Briefly

EU sovereign cloud scheme could invite ‘forum shopping’

News · European Union · Euractiv · Briefly Analysis

Abstract

The European Union's proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS), designed to bolster digital sovereignty and harmonize cloud security standards, faces significant challenges, particularly concerning the potential for 'forum shopping'. While the EUCS aims to provide a unified framework for cloud service providers (CSPs) across three assurance levels, the removal of explicit sovereignty requirements in recent drafts has sparked fears that US cloud giants might cherry-pick national assessors in Member States with less stringent conditions. This could undermine the scheme's objective of enhancing security and fostering a truly sovereign European cloud ecosystem, creating market fragmentation and potentially lowering overall cybersecurity standards. The interplay with existing regulations such as the GDPR, NIS2 and the Data Act further complicates the landscape, necessitating a robust and harmonized approach to prevent regulatory arbitrage.

Introduction

The European Union has embarked on an ambitious journey to strengthen its digital sovereignty, a critical component of which is the establishment of a robust and harmonized cybersecurity framework for cloud services. At the heart of this initiative lies the European Cybersecurity Certification Scheme for Cloud Services (EUCS), developed under the EU Cybersecurity Act. Intended to standardize security requirements and foster trust in cloud offerings across the bloc, the EUCS is a pivotal instrument in the EU's broader digital strategy.

However, the path to a unified European cloud security standard is fraught with challenges. A key concern emerging from the ongoing development of the EUCS is the potential for 'forum shopping' by major cloud service providers, particularly those headquartered outside the EU. The recent removal of explicit sovereignty requirements, such as mandating EU headquarters or immunity from non-EU laws for the highest assurance levels, has raised fears that providers might seek certification in Member States perceived as having more lenient assessment criteria. This could inadvertently lead to a fragmentation of standards, undermine the EUCS's core objectives, and create an uneven playing field in the European cloud market.

This article delves into the intricacies of the EUCS, examining its objectives, the contentious debate surrounding sovereignty requirements, and the implications of 'forum shopping' for legal practitioners and the wider digital economy. It will also explore how the EUCS interacts with other foundational EU legal instruments like the General Data Protection Regulation (GDPR), the NIS2 Directive, and the Data Act, highlighting the complex regulatory environment cloud service providers must navigate.

Background

The concept of digital sovereignty has gained significant traction within the EU, driven by concerns over data protection, cybersecurity, and reliance on non-EU technology providers. This push is underpinned by several key legislative acts. The General Data Protection Regulation (GDPR), for instance, establishes stringent rules for the processing of personal data, emphasizing data sovereignty by ensuring EU residents' data is protected under EU law, irrespective of its storage or processing location. It also restricts cross-border data transfers to countries without adequate protection and limits foreign government access to EU data.

Complementing GDPR, the NIS2 Directive (Regulation (EU) 2022/2555), which replaced its predecessor in October 2024, significantly enhances cybersecurity risk management and incident reporting obligations for a broad range of 'essential' and 'important' entities, including cloud service providers. NIS2 grants Member States the power to mandate that these critical entities utilize cloud services certified under the EUCS, effectively making the voluntary scheme a de facto requirement for many. Furthermore, the Data Act (Regulation (EU) 2023/2854), applicable from September 2025, aims to foster competition and reduce vendor lock-in by facilitating switching between cloud service providers through the removal of technical and contractual barriers to data portability. It also introduces safeguards against international governmental access to non-personal data held within the EU.

The EUCS itself, developed by the European Union Agency for Cybersecurity (ENISA) under the EU Cybersecurity Act, is designed to provide a unified cybersecurity certification framework for cloud services across three assurance levels: basic, substantial, and high. The scheme's objective is to enhance trust in cloud services by defining a common set of security requirements and harmonizing standards, thereby avoiding fragmentation across Member States. However, the precise requirements for the highest assurance levels, particularly those related to 'sovereignty', have been a point of intense debate and revision.

Analysis

The core tension within the EUCS lies in reconciling the desire for a truly sovereign European cloud ecosystem with the practical realities of a globalized market dominated by non-EU providers. Early drafts of the EUCS included explicit 'sovereignty requirements' for the highest assurance level, such as mandating that CSPs be headquartered in the EU and immune from non-EU laws like the US CLOUD Act. The US CLOUD Act, which allows US authorities to compel US-based companies to provide data regardless of its storage location, directly conflicts with GDPR Article 48, creating a significant compliance dilemma for EU businesses using US cloud providers.

However, a March 2024 revision of the EUCS controversially removed these explicit sovereignty requirements, proposing instead to leave such matters to national regulators. This decision has been met with strong criticism from some European industry stakeholders and Member States, who argue that it risks fragmenting the market and undermining the very purpose of a unified certification framework. The fear is that this 'light-touch' mechanism could invite 'certification shopping,' where US cloud giants, or any CSP, might strategically seek certification in Member States with the least stringent or most lenient conditions. Such a scenario would not only distort competition but also effectively lower overall security standards across the EU, contradicting the scheme's original intent to enhance cybersecurity.

The European Commission's own Cloud Sovereignty Framework, launched as part of its strategic procurement efforts, introduces 'Sovereignty Effectiveness Assurance Levels (SEAL)' with explicit thresholds for data sovereignty, technological autonomy, and full sovereignty, indicating a continued commitment to these principles at the institutional level. This divergence between the Commission's procurement framework and the latest draft of the EUCS highlights the ongoing internal debate and the political nature of what was initially conceived as a technical certification. While US providers are actively developing 'European Sovereign Cloud' offerings, physically and logically isolated within the EU and operated by EU-resident staff, the fundamental jurisdictional conflict with laws like the CLOUD Act persists, even with these advanced technical and operational controls.

The interplay with other EU regulations further complicates the landscape. The Data Act's provisions on cloud switching and data portability, while aimed at reducing vendor lock-in, do not directly address the 'sovereignty' concerns related to foreign governmental access. Similarly, while NIS2 mandates robust cybersecurity measures and can make EUCS certification a requirement, it does not inherently resolve the jurisdictional challenges posed by non-EU laws. The absence of a clear, harmonized EU-wide stance on sovereignty within the EUCS could therefore lead to a patchwork of national requirements, making compliance more complex for CSPs and potentially less effective for users seeking true digital sovereignty.

Conclusion

The ongoing debate surrounding the EUCS and its sovereignty provisions underscores a critical juncture for Europe's digital future. For legal practitioners, the potential for 'forum shopping' presents a complex compliance challenge. Clients, particularly those operating in critical sectors or handling sensitive data, will need to carefully assess not only the technical security measures of their cloud providers but also the jurisdictional risks associated with their chosen certification body and the provider's ultimate legal domicile. The absence of a unified and robust sovereignty requirement within the EUCS could necessitate more granular contractual clauses and due diligence, potentially leading to increased legal costs and administrative burdens.

Practitioners should closely monitor the finalization of the EUCS and any subsequent national implementations, as the landscape remains fluid. The interplay between the EUCS, GDPR, NIS2, and the Data Act will continue to evolve, demanding a holistic approach to cloud governance and risk management. Advocating for clearer, harmonized sovereignty standards at the EU level remains crucial to prevent market fragmentation and ensure that the EU's digital sovereignty ambitions are fully realized, rather than undermined by regulatory loopholes. The ultimate success of the EUCS will hinge on its ability to provide unambiguous assurance against foreign legal interference, fostering genuine trust and resilience in the European cloud market.
