Startup Ecosystem Statement on the European Cybersecurity Certification Scheme for Cloud Services (EUCS)

November 7, 2023
AI Act - Cybersecurity

Startups are committed to contributing to a competitive, resilient, and innovative cloud ecosystem in Europe, which should continue benefiting from a wide array of cloud service providers. For this reason, we urge policy makers to refrain from adopting sovereignty requirements that would potentially exclude the products of crucial cloud suppliers from the European market. A politically motivated, rather than technical, outcome will be detrimental to European businesses, in particular startups, which are digitally-driven enterprises that heavily rely on the most advanced cloud services to scale. We fear that sovereignty requirements defy the voluntary nature of the EUCS, meaning that startups could be practically forced to miss out on the most innovative cloud products released to the global market, which they rely on to scale.

Thus, we ask policymakers to follow a non-mandatory, pragmatic, and forward-looking approach that is in line with WTO rules, responds to industry needs, and enables new technologies to flourish. Here’s why:

First, startups choose providers that can offer the best and most affordable products to consumers, regardless of market concentration. In fact, in capital-intensive markets such as cloud, which are characterised by economies of scale, this concentration is attributed to high upfront costs and research investments. What’s more concerning are the costs that would result from switching to providers that fail to offer products of equivalent quality at an affordable price.

Second, startups select the best and most affordable cloud providers to leverage the latest cloud technology offerings, allowing them to be at the vanguard of the digital transformation and AI revolution. This choice should be based on the product offered, not on the nationality of the company offering it, consistent with the non-discrimination principles of the WTO. The sovereignty requirements in the current text of the EUCS would considerably reduce cloud offerings in Europe, increase costs, and result in cumbersome governance, potentially having a severe negative effect on startups’ ability to innovate.

Third, imposing sovereignty requirements could potentially undermine the purpose of the scheme, which is to ensure maximum cybersecurity. Without the option to rely on a diverse range of providers, startup-owned data may not be as well protected—something vital for maintaining consumer trust.

An inclusive and non-discriminatory EUCS will contribute to Europe’s digital ambitions, especially its cloud uptake target among businesses of 75%. If done well, the EUCS has the opportunity to set a valuable baseline for cybersecurity and resilience in the internal market. To achieve this goal, policymakers should carefully consider the implications of setting sovereignty requirements for startups and entrepreneurs, as this will inevitably impact the development and deployment of new technologies in Europe.


  • Allied for Startups
  • Beta-i
  • Danish Entrepreneurs
  • Dutch Startup Association
  • Engine
  • InnovUp
  • Roma Startup
  • Startups.be & scale-ups.eu
  • Startup Canada
  • Startup Hungary
  • Startup Poland
  • Spanish Startup Association

Download the PDF here.