European Cybersecurity certification scheme for Cloud Services and compatibility with EU regulations – what is missing?

Executive summary

The latest EUCS draft version from ENISA (V1.0.413, March 2024) is currently on hold for multiple reasons, and no feedback has been provided about a “High+” level, which is apparently no longer included in the latest draft version. [see strengthening-cloud-security-and-safeguarding-digital-autonomy]

A EUCS “High+” level is missing. It is needed to support compatibility with existing European regulations (GDPR, Data Act, NIS2) and to establish, through a European certification, sovereign usage of cloud infrastructures.

The TS18026 technical standard, “Three-level approach for a set of cybersecurity requirements for cloud services”, was written to provide organizational and technical security requirements for cloud services. It is supposed to be used as the technical backbone of the EUCS document. We therefore highlight below some very interesting requirements in TS18026 that can support the definition of a EUCS “High+” level, along with an appropriate scope of usage, for better alignment with EU regulations.
