EU Data Centre and Cloud Procurement 2026: Gaia-X, EUCS, NIS2 Requirements, and Sovereign Cloud Tenders

EUCS Cloud Certification: The Three Assurance Levels

The EU Cybersecurity Agency (ENISA) is finalising the EU Cloud Services Scheme (EUCS) — the first EU-wide certification framework for cloud services. Understanding the assurance levels is essential for suppliers bidding on cloud tenders and for contracting authorities specifying requirements:

The High assurance level includes contested sovereignty requirements — originally proposed to require EU-based legal entities and EU-citizen staff to handle sensitive data. Non-EU hyperscalers (AWS, Microsoft Azure, Google Cloud) have lobbied against these requirements. The current draft allows non-EU hyperscalers to achieve High certification through EU-incorporated subsidiaries — but the political debate continues, making EUCS High the most watched certification standard in EU procurement.

NIS2 Requirements in Cloud Tender Specifications

NIS2 Directive (2022/2555), transposed by member states by October 2024, creates security obligations for essential and important entities that are flowing directly into cloud procurement specifications. Key clauses appearing in 2026 cloud tenders:

• Supply chain security (Article 21): Essential entities must manage cybersecurity risks in their supply chain — meaning cloud and data centre providers must demonstrate their own NIS2 compliance or equivalent security measures. Tenders increasingly require ISO 27001 + NIS2-aligned control frameworks as a minimum technical requirement.
• Incident reporting obligations: Cloud contracts must specify response times for security incident notification — NIS2 requires initial notification within 24 hours, detailed report within 72 hours. Contract SLAs must align with these statutory timelines.
• Business continuity and disaster recovery: NIS2 requires essential entities to have tested BCM plans — cloud contracts specify minimum RTO/RPO (Recovery Time/Point Objectives) and require annual DR test evidence from providers.

Data Act Portability: Avoiding Cloud Lock-In in Contracts

The EU Data Act (2023/2854), applicable from September 2025, imposes specific obligations on cloud contracts including mandatory switching assistance and data portability. For procurement officers drafting cloud contracts:

• Switching assistance obligation: Cloud providers must provide comprehensive switching assistance — including data export in interoperable formats, equivalent functionality during transition, and no lock-in via technical restrictions. This must be specified in the contract with defined timelines (maximum 30 calendar days for data export).
• Egress fee elimination: From September 2027, cloud providers cannot charge data egress fees for data transferred out of their platform — removing a major historical lock-in mechanism. Contracts signed now should include provisions reflecting this future obligation.
• Essential requirements for interoperability: The Data Act mandates that cloud providers comply with technical standards for data portability — specifying open data formats and APIs that allow contracting authorities to switch providers without re-engineering dependent applications.