The EU Cybersecurity Act and What It Means for Cloud Vendors

Rotem Natan
Apr 30, 2026 | 11 Minutes

Key Takeaways

  • EUCS is Europe's answer to FedRAMP - a unified cybersecurity certification scheme for cloud services built by ENISA under the EU Cybersecurity Act, with three assurance levels (Basic, Substantial, High) recognized across all 27 member states.
  • It replaces a patchwork of national schemes like Germany's C5, France's SecNumCloud, and Spain's ENS, eliminating duplicate assessments for cloud vendors selling across the EU.
  • The "High" assurance level was politically contentious over sovereignty and immunity from non-EU legal access (the U.S. CLOUD Act). Recent drafts softened the requirements, but the legal eligibility criteria remain in flux.
  • EUCS sits inside a broader EU cybersecurity stack - alongside NIS2, DORA, and the Cyber Resilience Act - that has dramatically tightened the regulatory environment for any vendor selling software or services into Europe.
  • The engineering work is largely the same as FedRAMP - validated cryptography, hardened images, SBOMs in SPDX/CycloneDX, signed provenance, and documented continuous vulnerability management. The frameworks differ in language and politics, not in what engineers actually have to build.

If FedRAMP is the gateway to the U.S. federal cloud market, EUCS is shaping up to be its European counterpart - and the rules of entry are very different. For cloud vendors, software vendors, and any company that sells services into European public sector or critical infrastructure customers, understanding EUCS is no longer optional.

This post walks through what EUCS is, how it sits inside the broader EU cybersecurity legal framework, the controversies that have delayed its adoption, and what it ultimately means for engineering teams trying to ship into the European market.

What is EUCS?

EUCS stands for the European Cybersecurity Certification Scheme for Cloud Services. It is a voluntary (for now) certification scheme being developed by ENISA, the European Union Agency for Cybersecurity, under the authority of the EU Cybersecurity Act of 2019.

Think of it as Europe's structured answer to a question every regulator has been asking: how do we know a cloud service is actually secure? EUCS provides a standardized way to assess and certify cloud services against a common European baseline, replacing the patchwork of national schemes (Germany's C5, France's SecNumCloud, Spain's ENS) that has historically governed public sector cloud procurement. EUCS defines three assurance levels:

  • Basic - self-assessed, lightweight, suitable for low-risk use cases.
  • Substantial - third-party assessed, aligned roughly with what most large enterprises expect from their cloud providers today.
  • High - third-party assessed with rigorous security controls, intended for critical and sensitive workloads.

In structure, EUCS will feel familiar to anyone who has been through a SOC 2, ISO 27001, or FedRAMP assessment. It defines control objectives across categories like organization of information security, asset management, cryptography, physical security, operational security, communications, supplier management, and incident response. Cloud service providers that achieve certification can carry an EUCS mark recognized across all 27 EU member states - eliminating the need to repeat assessments for each national scheme.

The EU Cybersecurity Act: where EUCS comes from

The EU Cybersecurity Act, formally Regulation (EU) 2019/881, did two important things. First, it made ENISA a permanent EU agency with a clear mandate. Second, it established the European Cybersecurity Certification Framework - the legal scaffolding that lets the EU create cross-border, harmonized certification schemes for ICT products, services, and processes.

EUCS is the first major scheme being built under that framework, but it will not be the last. ENISA is also working on schemes for 5G networks, IoT devices, AI systems, and managed security services. Together they are intended to give European customers - public sector, regulated industries, and increasingly enterprises - a recognizable baseline of cybersecurity assurance, much the way the CE mark works for product safety.

The Cybersecurity Act sits alongside other recent European legislation that touches cloud and software security:

  • NIS2 Directive (2022) - expanded cybersecurity obligations for "essential" and "important" entities, with explicit incident reporting and supply chain security requirements.
  • DORA (Digital Operational Resilience Act, 2022) - financial sector cyber resilience and ICT third-party risk management.
  • Cyber Resilience Act (2024) - security requirements for products with digital elements, covering both hardware and software, with mandatory CE-style marking.

The cumulative effect: any company shipping software or services into Europe is now operating in a much more prescriptive cybersecurity regulatory environment than it was five years ago.

Where EUCS gets controversial: the sovereignty debate

EUCS has had a difficult adolescence. The original draft included sovereignty-style requirements at the High assurance level - most notably that a certified provider's data and operations had to be immune from non-EU legal access, which would have effectively excluded U.S. hyperscalers (AWS, Microsoft Azure, Google Cloud) under the U.S. CLOUD Act.

That triggered a transatlantic policy fight that the Cross-Border Data Forum has documented thoroughly in its analysis of EUCS and FedRAMP. The forum's piece is one of the better neutral comparisons of how the two schemes diverge - not just on technical controls, but on the deeper question of what "sovereignty" means in cloud security and how cybersecurity certification is being used as a tool of digital industrial policy.

Subsequent EUCS drafts softened the sovereignty requirements significantly, and the scheme has been through multiple iterations since. As of this writing, EUCS has not been formally adopted as a binding implementing act, though member states and ENISA continue to refine the text. For cloud vendors, this means the technical controls in EUCS are stable enough to plan against; the legal eligibility criteria for the High level remain in flux.

What EUCS means for software and cloud vendors

If you sell into the EU market, especially into public sector, regulated industries (finance, healthcare, energy), or any "essential entity" under NIS2, you should expect EUCS certification (or its national-scheme equivalents during the transition) to become a procurement gate within the next two to three years.

Practically, that means:

  • Your software supply chain needs to be traceable. SBOMs (in SPDX or CycloneDX) and signed provenance are not optional - they are required evidence for the Substantial and High levels.
  • Your container and VM images need to be hardened to a recognized baseline and configured to use validated cryptographic modules. The EU scheme accepts a range of standards, but FIPS-validated crypto is broadly accepted across schemes and remains the safest cross-jurisdiction choice.
  • Your vulnerability management has to be continuous and documented. EUCS, like FedRAMP, expects evidence of ongoing scanning, remediation SLAs, and a transparent record of unfixed vulnerabilities with justifications.
  • Your incident response has to satisfy NIS2 reporting timelines (24-hour early warning, 72-hour incident notification) - even if EUCS itself does not directly mandate them.

If that list looks familiar, it should. It is broadly the same list a FedRAMP authorization demands, with European labels.
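The evidence items in the list above (a machine-readable SBOM, per-component integrity data, and a disposition for every known vulnerability, with justifications for the ones left unfixed) can be checked mechanically before an assessor ever sees them. The script below is an added example written for this post, not Echo's code or any ENISA tooling. It assumes a CycloneDX 1.5 JSON document, uses a small constructed SBOM embedded inline, and applies a hypothetical evidence policy: every component needs a purl and a SHA-256 hash, every "not_affected" or "false_positive" disposition needs a CycloneDX justification, and every open finding needs a remediation note in `analysis.detail`. The vulnerability identifiers are constructed placeholders, not real CVEs.

```python
"""Audit-evidence checker for a CycloneDX SBOM with embedded vulnerability
dispositions. Added illustration for this post; not Echo's code and not any
official EUCS/ENISA tool. Assumptions: CycloneDX 1.5 JSON, and a hypothetical
policy that open findings carry a remediation note and that every
not_affected / false_positive disposition carries a justification."""

import json

# Constructed sample document. One component has no hash and one
# vulnerability is marked not_affected without a justification, so the
# checker has something to report. Vulnerability ids are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:deb/debian/zlib@1.3.1"},          # no hash -> finding
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",                      # placeholder id
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.13"}],
         "analysis": {"state": "not_affected"}},         # no justification
        {"id": "EXAMPLE-VULN-0002",
         "affects": [{"ref": "pkg:deb/debian/zlib@1.3.1"}],
         "analysis": {"state": "in_triage",
                      "detail": "Fix scheduled for next image rebuild"}},
        {"id": "EXAMPLE-VULN-0003",
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.13"}],
         "analysis": {"state": "resolved"}},
    ],
})

# CycloneDX analysis states grouped by how the evidence policy treats them.
RESOLVED = {"resolved", "resolved_with_pedigree"}
NOT_AFFECTED = {"not_affected", "false_positive"}
OPEN = {"exploitable", "in_triage"}


def check_sbom_evidence(sbom_json: str) -> dict:
    """Return a summary of evidence gaps in a CycloneDX SBOM.

    `findings` lists each policy violation in document order;
    `evidence_complete` is True only when there are none."""
    doc = json.loads(sbom_json)
    findings = []

    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        findings.append("document is not a CycloneDX BOM")

    # Supply-chain traceability: every component must be identifiable (purl)
    # and integrity-checkable (SHA-256 hash).
    components = doc.get("components", [])
    for comp in components:
        label = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("purl"):
            findings.append(f"component {label}: missing purl")
        if not any(h.get("alg") == "SHA-256" for h in comp.get("hashes", [])):
            findings.append(f"component {label}: no SHA-256 hash")

    # Vulnerability management: every known vulnerability needs a recorded
    # disposition, and unfixed ones need a justification or remediation note.
    open_count = 0
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis", {})
        state = analysis.get("state")
        if state in RESOLVED:
            continue
        if state in NOT_AFFECTED:
            if not analysis.get("justification"):
                findings.append(f"{vid}: {state} without justification")
        elif state in OPEN:
            open_count += 1
            if not analysis.get("detail"):
                findings.append(f"{vid}: open finding without remediation note")
        else:
            findings.append(f"{vid}: no disposition recorded")

    return {
        "components": len(components),
        "open_vulnerabilities": open_count,
        "findings": findings,
        "evidence_complete": not findings,
    }


if __name__ == "__main__":
    report = check_sbom_evidence(SAMPLE_SBOM)
    for line in report["findings"]:
        print("GAP:", line)
    print("evidence complete:", report["evidence_complete"])
```

Run against the constructed sample, the checker reports two gaps (the unhashed zlib component and the unjustified not_affected disposition) and one open finding that is acceptable because it carries a remediation note. Wiring a check like this into the image build pipeline is how "documented continuous vulnerability management" becomes something that fails a build rather than a spreadsheet assembled before the audit.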

Where Echo fits

Most of the work of meeting EUCS - and FedRAMP, and SecNumCloud, and C5 - happens at the same place: the container image. That is where cryptographic modules live, where hardening configurations land, where unpatched CVEs accumulate, and where SBOM and provenance evidence either exists or does not.

Echo ships pre-hardened, FIPS-validated, STIG-compliant container images with continuous CVE management, signed provenance, and SBOMs in both SPDX and CycloneDX. The result is the same on either side of the Atlantic: engineers spend their time on product instead of plumbing, and audit evidence is produced automatically rather than scrambled together at the last minute.

Whether you are pursuing FedRAMP, EUCS, or both in parallel, the engineering foundation is the same. Echo gives you that foundation pre-built.

FAQ

What is EUCS and who needs to care about it? EUCS is the European Cybersecurity Certification Scheme for Cloud Services, developed by ENISA under the EU Cybersecurity Act. It creates a single certification recognized across all 27 EU member states. Any cloud or software vendor selling into European public sector, regulated industries, or critical infrastructure should expect EUCS to become a procurement requirement within the next two to three years.

How does EUCS compare to FedRAMP? The two schemes are structurally similar - both require validated cryptography, hardened configurations, continuous vulnerability management, and auditable evidence. The key differences are political, not technical: EUCS is built around European sovereignty concerns and maps to EU-specific legislation like NIS2 and DORA, while FedRAMP is anchored in NIST SP 800-53. Engineers building for one are largely building for both.

What are the three EUCS assurance levels? EUCS defines Basic (self-assessed, low-risk use cases), Substantial (third-party assessed, aligned with standard enterprise expectations), and High (rigorous third-party assessment for critical and sensitive workloads). Substantial and High are the levels relevant to most vendors targeting public sector or regulated industry customers, and both require SBOMs, signed provenance, and documented vulnerability management.

Why has EUCS taken so long to be formally adopted? The High assurance level originally included sovereignty requirements that would have effectively excluded U.S. hyperscalers operating under the CLOUD Act, triggering a significant transatlantic policy dispute. Subsequent drafts softened those requirements, but the legal eligibility criteria for the High level remain unresolved. The technical controls are stable enough to build against; the political framework is still being finalized.

How does Echo help vendors prepare for EUCS certification? Echo ships pre-hardened, FIPS-validated container images with continuous CVE management, signed provenance, and SBOMs in both SPDX and CycloneDX - the core evidence requirements at the Substantial and High assurance levels. Whether teams are pursuing EUCS, FedRAMP, or both simultaneously, Echo provides the same compliant engineering foundation, eliminating the manual plumbing that typically consumes the most pre-audit time.
