Updated June 26, 2026
Summary: The revised Cybersecurity Act (CSA2), proposed on 20 January 2026, unblocks the long-stalled EUCS cloud certification scheme and introduces binding sovereignty criteria that will reshape procurement decisions across regulated EU sectors. CISOs and compliance officers should map EUCS assurance levels to their NIS-2, DORA and GDPR obligations now, before the scheme becomes mandatory.

The EU Cybersecurity Certification Scheme for Cloud Services (EUCS) is the framework through which the European Union intends to create a common, independently verified standard for cloud security across its single market. After years of political deadlock over sovereignty language, the European Commission’s proposal for a revised Cybersecurity Act (CSA2), published on 20 January 2026, creates the legislative conditions under which EUCS can finally be adopted and gradually made binding for regulated sectors. For compliance officers, CISOs and procurement officers in government, finance, healthcare and legal services, the practical implications are immediate: the certification landscape governing which cloud providers you can justifiably rely on is about to change structurally.

What CSA2 Changes in the ENISA Certification Architecture

CSA2 expands ENISA’s mandate and introduces binding mechanisms that the original 2019 Cybersecurity Act deliberately left voluntary. The core change for cloud certification is that CSA2 enables the Commission to make specific assurance levels mandatory by sector or by category of service, through delegated acts, without requiring a separate piece of sectoral legislation for each.

For EUCS specifically, CSA2 resolves the deadlock that had prevented finalisation. The earlier draft EUCS High+ assurance level contained sovereignty criteria requiring providers to be immune from third-country law enforcement access orders, most visibly the US CLOUD Act and FISA Section 702. Non-EU cloud operators lobbied against these criteria, and the Commission temporarily shelved them. CSA2, combined with the companion Cloud and AI Data Act (CADA) proposal, reintroduces sovereignty requirements through a horizontal legislative basis, removing the objection that EUCS was overstepping its technical remit by embedding geopolitical conditions into a certification scheme.

CSA2 also formalises three permanent assurance levels: Basic, Substantial and High. A new fourth tier, High+, is expected to be adopted within the EUCS scheme itself and will govern the most sensitive public-sector and critical-infrastructure use cases. ENISA receives explicit authority to conduct ongoing supervision of accredited conformity assessment bodies, closing a gap where certified providers could allow their security posture to degrade between audit cycles.

Key change: Under CSA2, the Commission can mandate specific EUCS assurance levels for critical infrastructure operators and essential entities via delegated acts. What is voluntary today can therefore become obligatory for your sector within 18 to 24 months of scheme adoption.

The High-Risk Supplier Phase-Out Mechanism and Cloud Procurement

The high-risk supplier mechanism in CSA2 is currently specified with 5G network equipment in mind, mirroring tools already available under the EU Toolbox for 5G Cybersecurity. However, the legislative text is drafted with explicit extensibility: the Commission can apply equivalent phase-out logic to other ICT product and service categories, including cloud infrastructure, if ENISA’s risk assessments or Member State notifications establish a systemic risk.

For procurement officers in regulated entities, this creates a concrete decision framework. If a vendor cannot achieve EUCS High certification because its ownership or legal structure exposes it to foreign jurisdiction, that structural vulnerability may eventually trigger a phase-out designation. The prudent approach is to evaluate that risk now rather than during a mandated transition period under time pressure.

EUCS Assurance Level | Target Use Case | Key Sovereignty Requirement | Likely Sectoral Mandate
Basic | Low-sensitivity workloads | None specific | Not expected
Substantial | Standard enterprise data | GDPR adequacy and data location in EEA | Possible for mid-tier regulated entities
High | Sensitive personal and official data | Operational independence from non-EU law | Expected for NIS-2 essential entities
High+ | Critical infrastructure, classified or highly sensitive state data | Full legal immunity from third-country access orders | Expected for public sector, defence-adjacent, CNI

Mapping EUCS Assurance Levels to NIS-2, DORA and GDPR Obligations

The three central compliance frameworks for regulated European organisations each address cloud security from a different angle, but all converge on the same practical question: can you prove, to a supervisory authority, that your cloud provider applies security measures appropriate to the risk?

NIS-2 Article 21 requires essential and important entities to implement “appropriate and proportionate technical, operational and organisational measures” covering supply chain security, access control, encryption and incident handling. An EUCS High certificate from a cloud provider directly evidences that the provider has undergone independent conformity assessment against exactly these control categories, assessed at a level matching the threat environment that Article 21 contemplates for critical infrastructure.

DORA Article 30 mandates that financial entities include specific ICT security provisions in contracts with third-party ICT providers and maintain documented exit strategies. EUCS certification supports this in two ways: it provides the technical due-diligence baseline that Article 30 paragraph 2 requires, and it simplifies ongoing monitoring because the certification’s maintenance cycle aligns with DORA’s continuous oversight obligation. The European Banking Authority and the European Insurance and Occupational Pensions Authority have both signalled in their DORA guidance consultations that recognised certification schemes will be treated as strong presumptive evidence of compliance with contractual risk provisions.

GDPR Article 32 requires controllers and processors to implement measures ensuring a level of security appropriate to the risk, explicitly including encryption and confidentiality. Recital 81 and Article 28 together establish that demonstrating a processor’s reliability is part of the controller’s accountability obligation. An EUCS certificate, particularly at High level, is the strongest available instrument for discharging that demonstrability requirement because it reflects EU-law-aligned criteria audited by an ENISA-accredited body, not a self-assessment or a US-market standard applied by analogy.

“Certification is not a box-ticking exercise. It is the mechanism through which buyers in regulated sectors can systematically verify that a provider’s security claims hold up under independent scrutiny.” — ENISA, EUCS scheme documentation

Audit readiness: A single EUCS High certificate anchors the technical evidence layer for NIS-2, DORA and GDPR simultaneously. It does not replace contractual documentation or incident-response records, but it dramatically reduces the burden of explaining and defending your third-party risk assessment to supervisors.

The ENISA Entity Cyber Posture Scheme and Its Relation to ISO 27001 and SOC 2

CSA2 introduces a second new certification track alongside EUCS: a scheme assessing the “cyber posture of entities,” meaning organisations rather than products or services. This scheme is designed to give critical infrastructure operators and large regulated entities a standardised, EU-recognised attestation of their overall security maturity, distinct from product or service certification.

The relationship with existing frameworks matters practically. ISO 27001 is a management-system standard that assesses whether an organisation has implemented an information security management system meeting a defined process baseline. SOC 2 is a US audit framework assessing controls relevant to the Trust Services Criteria. Neither was designed with EU sovereignty criteria, NIS-2 Article 21 scope or ENISA governance in mind.

For sovereign hosting providers, including those operating under Swiss jurisdiction under the revised Federal Act on Data Protection (revFADP), the entity cyber posture scheme creates an opportunity to obtain an EU-recognised credential that supplements, or may eventually replace, the combination of ISO 27001 plus SOC 2 currently used to signal trustworthiness to European regulated buyers. Swiss-based providers that already demonstrate structural immunity from US extraterritorial orders are well positioned for this scheme, because its criteria are expected to mirror the EUCS High sovereignty conditions at the organisational level.

Conformity Assessment under CSA2 and the CRA September 2026 Deadline

CSA2 tightens the conformity assessment obligations for software vendors supplying regulated sectors. Providers targeting EUCS Substantial and High certification must undergo third-party assessment by an ENISA-accredited conformity assessment body; self-declaration, which is permitted at Basic level, is not available for the tiers that matter to regulated buyers.

This intersects with the Cyber Resilience Act (CRA), whose vulnerability reporting obligations take effect from September 2026. From that date, manufacturers of products with digital elements must notify ENISA of actively exploited vulnerabilities within 24 hours of becoming aware of them, and of severe incidents within the same window. For organisations deploying sovereign software stacks, including open-source workspace platforms, the practical implication is that vendors must have compliant disclosure pipelines and that internal patch deployment processes must be capable of responding within the CRA’s notification timeframe.

The IBM Cost of a Data Breach Report 2024 found that the average total cost of a data breach reached USD 4.88 million, the highest figure recorded in the report’s history. Eurostat’s 2023 ICT survey found that 46% of EU enterprises experienced at least one ICT security incident with significant consequences. ENISA’s 2023 Threat Landscape report identified cloud services as one of the top three targeted sectors, with supply-chain attacks rising 17% year-on-year. These figures collectively underscore why the conformity assessment and vulnerability disclosure architecture that CSA2 and the CRA together create is commercially as well as legally significant.

“The revised Cybersecurity Act will strengthen ENISA’s role and equip the EU with the tools it needs to address the evolving cyber threat landscape, including through certification schemes that reflect our strategic autonomy goals.” — European Commission, press statement accompanying the CSA2 proposal, January 2026

Practical Steps for CISOs and Procurement Officers Now

The EUCS scheme is not yet adopted and CSA2 is still in the legislative process. That does not mean preparation can wait. The sovereignty criteria expected in EUCS High and High+ already provide a usable evaluation framework today: assess whether your current cloud providers are structurally immune from CLOUD Act production orders, whether their conformity assessments use ENISA-accredited bodies, and whether their contracts support the exit-planning obligations that DORA Article 30 requires.

Where a provider cannot demonstrate structural immunity from third-country legal access, that gap should be documented in your ICT third-party risk register with a mitigation plan. Regulators conducting NIS-2 or DORA supervisory reviews will expect to see that the risk was identified and managed, not simply inherited without analysis. EUCS certification, once available, will be the most efficient way to close that gap with auditable evidence. Until adoption, the draft EUCS criteria published by ENISA for consultation provide the most precise available proxy for what the final scheme will require.

FAQ

Is EUCS certification already mandatory for cloud procurement in regulated sectors?

Not yet. EUCS remains a voluntary scheme under the original Cybersecurity Act. However, CSA2 creates the legislative basis for Member States and sectoral regulators, particularly under NIS-2 and DORA, to mandate specific assurance levels for critical infrastructure. Regulated buyers should treat compliance preparation as urgent rather than optional.

Does CSA2 require cloud providers to be EU-owned or EU-headquartered?

CSA2 does not impose a blanket ownership requirement, but the sovereignty criteria embedded in the EUCS High+ assurance level effectively demand that providers be immune from third-country legal orders such as the US CLOUD Act. This makes it structurally difficult for US-controlled entities to achieve the highest assurance tier without major corporate restructuring.

How does Swiss hosting fit into the EUCS framework?

EUCS is an EU scheme and does not automatically extend to Switzerland. However, a Swiss-hosted provider operating under the revised Federal Act on Data Protection and structurally independent from US-parent companies can demonstrate the same immunity from extraterritorial access laws that the EUCS High+ tier requires, making it a credible sovereign alternative when evaluated on equivalent criteria.

What is the September 2026 CRA deadline and why does it matter for sovereign software deployments?

From September 2026, the Cyber Resilience Act requires manufacturers of products with digital elements to report actively exploited vulnerabilities to ENISA within 24 hours. Sovereign software deployers must ensure their vendors have compliant disclosure processes and that internal patch workflows can respond within this window.

Can a single EUCS certificate simultaneously satisfy NIS-2 Article 21, DORA Article 30 and GDPR Article 32?

A single EUCS High or High+ certificate provides strong evidence for all three but does not automatically discharge every obligation. NIS-2 Article 21 requires risk-proportionate technical measures, DORA Article 30 demands contractual ICT risk clauses and exit planning, and GDPR Article 32 requires demonstrable appropriateness of measures. EUCS certification anchors the technical layer; contractual and operational documentation must accompany it.
