Support the Joint Letter

Urgent Call to Action:
Inclusion of High+
criteria in EUCS


Executive summary


The letter below calls on Member States, ECCG experts and the European Commission to include High+ criteria in the EUCS scheme or, at the very least, to freeze all EUCS discussions until an adequate alternative solution is found.
We invite all like-minded companies and organisations to support the joint letter.

The Letter


Putting EU Digital Sovereignty and Single Market to the test:
A Voluntary EUCS High+ is crucial for Competitiveness, Sovereignty and Digital Leadership

Cloud is the backbone of the digital economy and a key driver to boost European organizations’ digital transformation and, consequently, their competitiveness. To achieve this and encompass new digital evolutions and use cases, in particular AI, European users must have the assurance that these evolutions are not happening without a suitable level of protection of data, including the most sensitive ones. This must be done at EU level to avoid Single Market fragmentation. With the new Commission in place and its clear commitment to digital sovereignty, discussions on the European Cloud Services Cybersecurity Certification Scheme (EUCS) should more than ever proceed with the inclusion of High+ criteria.

This would be fully consistent with the Draghi report, which has for instance recommended the adoption of a single EU wide policy for the procurement of cloud services by public administrations, including data residency requirements and requiring at a minimum EU sovereign control of key elements for security and encryption. This recommendation has also been reflected in the Mission Letter to the Executive Vice-President for Tech Sovereignty, Security and Democracy.

We, as cloud users and providers, representatives from various European countries, economic sectors and all sizes of companies, strongly support the inclusion of High+ criteria in the EUCS, for the following reasons:

  • Ensuring adequate data protection. Such criteria would provide an EU-wide standard allowing users to have transparency, choice, and the necessary protection for their most sensitive data against access or operational disruption resulting from non-EU extraterritorial laws.

  • Guaranteeing freedom of choice. A voluntary High+ EUCS would in no way exclude non-European providers, but simply offer an alternative to European cloud users. Users would retain the freedom to opt for such a level or not: this is about enabling user choice, not about restricting it. Public and private users would be able to opt for High+ for particularly sensitive data while selecting other levels for the rest. We fully support the voluntary and user-centric approach taken so far, which could be explicitly enshrined in the EUCS to avoid any residual doubt about the potential implications of harmonizing such criteria. Last but not least, an EUCS High+ standard would also be fully consistent with recently adopted Gaia-X standards.

  • Indispensable for cloud and AI uptake and successful EU digital transformation. In the absence of such harmonised criteria, numerous users, including a very significant number of EU SMEs, would not be in a position to opt for cloud solutions. They would have to leave their data stored “on-premise” which would impede their digital transformation and capacity to improve their cybersecurity capacities. Worse, they would be left with solutions that may be advertised as ‘sovereign’, but do not offer the protections they need. This scenario would significantly hinder cloud uptake and, hence, the development of common European data spaces and AI in the EU. This would, in turn, have a major impact on the EU industrial competitiveness. Moreover, it would disproportionately burden specific industrial sectors handling highly sensitive data as well as SMEs, which often lack the in-house capabilities and resources to come up with complex tailor-made solutions.

  • Avoiding Single Market’s fragmentation. The absence of an adequate High+ EU-level would further fragment the Digital Single Market into divergent national standards, inducing major administrative complexities and compliance costs and hitting all companies, especially the smaller ones. It would run against the Commission’s overall simplification, competitiveness and Single Market priorities. It would also hinder European cloud providers to scale up their solutions in the Single Market. Any proposal aiming at keeping sovereignty requirements at national level (extension profiles, national labels) will therefore fail to address the issue.

The newly confirmed European Commission has committed itself to digital sovereignty. The EUCS puts the EU’s commitments to the test. It is a first step, but a crucial one. It is an opportunity to achieve greater sovereignty in the cloud space and in AI – one that is user-driven and one that cannot be missed, if the EU wants to truly reduce its dependencies.

A significant number of EU Cloud providers and users across all sectors, nationality and sizes – including 45,000 European SMEs active in the digital sector – have voiced their strong support for the inclusion of such High+ criteria.

Therefore, we, as cloud users and providers and representatives from various European economic sectors, strongly support the inclusion of High+ criteria in the EUCS. At the very least, we call for a freeze of all EUCS-related discussions until an adequate alternative solution is found.


About the initiative




EUCSHighPlus.EU is a community initiative with the aim of informing on the needs of European Cloud users with respect to the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).
European cloud users who agree with this position and want to support the open letter are asked to contact the Airbus Brussels office, Avenue Marnix 28 1000 Brussels, at Airbus-Brussels-Office@airbus.com, which is responsible for this website.

Privacy Notice


Privacy Notice