which entered into force on 27 June 2019. The Act gave the European Union Agency for Cybersecurity (ENISA) a permanent mandate and created a European cybersecurity certification framework enabling the development of EU-wide certification schemes for ICT products, services, and processes. Cloud services were identified as a priority area from the outset.
ENISA began drafting the EUCS in 2020, working with an ad hoc working group comprising national cybersecurity authorities, cloud providers, and industry stakeholders. The scheme was designed to replace the patchwork of national cloud certification programmes — such as Germany's C5 (Cloud Computing Compliance Criteria Catalogue) maintained by the BSI, and France's SecNumCloud operated by ANSSI — with a harmonised EU-level scheme. The goal was to create a single certification that could be recognised across all 27 Member States, reducing compliance costs for providers and increasing trust for procurers.
The draft scheme defines three assurance levels aligned with the Cybersecurity Act's framework: Basic, Substantial, and High. Each level imposes progressively stricter requirements for security controls, risk management, vulnerability handling, and incident reporting. The controversy, however, centred on what was initially called "High+" — a supplementary tier that added sovereignty requirements beyond pure cybersecurity.
The proposed sovereignty requirements under the "High+" tier would have required cloud service providers seeking the highest certification level to have their headquarters and global headquarters within the EU/EEA, with no entity outside the EU capable of exercising effective control over the provider. Data processing and storage would have to occur exclusively within EU territory, and the provider would need to be immune from non-EU jurisdictions, a criterion clearly aimed at the US CLOUD Act (H.R.4943) and similar extraterritorial data-access laws.
This ignited a fierce policy debate. France, backed by Italy and Spain, argued that sovereignty requirements were essential for protecting Europe's most sensitive public-sector workloads — defence, intelligence, critical infrastructure, and citizen identity systems — from foreign government access demands. They pointed to France's own SecNumCloud 3.2 qualification, which since 2022 has required that certified providers be majority-owned by EU entities and subject exclusively to EU law, as proof that such requirements were both workable and necessary.
On the other side, the United States government lobbied aggressively against the sovereignty tier. In a widely reported diplomatic push, US officials warned that excluding American hyperscalers (AWS, Microsoft Azure, Google Cloud) from high-assurance government contracts would harm transatlantic relations and reduce the security of European workloads by locking them into less mature platforms. The Netherlands, Sweden, and Ireland also pushed back, arguing that sovereignty requirements were protectionist rather than security-driven and would increase costs for public-sector cloud adoption.
In March 2024, ENISA published its final candidate scheme with the sovereignty requirements removed from the "High" level. Instead, the scheme left sovereignty considerations to individual Member States, which may impose additional national requirements for the most sensitive use cases. This compromise satisfied neither camp fully: sovereignty advocates viewed it as a capitulation to US pressure, while opponents feared a fragmented landscape of national sovereignty add-ons.
Regardless of where the EUCS lands in its final adopted form, the scheme will profoundly reshape European public-sector cloud procurement. Under the current landscape, government buyers navigate a patchwork of national certifications. A provider certified under Germany's C5 must separately obtain France's SecNumCloud qualification to compete in French government tenders. The EUCS's core promise is mutual recognition: a single certification valid across the internal market.
For hyperscale providers, the stakes are enormous. European public-sector cloud spending is projected to exceed €15 billion annually by 2027, according to estimates from IDC and the European Commission's cloud strategy communications. If the EUCS "High" level becomes a prerequisite for government contracts — as many Member States are expected to mandate — providers will need to invest significantly in conformity assessment processes. Major US providers have already begun preparing: Microsoft announced its "EU Data Boundary" initiative, Google launched Sovereign Controls with T-Systems, and AWS introduced the AWS European Sovereign Cloud based in Germany.
For European cloud providers — OVHcloud, Deutsche Telekom/T-Systems, Ionos, Scaleway, and others — the EUCS represents both an opportunity and a challenge. A sovereignty tier would give them a protected market segment for the most sensitive workloads. Without it, they must compete on features and scale against hyperscalers with far larger R&D budgets. Industry bodies like CIGREF in France and the European Cloud Alliance have been vocal advocates for maintaining strong sovereignty provisions.
The EUCS does not exist in isolation. It forms part of a broader EU cybersecurity regulatory architecture that includes the NIS2 Directive (Directive (EU) 2022/2555), applicable since 18 October 2024, and the Cyber Resilience Act (Regulation (EU) 2024/2847), which entered into force on 10 December 2024.
Under NIS2, cloud computing is classified as an essential service, meaning cloud providers fall within the Directive's scope and are subject to cybersecurity risk-management obligations, incident reporting requirements, and supervisory oversight. Member States may use EUCS certifications as a mechanism for demonstrating compliance with NIS2 security requirements — creating a powerful incentive for providers to obtain certification even before it becomes formally mandatory.
The Cyber Resilience Act focuses on products with digital elements but will interact with cloud certifications insofar as cloud-connected hardware and software must meet baseline security requirements throughout their lifecycle. Together, these three instruments — EUCS, NIS2, and the CRA — create a comprehensive compliance framework. For cloud providers operating in Europe, understanding how these regimes interact will be essential for both market access and regulatory risk management. The European Commission is expected to adopt the EUCS as an implementing act during 2025, at which point the scheme will move from draft to operational reality.
The EUCS is a pan-European cybersecurity certification scheme for cloud services developed by ENISA under the Cybersecurity Act. It defines three assurance levels (Basic, Substantial, High) and will replace the current patchwork of national certifications like Germany's C5 and France's SecNumCloud with a single EU-wide standard.
The final candidate scheme published in March 2024 removed the proposed sovereignty requirements that would have required EU ownership. However, individual Member States may impose additional national sovereignty requirements for their most sensitive government workloads.
SecNumCloud is France's national cloud security qualification operated by ANSSI. Version 3.2 requires certified providers to be majority EU-owned and subject exclusively to EU law, effectively excluding US hyperscalers from the most sensitive French government contracts.