
EUCS (European Cybersecurity Certification Scheme for Cloud Services)

Proposed pan-EU cybersecurity certification scheme for cloud services, intended to harmonize national approaches and define common assurance levels. Politically contested over sovereignty requirements; still in development in 2026.

## What EUCS actually is

EUCS — European Cybersecurity Certification Scheme for Cloud Services — is a proposed pan-EU certification framework being developed under the **EU Cybersecurity Act (2019)**. It is intended to provide a single, harmonized way for cloud providers to demonstrate cybersecurity assurance across the EU, replacing the current patchwork of national schemes ([Cloud de Confiance](/en/glossary/cloud-de-confiance/), [BSI C5](/en/glossary/bsi-c5/), Italian ACN, Spanish ENS, etc.).

EUCS is developed by **ENISA** (the EU Agency for Cybersecurity) in coordination with member states. As of early 2026, the scheme is **not yet finalized** — it has been politically contested since around 2022, primarily over how strictly its highest assurance level should require sovereignty.

## Proposed structure

EUCS defines **three assurance levels**:

### Basic

Self-assessment or conformity-assessment-body verification. Suitable for low-risk cloud services. Provider declares compliance against EUCS Basic criteria.

### Substantial

Third-party audit against more stringent controls. Roughly equivalent to ISO 27001 + 27017 baseline. Suitable for general business workloads.

### High

Most stringent. Third-party audit with continuous monitoring. Roughly the level needed for regulated workloads, public-sector sensitive data, and operators of essential services under [NIS2](/en/glossary/nis2/).

The political fight has primarily concerned what "High" should require in terms of sovereignty.

## The sovereignty controversy

The original draft (2022) of EUCS High included **sovereignty requirements** broadly similar to French SecNumCloud / Cloud de Confiance: the provider had to be structurally immune to non-EU law (notably US CLOUD Act and Chinese national-security obligations).

**France, Spain, Italy, and Germany** initially supported strong sovereignty criteria at the High level.

**Ireland, Netherlands, Sweden, Poland, and the Nordic countries** opposed them on the grounds that:

1. Sovereignty criteria are protectionist (deliberately exclude US hyperscalers)
2. Cybersecurity certification should be about *security*, not legal jurisdiction
3. Excluding hyperscalers reduces buyer choice

Multiple revised drafts have circulated. Some drafts dropped sovereignty entirely from High; others moved it to a separate optional layer; others retained softer versions. As of 2026, the scheme has not been adopted, and the sovereignty question remains the principal blocker.

## Why EUCS matters

### 1. Single EU market for cloud certification

If finalized, EUCS would replace national schemes with one Europe-wide qualification — substantial reduction in compliance overhead for cloud providers.

### 2. Default cybersecurity baseline under NIS2

NIS2's essential and important entities will increasingly look to EUCS as the canonical way to demonstrate cloud provider security. Until EUCS is finalized, they rely on national schemes.

### 3. The sovereignty debate is itself the story

The multi-year fight reveals EU cloud politics. Sovereignty advocates want regulatory tools to make hyperscaler exposure visible and choosable. Hyperscaler-friendly states want competitive markets without legal protectionism. The eventual outcome will shape the EU cloud landscape for a decade.

### 4. Spillover into other regulations

EUCS thinking is influencing the [Cyber Resilience Act](/en/glossary/cyber-resilience-act/), AI Act security provisions, and Data Act security requirements.

## Current status (as of 2026)

- **Multiple drafts circulated** since 2022
- **No final adoption**
- **National schemes continue** as the operative reality
- **Cloud de Confiance and BSI C5 retain primacy** in their respective markets
- **Ongoing political negotiation** at EU level

The scheme is not officially abandoned but progress has been slow.

## What EUCS finalization would mean in practice

### If High includes strong sovereignty

- Hyperscalers must operate via European-controlled joint ventures (S3NS / Bleu pattern) to meet High
- French-style sovereignty wraps become EU-wide expectation for regulated workloads
- Genuine European cloud providers (OVHcloud, Hetzner, Scaleway, Open Telekom Cloud) gain competitive advantage in High-classified procurement

### If High drops sovereignty

- Hyperscalers (AWS, Azure, Google) can directly qualify for High
- National sovereignty schemes (Cloud de Confiance) remain *more* stringent than EUCS High
- Buyers seeking sovereignty look beyond EUCS to national schemes

### If High requires sovereignty as optional layer

- Default High is achievable by hyperscalers
- "EUCS High + Sovereignty" becomes the marketed tier for sensitive workloads
- Compromise that nobody loves but everyone tolerates

The third outcome appears most likely as of 2026.

## EUCS vs related schemes

| Scheme | Scope | Sovereignty |
|--------|-------|-------------|
| EUCS (proposed) | Pan-EU cloud cyber | Contested |
| Cloud de Confiance | French sovereign cloud | Strict |
| BSI C5 | German cloud security baseline | Soft (documents exposure) |
| SOC 2 | International general | None |
| ISO 27001/27017/27018 | International cloud | None |

## Practical implications

For European tech buyers in 2026:

- **EUCS is not yet operative**; rely on national schemes
- **Watch the High-level sovereignty resolution** — it will signal where EU cloud is heading
- **Hyperscalers' EU cloud joint ventures** (S3NS, Bleu, Numspot) are betting on stringent sovereignty
- **For high-sensitivity workloads now**, use national schemes that already provide sovereignty (Cloud de Confiance)
- **For general workloads**, ISO 27001/27017 + C5 is the working baseline until EUCS lands

## What 2026-2027 brings

- **Continued political negotiation** at Council and Commission level
- **Possible finalization** of EUCS in 2026 or 2027
- **Member states preparing implementation** regardless of final form
- **Hyperscaler positioning** through European JV structures continues

EUCS remains the highest-stakes unresolved item in EU cloud regulation.