Updated July 2, 2026
Summary: The EUCS candidate scheme establishes Basic, Substantial and High assurance levels but lacks binding sovereignty controls, leaving sensitive government and regulated-sector workloads potentially subject to foreign jurisdiction. The SEAL framework translates digital sovereignty into measurable procurement criteria that CISOs can apply today.

The EUCS (European Cybersecurity Certification Scheme for Cloud Services) is the EU-wide framework, developed by ENISA under the EU Cybersecurity Act (CSA), that defines common security requirements for cloud services across three assurance levels. It is designed to replace a fragmented landscape of national cloud certifications with a single, mutually recognised standard. Whether it actually delivers digital sovereignty, however, depends on which version of the scheme is adopted and whether binding sovereignty controls are included.

The Three EUCS Assurance Levels and What They Actually Require

Each of the three levels targets a different risk profile and imposes a progressively stricter set of controls. Understanding what each level requires, and crucially what it omits, is the starting point for any procurement decision involving sensitive workloads.

Basic

The Basic level is intended for low-risk, non-sensitive workloads. Conformity is assessed through self-declaration by the cloud service provider (CSP). There are no requirements for third-party audits, no data localisation obligations and no controls relating to the legal jurisdiction of the provider or its parent company. It covers fundamental hygiene controls such as asset management, vulnerability handling and incident logging, but offers no assurance that data is shielded from access by non-EU authorities.

Substantial

The Substantial level requires an independent conformity assessment by an accredited body. Controls become more granular: they include access management, cryptographic protections, supply chain requirements and continuous monitoring. However, Substantial still does not mandate EU data residency, nor does it require that the CSP or its controlling entities be free from non-EU legal obligations such as the US CLOUD Act or FISA 702. A provider that stores data in EU data centres but is ultimately owned by a US corporation can, in principle, obtain Substantial certification.

High

The High level demands the most rigorous technical and organisational controls, including penetration testing, strict separation of duties, hardware security modules for key management and formal incident response procedures. Third-party assessment is mandatory. Even so, in the current draft of the EUCS candidate scheme, the High level does not include binding requirements that the CSP be legally immune from non-EU government access orders, that its ownership chain be free from non-EU controlling interests, or that encryption keys be held exclusively by EU-based entities without any exposure to foreign legal process.

Key gap: A cloud provider subject to the US CLOUD Act can, under the current EUCS High draft, obtain High-level certification. This means the certification mark does not, by itself, guarantee that a foreign government cannot compel disclosure of data stored under that provider’s infrastructure.

Why Member States Have Demanded an Explicit Sovereignty Tier

France, Germany, the Netherlands and several other member states have formally argued that the absence of explicit sovereignty controls in the EUCS High level creates structural risks that technical security controls alone cannot mitigate.

The core argument is legal, not technical. Even if a US-owned hyperscaler operates physically compliant European data centres and passes every EUCS High technical control, the provider remains subject to the extraterritorial reach of US law. Under 50 U.S.C. Section 1881a (FISA 702) and the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018), US authorities can compel disclosure of data held by US-controlled entities regardless of where the data physically resides. The European Court of Justice underscored this exposure in its Schrems II ruling (Case C-311/18, July 2020), which invalidated the Privacy Shield framework precisely because US surveillance law did not offer equivalent protection to EU data subjects.

The structural risk this leaves unaddressed is procurement-level false assurance. If a public authority selects a provider on the basis of EUCS High certification and assumes that certification implies sovereignty, it may have misclassified its legal exposure. For healthcare records, classified government communications, legal professional privilege material and systemically important financial data, this is not a theoretical risk: it is an active compliance gap under GDPR Article 44 (transfers to third countries) and potentially under NIS-2 Article 21 (risk management measures).

According to ENISA’s Threat Landscape 2023, public administration accounted for 19% of all cyber incidents recorded across EU member states, making it the single most targeted sector. The combination of high targeting and potential sovereign exposure creates a compounded risk that neither EUCS High technical controls nor existing GDPR compliance programmes fully neutralise.

The French National Cybersecurity Agency (ANSSI), a key contributor to the EUCS drafting process, has stated: “A cloud certification scheme that does not address jurisdiction and immunity from third-country laws provides incomplete assurance for the protection of sensitive public data.” Germany’s BSI has taken a comparable position, and both agencies have pushed within the European Cybersecurity Certification Group (ECCG) for a dedicated sovereignty tier above the current High level.

The SEAL Framework: Translating Sovereignty into Procurement Criteria

The Sovereignty Effectiveness Assurance Levels (SEAL) framework, developed at European Commission level, is the most concrete attempt to operationalise digital sovereignty as a set of verifiable procurement criteria rather than a policy aspiration.

SEAL does not replace the EUCS assurance levels. It is designed to complement them by specifying additional sovereignty effectiveness criteria that procurement officers can require alongside or on top of EUCS certification. Its core criteria cluster around four dimensions:

| SEAL Dimension | What It Requires | Why It Matters |
| --- | --- | --- |
| Legal immunity | The CSP and its entire ownership chain must be free from non-EU legal orders that could compel data disclosure | Neutralises CLOUD Act and FISA 702 exposure |
| Ownership and control | No controlling interest held by non-EU entities; EU-incorporated legal persons in the chain | Prevents indirect foreign jurisdiction via corporate structure |
| Data localisation and key custody | Data processed and stored within the EU; encryption keys held solely by EU-based entities | Prevents technical access even if legal compulsion is attempted |
| Operational independence | No dependency on non-EU-controlled software, hardware or support that could create a back-channel | Addresses supply chain sovereignty gaps |

SEAL transforms these dimensions into scoreable criteria that a procurement officer can verify against a provider’s corporate structure, contractual terms and technical architecture. This matters because it bridges the gap between policy intent and procurement practice: a CISO can use SEAL criteria as a checklist during due diligence rather than relying on a certification mark that does not, in its current form, certify sovereignty.

A related legislative proposal, the Cloud and AI Development Act (proposed), is intended to create a broader framework for European cloud and AI infrastructure development, including provisions that would align with SEAL-type sovereignty requirements. This proposal remains under discussion but signals the direction of EU policy on cloud sovereignty beyond pure certification.

Using EUCS Levels in Practice: A CISO and Procurement Officer’s Evaluation Framework

For regulated-sector decision-makers, the EUCS assurance levels provide a useful starting filter but must be supplemented with additional due diligence for sensitive workloads.

The ECCG has noted that “the absence of sovereignty requirements in the EUCS High level would mean that European sensitive data could still be legally accessed by non-EU authorities, undermining the very purpose of the certification scheme.” This means CISOs should not treat EUCS High as a sovereignty guarantee without independently verifying the provider’s corporate structure and legal exposure.

A practical evaluation sequence looks as follows. First, map the workload’s data classification: does it involve personal data under GDPR, critical infrastructure data under NIS-2, or financial data under DORA? Second, determine the minimum EUCS level that corresponds to that classification. Third, apply SEAL criteria to any provider that achieves EUCS Substantial or High, to verify that technical certification is not undermined by legal jurisdiction. Fourth, review the provider’s contractual terms for audit rights, incident notification timelines consistent with NIS-2 Article 23 (72-hour reporting), and the right to change sub-processors, which GDPR Article 28 requires.

Procurement note: For workloads classified as sensitive under national security frameworks or as critical under NIS-2, requiring EUCS High certification plus full SEAL compliance provides a documentable, audit-ready basis for the procurement decision. It also creates a defensible record for supervisory authorities under GDPR Article 5(2) accountability obligations.

The average cost of a data breach reached USD 4.45 million per incident globally in 2023 (IBM Cost of a Data Breach Report 2023). For regulated entities, the actual cost is higher when supervisory fines, mandatory notification costs and reputational damage are included. Procurement decisions that prioritise lowest-cost cloud over sovereign assurance create a cost-risk trade-off that is rarely made explicit in budget discussions but is material to financial exposure.

EUCS, NIS-2, DORA and the EU Cybersecurity Act: How the Frameworks Interlock

The EUCS sits within the broader EU Cybersecurity Act (CSA), specifically under CSA Article 48, which empowers the European Commission to request that ENISA prepare candidate certification schemes. Once adopted, a scheme under Article 49 CSA can be referenced in sectoral legislation, creating binding procurement obligations.

NIS-2 (Directive 2022/2555) requires essential and important entities to implement risk management measures for their ICT environment, including cloud services. Article 21 NIS-2 explicitly covers supply chain security and access controls. EUCS certification provides a structured way to demonstrate that a cloud provider meets these obligations, but it does not substitute for a jurisdiction risk assessment where non-EU legal exposure is a factor.

DORA (Regulation 2022/2554) imposes ICT risk management requirements on financial sector entities and their critical ICT third-party providers. Article 28 DORA requires that contracts with ICT providers for critical or important functions include provisions for full audit access, data portability and exit strategies. EUCS High certification is a relevant indicator of a provider’s security posture under DORA, but DORA’s concentration risk provisions (Article 29) also require entities to assess whether reliance on a single non-EU-controlled hyperscaler creates systemic exposure, precisely the scenario that SEAL criteria are designed to surface.

European public sector cloud spending was projected to exceed EUR 14 billion by 2025 (European Commission cloud policy documents, 2022). At that scale, procurement decisions that embed EUCS and SEAL requirements into standard contract templates have a material effect on which providers can compete for public-sector business, creating a market incentive for sovereignty-compliant cloud infrastructure that regulation alone cannot generate.

FAQ

Is EUCS certification currently mandatory for EU government cloud procurement?

No. As of 2024, the EUCS remains a candidate scheme under development. However, once adopted under the EU Cybersecurity Act, member states and the European Commission may reference it in procurement requirements. Several national frameworks already anticipate its structure.

Does achieving EUCS High level certification mean a provider is immune from the US CLOUD Act?

Not automatically. The current draft of the EUCS High level does not contain binding sovereignty controls that would prevent a US-owned or US-controlled provider from being subject to the CLOUD Act. This is precisely the gap that France, Germany and other member states have flagged, and which the SEAL framework is designed to address.

What is the difference between EUCS High and a full sovereignty tier?

EUCS High focuses on technical and organisational security controls, including penetration testing, incident response and cryptographic requirements. A sovereignty tier would add legal and structural requirements: EU-based legal entities, no controlling interest by non-EU companies, immunity from non-EU legal orders, and data localisation obligations that extend to key custody.

How does SEAL relate to the EUCS formally?

SEAL is a framework proposed at European Commission level to complement EUCS by specifying sovereignty effectiveness criteria. It is not itself a certification level within the EUCS scheme but provides measurable criteria that procurement officers can use when the EUCS High level alone is insufficient for sensitive workloads.

Can a provider certified at EUCS Substantial level be used for DORA-regulated workloads?

Potentially, depending on the criticality classification of the ICT service. DORA requires financial entities to assess concentration risk and ensure that ICT third-party providers meet security standards commensurate with the criticality of the supported function. For critical or important functions, EUCS High or an equivalent national certification is more appropriate, and sovereignty controls should be separately verified using SEAL or equivalent criteria.
