Summary
EU governments are buying cloud security services at a pace that would have been unthinkable five years ago β and the contracts are getting larger. Framework agreements for cloud security posture management, compliance auditing, and architecture consulting now routinely reach β¬5Mββ¬10M for large contracting authorities. The driver is not ambition but obligation: ENISA's EU Cloud Certification Scheme (EUCS), NIS2 Article 21 supply chain requirements, and data sovereignty politics following the Schrems II ruling have created a procurement environment where getting cloud security wrong carries regulatory risk, not just technical risk.
Why 2025β2026 Is a Turning Point
The Schrems II ruling in 2020 invalidated the EU-US Privacy Shield, but its practical impact on government cloud procurement took years to work through procurement cycles. By 2025, ministries of interior across multiple member states had begun inserting explicit EUCS alignment clauses into cloud service tender specifications. The timing matters: ENISA published its candidate EUCS scheme in 2022, and the High assurance level β the one that imposes structural restrictions on which providers can qualify β is expected to be formally adopted under the Cybersecurity Act during 2025β2026.
This regulatory timetable has created a procurement window. Contracting authorities that locked in multi-year cloud contracts before EUCS High was defined are now approaching renewal. That means a wave of recompetitions over the next 24 months, many of which will require vendors to demonstrate EUCS alignment or equivalent national certification for the first time.
The Three EUCS Assurance Levels β What They Mean for Vendors
ENISA's EUCS scheme defines three assurance levels that map directly to the sensitivity of data being processed. Understanding which level applies to a given tender is the first practical step in assessing your eligibility.
Basic covers routine administrative data with no special sensitivity. Most productivity workloads β email, document collaboration, HR systems β fall here. AWS, Microsoft Azure, Google Cloud, and other major hyperscalers can qualify without structural restrictions. Contract values for Basic-level cloud security work typically run β¬500Kββ¬3M for a 4-year framework.
Substantial applies to personal data and operationally sensitive systems where a breach would cause significant harm. EU institutions' DIGIT framework contracts for cloud infrastructure largely target this level. Providers must demonstrate robust incident response, supply chain controls, and penetration testing regimes. ISO 27001 certification is a baseline requirement; SOC 2 Type II reports are increasingly requested as supplementary evidence.
High is where the political and commercial stakes are sharpest. This level is intended for classified or critical infrastructure data, and ENISA's current draft requires that the cloud service is controlled by an entity incorporated in an EU member state, with no non-EU law that could compel data disclosure applying to the operational entity. In practice, this means AWS, Microsoft Azure, and Google Cloud β as US-headquartered companies subject to the US Cloud Act and FISA Section 702 β cannot straightforwardly qualify at High level, even through EU-based subsidiaries, unless those subsidiaries have genuine operational independence that withstands legal scrutiny.
The providers that gain structurally from EUCS High are European-origin cloud operators: OVHcloud (France, holder of France's SecNumCloud certification), Scaleway (also French), T-Systems Open Telekom Cloud (Germany), and Hetzner. These providers have been actively marketing their EUCS-alignment credentials to public sector buyers since 2023. For cloud security vendors, this means your product's underlying infrastructure matters as much as its feature set when tendering for high-assurance contracts.
NIS2 Article 21 and the Supply Chain Obligation
Beyond EUCS, NIS2's Article 21 requires essential and important entities β which includes public administrations in most member states β to implement measures addressing security in network and information systems, including supply chain security. For cloud security procurement, this translates into a concrete tender requirement: contracting authorities must be able to demonstrate that their cloud providers and cloud security service suppliers have been assessed and that appropriate contractual controls are in place.
This has made cloud security auditing a fast-growing procurement category in its own right. National CERTs β ANSSI (France), BSI (Germany), NCSC (Netherlands), CERT-EU for EU institutions β have been issuing guidance that contracting authorities are translating into tender technical specifications. A tender from a ministry of interior for a cloud security audit will typically reference NIS2 Article 21, ENISA's cloud security guidelines, and the relevant national transposition law, then ask bidders to demonstrate they can assess compliance against all three simultaneously.
What Gets Procured and at What Scale
Cloud security procurement in the EU public sector is not monolithic. The largest category by contract value is cloud security architecture and consulting β typically procured as 4-year framework agreements with mini-competitions for individual call-offs. A framework set up by a ministry of defence or interior for cloud security architecture services will commonly carry a ceiling value of β¬5Mββ¬10M, with individual call-offs ranging from β¬200K for a focused review to β¬2M+ for a full zero-trust architecture programme.
Data residency compliance auditing has grown sharply since 2023. These contracts β procured under CPV 79212000-3 (auditing services) β typically run β¬300Kββ¬1.5M for a single audit engagement covering a ministry's entire cloud estate. The scope covers verification that data remains within EU borders, that sub-processors in the cloud provider's supply chain meet GDPR Article 28 requirements, and that contractual data processing agreements are enforceable under applicable law.
Cloud Security Posture Management (CSPM) tooling and Cloud Access Security Broker (CASB) services are usually procured via IT framework agreements rather than standalone contracts. The EU institutions' DIGIT framework, for instance, bundles CSPM capability within broader IT security service lots. National framework vehicles β Germany's EVB-IT, France's UGAP digital catalogue, the UK-derived frameworks some Nordic countries model their approaches on β handle much of the commodity CSPM and CASB spend below the EU publication threshold.
Key CPV Codes to Monitor
The CPV taxonomy predates cloud computing, so there is no dedicated cloud security code. Effective monitoring requires combining CPV codes with keyword searches on TED ("cloud security", "CASB", "CSPM", "data residency", "EUCS").
- 48730000-4 β Security software packages (CSPM and CASB tools)
- 72220000-3 β Systems and technical consultancy services (cloud architecture review, zero-trust design)
- 79212000-3 β Auditing services (data residency compliance audits, EUCS readiness assessment)
- 72222300-0 β Information technology services (broad cloud security services)
- 72315000-6 β Data network management (cloud network security, SD-WAN security)
Tenders for container and Kubernetes security β a fast-growing niche as government DevOps matures β often appear under 72220000-3 or within larger IT security framework lots. Searching by keyword is more reliable than CPV alone for this sub-category.
Qualification Requirements That Actually Matter
Most cloud security tenders above β¬500K impose minimum qualification requirements at two levels: company and personnel. At company level, ISO 27001 certification is a near-universal baseline, and SOC 2 Type II reports β while originating in US audit standards β are increasingly requested by EU contracting authorities as supplementary assurance. For contracts involving EUCS High-aligned infrastructure, demonstrating that your own service infrastructure is hosted on EUCS-certified or SecNumCloud-certified platforms is becoming a scored award criterion rather than merely a pass/fail gate.
At personnel level, cloud-platform certifications (AWS Certified Security Specialty, Microsoft Azure Security Engineer Associate, Google Professional Cloud Security Engineer) are commonly required for named key experts. For contracts with heavy regulatory compliance content, evaluators also look for staff with backgrounds in EU law or data protection β a former national DPA staff member on a bid team is genuinely valued.
The winning bid strategy in this category rewards regulatory fluency over technical feature lists. Evaluators β often working in ministries with CISO offices and legal departments both reviewing bids β respond to proposals that frame cloud security as a governance solution. That means demonstrating how your service makes the contracting authority's NIS2 Article 21 obligations documentable, how your audit methodology maps to ENISA guidelines, and how your SLA provisions allocate liability in terms that a ministry's legal team will recognise. Price sensitivity is markedly lower in cloud security than in commodity IT procurement β quality-to-price ratios in the 70/30 or even 80/20 range are not unusual.