Quick Answer
EU public cloud procurement exceeds €12B annually and grows at ~25% per year. Major frameworks exist at EU institution level (DIGIT), national level (G-Cloud equivalents), and agency level. Key requirements: EUCS certification (or national equivalent like C5/SecNumCloud), GDPR-compliant data processing agreements, EU data residency for sensitive workloads, and ISO 27001 + SOC 2 Type II. Framework agreements dominate — individual direct-award cloud tenders are less common above €140K threshold.
The EU Cloud Procurement Landscape
EU government cloud procurement operates across three levels, each with different frameworks, requirements, and entry strategies:
1. EU Institutional Level — DIGIT Frameworks
The European Commission's DIGIT (Directorate-General for Informatics) manages cloud framework agreements for EU institutions including the Commission, Parliament, Council, and EU agencies. The current CLOUD framework (DIGIT/TM/2021-G4) covers IaaS, PaaS, and SaaS. Qualification is highly competitive — but a DIGIT award gives access to 50+ EU institutions as call-off buyers. These tenders appear on TED under contracting authority "European Commission."
2. National G-Cloud Equivalents
Several EU member states operate national cloud qualification frameworks where approved vendors can receive direct award call-offs:
- France: UGAP cloud catalogue + SecNumCloud certification for sensitive systems
- Germany: Rahmenvertrag IT-Infrastrukturleistungen (ITZBund central framework)
- Netherlands: Rijksoverheid cloud framework (DICTU-managed)
- Spain: SARA network + CTIC-managed cloud services catalogue
- Poland: CHMURA.GOV.PL national sovereign cloud (Naukowa i Akademicka Sieć Komputerowa)
3. Individual Agency and Municipal Tenders
Below the national framework level, thousands of individual public authorities run their own cloud procurement — typically for specific applications (HR system SaaS, document management, video conferencing, backup). These are the most accessible entry point for smaller cloud vendors. Value typically €50K–€2M. Published on TED or national portals.
EUCS: The Emerging Certification Standard
The EU Cybersecurity Certification Scheme for Cloud Services (EUCS), developed by ENISA, will become the primary conformity assessment standard for EU government cloud procurement. Three assurance levels:
| Level | Target Use Case | Key Requirements |
|---|---|---|
| Basic | Non-sensitive workloads | Self-assessment, ISO 27001 |
| Substantial | Internal government systems | Third-party audit, SOC 2 Type II, GDPR compliance |
| High | Critical infrastructure, classified | EU ownership/control requirements, national security vetting |
The controversial "EU ownership" requirement at High assurance level — which would effectively exclude US hyperscalers from the most sensitive EU government workloads — was debated throughout 2025. Watch for final EUCS adoption in 2026, which will reshape competitive dynamics significantly.
Data Residency and GDPR: The Decisive Requirements
For EU public sector cloud, data residency requirements are now standard in most tender specifications. Key provisions typically required:
- Data stored in EU/EEA: All personal and government data must remain in EU/EEA data centres
- No third-country transfers: Schrems II compliance — no transfer to US or other third countries without adequate protection
- Data Processing Agreement (DPA): Standard Contractual Clauses (SCCs) or equivalent, signed at contract award
- Sub-processor disclosure: Full list of sub-processors with locations and purposes
- Data deletion: Certified deletion procedures within 30 days of contract termination
GAIA-X and OVHcloud SecNumCloud: EU Sovereignty in Practice
GAIA-X is the EU's federated cloud infrastructure initiative — defining technical specifications for interoperable, sovereignty-respecting cloud services. The GAIA-X Association publishes compliance labels for cloud providers, and membership is increasingly referenced in tender evaluation criteria for data-sensitive sectors. GAIA-X-compliant data spaces are under active development for health (Health-X), manufacturing (Manufacturing-X), and mobility (Mobility Data Space) — each generating specific procurement opportunities for participating cloud providers.
France's SecNumCloud certification — awarded by ANSSI (the French national information security agency) — is currently the strictest national cloud security scheme in the EU. OVHcloud holds SecNumCloud certification, making it the only large-scale cloud provider that is both fully EU-controlled and certified at this level. For French public sector procurement involving "Systèmes d'Information Sensible" (SIS), SecNumCloud is a hard requirement — not a scoring criterion. This model is being watched across the EU as a template for what EUCS High assurance level will mean in practice: effective exclusion of non-EU-owned providers from the most sensitive government workloads.
Win Strategy for Cloud Vendors
1. Get national certification first
BSI C5 (Germany), SecNumCloud (France), or ENS Alto (Spain) are national cloud certifications that satisfy immediate procurement requirements and map to EUCS Substantial/High. Pick one major market and certify there first.
2. Target the SaaS layer
IaaS competition is dominated by hyperscalers. SaaS applications procured by EU public authorities — document management, HR systems, collaboration tools, case management — are far more accessible to mid-size vendors with the right certifications and integration capabilities.
3. Lead with Gaia-X compatibility
For data-sensitive sectors (health, finance, logistics), Gaia-X node certification differentiates European cloud vendors from non-EU competition in evaluation criteria.
4. Monitor DIGIT PIN notices
The European Commission publishes Prior Information Notices months before cloud framework competitions open. Use this time to assess fit and prepare qualification documentation.
Key Takeaways
- EUCS (EU Cloud Cybersecurity Scheme) is replacing fragmented national certifications — Substantial level will be required for most EU public authority cloud contracts by 2027.
- IaaS competition is dominated by AWS, Azure, and Google — mid-size vendors should focus on the SaaS application layer where relationships and sector expertise matter more.
- Gaia-X compatibility is an emerging scoring criterion for data-sensitive sectors (health, finance, logistics) — membership signals commitment to EU data sovereignty.
- Framework agreements are the dominant procurement vehicle for cloud — DIGIT S3 (European Commission) and national equivalents lock in vendors for 4-year terms.
- Prior Information Notices (PINs) from DG DIGIT and national central purchasing bodies signal framework re-competitions 3–6 months in advance.
Actionable Steps
- Obtain a national cloud certification (BSI C5, SecNumCloud, or ENS Alto) in your primary target market — these satisfy current requirements and map to EUCS Substantial.
- Apply for Gaia-X Association membership — certification costs are manageable and the signal value in EU public procurement evaluations is growing.
- Monitor DG DIGIT PIN notices on TED (buyer: "European Commission, DG DIGIT") to track framework competition timelines 6–12 months ahead.
- Identify national central purchasing bodies (CPBs) in your target member states and apply for their cloud framework agreements — they aggregate demand from hundreds of public bodies.
- Use TenderMetric IT Services and Software filters to monitor live cloud-related tenders by country — combine with keyword searches for "cloud", "SaaS", "IaaS".
◆ Primary Sources & Further Reading
Find Cloud Procurement Tenders
TenderMetric monitors live EU cloud, IT, and software tenders daily from TED Europa across all 27 member states.