TL;DR
- EUCS is a candidate cybersecurity certification scheme under the EU Cybersecurity Act, drafted by ENISA to provide harmonised cloud-services certification across the EU.
- It defines three assurance levels — Basic, Substantial, and High — broadly tracking risk appetite and required evidence depth.
- It is intended to replace the patchwork of national schemes (SecNumCloud in France, C5 in Germany, ENS in Spain) for cross-border cloud procurement.
- Adoption is still in progress as of 2026; the sovereignty requirements at the High level remain politically contested.
What EUCS Is
EUCS — the European Cybersecurity Certification Scheme for Cloud Services — is being developed by ENISA, the EU Agency for Cybersecurity, under the framework of the Cybersecurity Act (Regulation (EU) 2019/881). The intent is to give EU buyers a single, harmonised way to assess cloud-service security across the bloc, replacing the patchwork of national schemes that grew up before the Cybersecurity Act.
The scheme has been through several public-consultation drafts. The text is broadly stable on technical control catalogues, but the political question — whether the High level should include data-sovereignty and immunity-from-foreign-law requirements — has been the subject of debate among member states.
The Three Assurance Levels
| Level | Risk profile | Assessment intensity |
|---|---|---|
| Basic | Workloads with low risk of compromise impact. | Self-assessment with limited documentary evidence. |
| Substantial | Typical business workloads handling commercial or moderately sensitive data. | Third-party audit, with on-site checks and penetration testing. |
| High | Workloads where compromise would have a significant impact on essential services or sensitive data. | Third-party audit, deeper technical evaluation, ongoing monitoring; potentially with sovereignty requirements. |
Sovereignty at the High Level
The most contentious element of EUCS has been whether the High assurance level should require sovereignty controls — meaning a cloud service eligible for the High mark would need to be operated by an entity not subject to foreign extraterritorial law (notably the US CLOUD Act).
France and a bloc of like-minded member states have pushed for explicit sovereignty requirements. Germany, the Netherlands and a number of others have pushed back, arguing it would exclude major hyperscalers and slow innovation.
Treat the final form of the High level as unsettled until ENISA publishes the adopted scheme. UK-headquartered cloud providers selling into the EU should track this closely — sovereignty requirements at High would be both a constraint and a market opportunity.
Control Catalogue
EUCS draws heavily on existing frameworks. Its control catalogue maps closely to ISO 27001 + 27017 + 27018, the German BSI C5, and the French SecNumCloud reference catalogue, with additions for incident notification (aligned with NIS2) and supply-chain risk.
Practically, a cloud provider holding ISO 27001 + 27017 + 27018, with C5 or SecNumCloud experience, will already have most of the evidence needed for the Substantial level.
Relationship to National Schemes
- C5 (Germany) — comparable to Substantial; expected to be subsumed once EUCS is adopted.
- SecNumCloud (France) — comparable to High with sovereignty requirements; France has stated it will retain national requirements above EUCS High if needed.
- ENS (Spain) — used for public-sector procurement; will likely co-exist with EUCS Basic/Substantial.
- NCSC Cloud Security Principles (UK) — outside EUCS scope post-Brexit, but technically interoperable.
When to Care
If you sell cloud services into EU public sector or EU regulated industries, EUCS will eventually be the entry ticket. Until adoption is finalised, the practical path is to maintain ISO 27001 + 27017 + 27018 with an active C5 or SecNumCloud equivalent, and to track ENISA publications. Cross-border buyers may begin to ask for 'EUCS Substantial-equivalent' evidence in tenders before the scheme is formally adopted.
Where Yobitel Sits
Yobitel's EU-region cloud services are designed to be EUCS-Substantial-ready: ISO 27001 + 27017 + 27018 certified, with C5-aligned controls and EU data residency. For customers requiring the High level with sovereignty controls, Yobitel partners with Gaia-X-aligned providers to deliver sovereign-by-design deployments.