The rise of cloud computing has been transformative for startups, enabling them to scale rapidly and compete with larger enterprises. For startups, cloud infrastructure provides unparalleled scalability, cost-efficiency, and access to cutting-edge tools that would have been out of reach just a few years ago. Yet, the regulatory framework surrounding its use is critical. Startups need a secure cloud environment, but they also require the flexibility to choose the best services available globally. The European Cybersecurity Certification Scheme for Cloud Services (EUCS) plays a key role in this by setting security standards across the EU. However, delays in finalising the latest version of the EUCS have left startups in limbo, unable to fully benefit from the cloud’s transformative potential.
Why does the EUCS matter to startups?
Cloud services are already central to European businesses that are increasingly using them. In 2023, 45.2% of EU enterprises with more than 10 employees reported using cloud computing services. In digital frontrunners like Finland, the adoption rate even reaches 78.3%. For startups, the cloud is an essential tool to compete on a global scale. The scalability it offers allows new companies to grow quickly, without the need for heavy upfront investment in infrastructure.
The EUCS is crucial for securing this ecosystem. Designed by the EU’s cybersecurity agency (ENISA), the EUCS aims to harmonise the certification of cloud services across Europe, providing businesses with a single set of cybersecurity standards. This would ensure both a higher level of security and reduced regulatory fragmentation, making it easier for startups to navigate the compliance landscape. Importantly, the latest draft of the EUCS aligns with the requests of Allied for Startups and its members by excluding sovereignty requirements! This exclusion reflects a commitment to fostering a competitive environment that supports innovation among startups while ensuring robust security measures.
Why would delay of the EUCS hurt startups?
Unfortunately, in June 2024, the adoption of the EUCS text was postponed. Reports suggest that the European Commission is now considering additional non-binding guidance, which could delay the implementation of the scheme even further. For startups, this delay is not just an inconvenience – it is a significant barrier to growth. Without a finalised EUCS, many startups are left navigating a fragmented regulatory environment, unsure of which security standards to follow. Startups, particularly those in fast-moving sectors like AI and data analytics, need a secure and flexible cloud environment to flourish. Any delay in implementing the EUCS threatens to stifle the very innovation that Europe needs to remain competitive in the global market.
New Commissioners to the rescue?
There is hope, however. The appointment of Ekaterina Zaharieva as the first-ever Startup Commissioner reflects the European Commission’s growing recognition of the role startups play in driving the digital economy. Additionally, Henna Virkkunen, the newly appointed Executive Vice-President for Tech Sovereignty, Security, and Democracy, has committed to accelerating the adoption of EU cybersecurity certification schemes. This presents a critical opportunity to fast-track the EUCS and ensure that startups have access to the secure cloud environment they need to thrive.
Conclusion
The EUCS is a crucial piece of the puzzle in securing Europe’s digital future. The latest draft, which excluded harmful sovereignty requirements, represents a balanced and forward-thinking approach to cloud security. However, bureaucratic delays in its adoption are holding startups back at a time when they need clear, unified cybersecurity standards more than ever. With the right leadership, the EU has an opportunity to fast-track the adoption of the EUCS and create a secure and competitive cloud environment that empowers startups to scale, innovate, and compete globally.