What is EUCS and does it affect cloud tenders?

EUCS (EU Cybersecurity Certification Scheme for Cloud Services) is a certification framework under ENISA establishing three assurance levels: Basic, Substantial, and High. For EU public sector cloud procurement — especially central government and critical infrastructure — EUCS High or Substantial compliance is increasingly referenced in tender specifications. While not yet legally mandatory, contracting authorities in France (SecNumCloud), Germany (BSI C5), and Netherlands (NEN 7510) already use national equivalents that EUCS aligns to.

Can US hyperscalers (AWS, Azure, GCP) win EU government cloud tenders?

AWS, Microsoft Azure, and Google Cloud participate in EU public procurement, often through EU-incorporated subsidiaries. However, data sovereignty requirements — particularly for French 'Système d'Information Sensible' (SIS), German 'VS-NfD' classified environments, and GDPR Article 44 third-country transfer restrictions — increasingly require EU-owned or operated cloud infrastructure for sensitive government workloads. Hyperscalers have responded with sovereign cloud offerings (Azure Government, AWS EU Sovereign Cloud).

What CPV codes cover cloud computing tenders?

Cloud services span: 72000000 (IT services general), 72212000 (Programming services for specific cloud), 48000000 (Software packages/SaaS), 72250000 (System support services/managed cloud), 72700000 (Network services/connectivity). Many cloud tenders use outcome-based CPV codes reflecting the service type rather than technology (e.g., 48800000 for information systems and servers).

◆ TenderMetric Intelligence Team · Last Reviewed: April 2026 · Sources: TED Europa · EU Publications Office · European Commission

◆ EU Procurement Intelligence — Key Facts

✓ The EU public procurement market is worth €2 trillion+ annually — approximately 14% of EU GDP
✓ TED Europa publishes 700,000+ contract notices per year across all 27 EU member states
✓ EU procurement thresholds in 2026: €143,000 (supplies/services, central) · €5.538M (works)
✓ Open procedures account for ~67% of all above-threshold EU contracts — the most accessible route for new bidders
✓ All above-threshold contracts must be published in the Official Journal of the EU (OJEU) under Directive 2014/24/EU

← Back to Insights

Sector Guide TM-INS-084 // 9 min read // MARCH 2026

EU Cloud Computing Tenders 2026: IaaS, PaaS, and SaaS Government Procurement

EU public sector cloud adoption is accelerating — but procurement is complex. EUCS certification, GDPR data residency requirements, national security classifications, and procurement framework structures all shape whether and how cloud vendors can compete for government contracts.

Quick Answer

EU public cloud procurement exceeds €12B annually and grows at ~25% per year. Major frameworks exist at EU institution level (DIGIT), national level (G-Cloud equivalents), and agency level. Key requirements: EUCS certification (or national equivalent like C5/SecNumCloud), GDPR-compliant data processing agreements, EU data residency for sensitive workloads, and ISO 27001 + SOC 2 Type II. Framework agreements dominate — individual direct-award cloud tenders are less common above €140K threshold.

The EU Cloud Procurement Landscape

EU government cloud procurement operates across three levels, each with different frameworks, requirements, and entry strategies:

1. EU Institutional Level — DIGIT Frameworks

The European Commission's DIGIT (Directorate-General for Informatics) manages cloud framework agreements for EU institutions including the Commission, Parliament, Council, and EU agencies. The current CLOUD framework (DIGIT/TM/2021-G4) covers IaaS, PaaS, and SaaS. Qualification is highly competitive — but a DIGIT award gives access to 50+ EU institutions as call-off buyers. These tenders appear on TED under contracting authority "European Commission."

2. National G-Cloud Equivalents

Several EU member states operate national cloud qualification frameworks where approved vendors can receive direct award call-offs:

France: UGAP cloud catalogue + SecNumCloud certification for sensitive systems
Germany: Rahmenvertrag IT-Infrastrukturleistungen (ITZBund central framework)
Netherlands: Rijksoverheid cloud framework (DICTU-managed)
Spain: SARA network + CTIC-managed cloud services catalogue
Poland: CHMURA.GOV.PL national sovereign cloud (Naukowa i Akademicka Sieć Komputerowa)

3. Individual Agency and Municipal Tenders

Below the national framework level, thousands of individual public authorities run their own cloud procurement — typically for specific applications (HR system SaaS, document management, video conferencing, backup). These are the most accessible entry point for smaller cloud vendors. Value typically €50K–€2M. Published on TED or national portals.

EUCS: The Emerging Certification Standard

The EU Cybersecurity Certification Scheme for Cloud Services (EUCS), developed by ENISA, will become the primary conformity assessment standard for EU government cloud procurement. Three assurance levels:

Level	Target Use Case	Key Requirements
Basic	Non-sensitive workloads	Self-assessment, ISO 27001
Substantial	Internal government systems	Third-party audit, SOC 2 Type II, GDPR compliance
High	Critical infrastructure, classified	EU ownership/control requirements, national security vetting

The controversial "EU ownership" requirement at High assurance level — which would effectively exclude US hyperscalers from the most sensitive EU government workloads — was debated throughout 2025. Watch for final EUCS adoption in 2026, which will reshape competitive dynamics significantly.

Data Residency and GDPR: The Decisive Requirements

For EU public sector cloud, data residency requirements are now standard in most tender specifications. Key provisions typically required:

Data stored in EU/EEA: All personal and government data must remain in EU/EEA data centres
No third-country transfers: Schrems II compliance — no transfer to US or other third countries without adequate protection
Data Processing Agreement (DPA): Standard Contractual Clauses (SCCs) or equivalent, signed at contract award
Sub-processor disclosure: Full list of sub-processors with locations and purposes
Data deletion: Certified deletion procedures within 30 days of contract termination

Gaia-X: EU Sovereign Cloud Initiative

Gaia-X is the EU's federated data infrastructure initiative — creating standards for interoperable, sovereign cloud services. Membership in the Gaia-X Association is increasingly a positive signal in tender evaluations. Gaia-X-compliant data spaces are being built for health (Health-X), manufacturing (Manufacturing-X), and mobility (Mobility Data Space) — each generating specific procurement opportunities for cloud providers on these platforms.

Win Strategy for Cloud Vendors

1. Get national certification first: BSI C5 (Germany), SecNumCloud (France), or ENS Alto (Spain) are national cloud certifications that satisfy immediate procurement requirements and map to EUCS Substantial/High. Pick one major market and certify there first.

2. Target the SaaS layer: IaaS competition is dominated by hyperscalers. SaaS applications procured by EU public authorities — document management, HR systems, collaboration tools, case management — are far more accessible to mid-size vendors with the right certifications and integration capabilities.

3. Lead with Gaia-X compatibility: For data-sensitive sectors (health, finance, logistics), Gaia-X node certification differentiates European cloud vendors from non-EU competition in evaluation criteria.

4. Monitor DIGIT PIN notices: The European Commission publishes Prior Information Notices months before cloud framework competitions open. Use this time to assess fit and prepare qualification documentation.

Key Takeaways

EUCS (EU Cloud Cybersecurity Scheme) is replacing fragmented national certifications — Substantial level will be required for most EU public authority cloud contracts by 2027.
IaaS competition is dominated by AWS, Azure, and Google — mid-size vendors should focus on the SaaS application layer where relationships and sector expertise matter more.
Gaia-X compatibility is an emerging scoring criterion for data-sensitive sectors (health, finance, logistics) — membership signals commitment to EU data sovereignty.
Framework agreements are the dominant procurement vehicle for cloud — DIGIT S3 (European Commission) and national equivalents lock in vendors for 4-year terms.
Prior Information Notices (PINs) from DG DIGIT and national central purchasing bodies signal framework re-competitions 3–6 months in advance.

Actionable Steps

Obtain a national cloud certification (BSI C5, SecNumCloud, or ENS Alto) in your primary target market — these satisfy current requirements and map to EUCS Substantial.
Apply for Gaia-X Association membership — certification costs are manageable and the signal value in EU public procurement evaluations is growing.
Monitor DG DIGIT PIN notices on TED (buyer: "European Commission, DG DIGIT") to track framework competition timelines 6–12 months ahead.
Identify national central purchasing bodies (CPBs) in your target member states and apply for their cloud framework agreements — they aggregate demand from hundreds of public bodies.
Use TenderMetric IT Services and Software filters to monitor live cloud-related tenders by country — combine with keyword searches for "cloud", "SaaS", "IaaS".

Find Cloud Procurement Tenders

TenderMetric monitors live EU cloud, IT, and software tenders daily from TED Europa across all 27 member states.

Browse IT Tenders → Browse Software Tenders →

◆

TenderMetric Intelligence Team

EU Procurement Research & Analysis · Last updated April 2026

Analysis compiled from TED Europa (Official Journal of the EU), European Commission procurement data, and CPV code classifications. TenderMetric tracks 10,000+ active EU procurement notices across all 27 member states, updated daily from the TED open data feed.

Get Weekly EU Tender Alerts

New tenders from TED Europa across all 27 EU member states — every Monday. Free forever.

◆ EU Procurement Intelligence at a Glance

10K+

Active tenders tracked

27

EU member states

€2T+

Annual market value

Daily

Data refresh from TED

◆ EU Contract Value Distribution (above-threshold)

Works contracts (construction, infrastructure) ~52%

Services contracts (IT, consulting, healthcare) ~35%

Supplies contracts (equipment, goods) ~13%

SME award rate (% of contracts to SMEs) ~45%

Source: European Commission Public Procurement Statistics — approximate figures based on TED Europa data.

◆ EU Procurement Lifecycle (Open Procedure)

Day 1

Contract Notice Published (TED)

Day 1–35

Tender Preparation & Submission

Day 35–70

Evaluation & Clarifications

Day 70–85

Standstill Period (10 days)

Day 85

Contract Award Decision

Day 90+

Contract Signature & Start

Timeline is indicative. Open procedure minimum: 35 days from publication to submission deadline (Directive 2014/24/EU).

◆

About the Author

TenderMetric Research Team

EU Procurement Intelligence Specialists · tendermetric.com

Our analysts monitor 10,000+ EU procurement notices daily across construction, IT, healthcare, defense, and energy sectors. All data sourced from TED Europa and the EU Publications Office.

📋 10K+ tenders tracked 🇪🇺 27 member states 🔄 Updated: April 2026

◆ Common Questions About EU Procurement

What is TED Europa and where do EU tenders come from? +

TED (Tenders Electronic Daily) is the online version of the Supplement to the Official Journal of the EU, published by the EU Publications Office. It publishes procurement notices above EU thresholds from all 27 member states, EU institutions, and affiliated bodies — approximately 700,000+ notices per year. TenderMetric aggregates and enriches this data daily.

What are the EU procurement thresholds in 2026? +

For 2026–2027, the EU procurement thresholds are: €143,000 for supplies and services by central government authorities; €221,000 for supplies and services by sub-central authorities; €5,538,000 for works contracts. Utilities and defence sectors have separate thresholds. Contracts above these values must be published on TED.

Can non-EU companies bid on EU public tenders? +

Third-country participation depends on international agreements. Countries covered by the WTO Government Procurement Agreement (GPA) — including the US, UK, Canada, Japan, and others — generally have access to EU tenders above GPA thresholds. Countries without GPA coverage may be excluded from specific lots. Always check the contract notice for nationality restrictions.

What is an ESPD and is it required? +

The European Single Procurement Document (ESPD) is a self-declaration form used across the EU as preliminary evidence of a bidder's suitability. It replaces multiple national certificates at the tender stage — you only need to submit the actual certificates if you win. The ESPD is mandatory for all above-threshold EU procurements and can be completed via the eESPD online service.

How can SMEs compete for EU public contracts? +

SMEs win approximately 45% of EU public contracts by value. Key strategies: focus on lots (contracting authorities must divide large contracts into lots where feasible); form consortia with complementary firms; target sub-central authorities (municipalities, regions) where competition is lower; use framework agreements as a stepping stone to larger contracts. The ESPD simplifies the qualification process specifically to reduce SME burden.

Browse Active EU Tenders

By Sector: Construction IT Services Healthcare Engineering Energy Environment Education Defense Software Transport R&D Finance

By Country: Germany France Italy Spain Poland Netherlands Belgium Sweden Austria Greece Portugal Czech Republic