After years of negotiations and heated debate, the European Union Agency for Cybersecurity (ENISA) has published the final version of the EU Cybersecurity Certification Scheme for Cloud Services (EUCS). The scheme establishes a Europe-wide standard for evaluating the security of cloud service providers, with three assurance levels that progressively increase in stringency.
The most significant aspect of the scheme is its highest tier — "High+" — which requires that cloud providers be headquartered in the EU, that all data processing occurs within EU borders, and that the provider is immune from non-EU government access requests. This effectively creates a premium tier that only European-owned cloud providers can achieve.
The Three EUCS Assurance Levels
| Level | Requirements | Suitable For |
|---|---|---|
| Basic | Standard security practices, annual audits | General commercial use |
| Substantial | Enhanced security, independent assessment, incident response | Business-critical workloads |
| High+ | EU headquarters, EU data processing, immunity from non-EU access, continuous monitoring | Government, healthcare, critical infrastructure |
Why This Matters
The EUCS has been one of the most contested pieces of EU tech policy in recent years. US tech companies — particularly Amazon Web Services, Microsoft Azure, and Google Cloud — lobbied intensively to remove the sovereignty requirements from the highest tier, arguing they were protectionist measures disguised as security standards.
The final version retains the sovereignty requirements, meaning that for the most sensitive European workloads — government data, healthcare records, critical infrastructure — only European-owned cloud providers can achieve the highest certification level.
Several European cloud providers are expected to be among the first to receive High+ certification, including Hetzner (Germany), Scaleway (France), OVHcloud (France), and IONOS (Germany).
Winners: European Cloud Providers
The EUCS is expected to accelerate the growth of European cloud companies, which have long struggled to compete with the massive scale and marketing budgets of US hyperscalers. Key beneficiaries include:
- Hetzner: Germany's largest independent cloud provider, known for competitive pricing and strong privacy practices
- Scaleway: French cloud provider owned by Iliad Group, operating sovereign data centres across Europe
- OVHcloud: Europe's largest cloud provider, headquartered in France with data centres in multiple EU countries
- IONOS: German cloud provider backed by United Internet, strong in managed hosting and cloud infrastructure
- Fuga Cloud: Dutch cloud provider focused on open standards and data sovereignty
Impact on Businesses
For Public Sector
EU member states will be required to use EUCS-certified cloud services for government workloads within 24 months. For sensitive data categories, only High+ certified providers will be acceptable. This creates a clear compliance pathway that favours European providers.
For Private Sector
While the EUCS is not mandatory for private businesses, it is expected to become a de facto standard for procurement decisions, particularly for companies in regulated industries like finance, healthcare, and energy. Companies processing personal data of EU citizens may also find that using EUCS-certified providers simplifies their GDPR compliance.
For US Cloud Providers
AWS, Azure, and Google Cloud can still achieve "Basic" and "Substantial" certification levels, which will be sufficient for most commercial workloads. However, they are excluded from the lucrative government and critical infrastructure market at the High+ tier — unless they create structurally separate EU-based entities.
"The EUCS is not about excluding anyone from the European market. It is about ensuring that Europeans have a genuine choice when it comes to cloud computing, and that the most sensitive data is processed under European jurisdiction." — ENISA Executive Director Juhan Lepassaar