Published
Webinar Summary: Cloud Cybersecurity, Sovereignty, and EU Competitiveness
By: Matthias Bauer Guifré Margarit i Contel
Subjects: Digital Economy European Union Sectors Services
The rapid evolution of cloud computing presents Europe with a unique opportunity to strengthen its digital landscape. However, balancing cybersecurity, sovereignty, and competitiveness remains a complex challenge. This was the focus of our recent ECIPE webinar “Cloud Cybersecurity, Sovereignty, and EU Competitiveness”, which brought together experts to explore the EU Cybersecurity Certification Scheme (EUCS) and its implications for innovation, security, and market openness.
The EUCS, developed under the auspices of ENISA, aims to establish robust cybersecurity standards for cloud services. It has the potential to bolster trust in digital technologies while addressing cyber risks across critical industries. Yet, as Matthias Bauer, ECIPE Director and moderator of the discussion, pointed out, concerns linger over sovereignty requirements embedded in early drafts of the EUCS. These requirements, when mandated by EU and Member State law, could exclude non-European vendors from high-assurance services, exacerbating Europe’s technological lag.
Citing ECIPE research, Bauer noted a staggering $1.4 trillion investment gap between Europe and the United States in ICT and cloud-related sectors. The stakes are high: sovereignty-focused measures could cost the EU up to €600 billion annually in GDP while hampering its ability to harness global innovation.
For startups, the implications of sovereignty requirements are particularly acute. Maxime Ricard, Policy Manager for AI and Digital Policy at Allied for Startups, emphasised the need for a harmonised, inclusive EUCS framework. He highlighted how fragmented and restrictive policies stifle startups’ ability to scale.
“Startups always want to access the best solutions available, regardless of the nationality of providers, in order to scale effectively,” Ricard said. He called for pragmatic policies that enhance cybersecurity without limiting access to global innovation. Sovereignty requirements, he argued, could unintentionally increase costs and reduce access to cutting-edge solutions, disproportionately impacting smaller enterprises.
Marcus Corry, Director of Technology and Operations at AFME, brought the financial sector’s perspective to the table. While welcoming uniform cybersecurity standards, he criticised the EUCS development process for its lack of transparency. “The opaqueness of the process gives rise to a lot of potential for unintended consequences,” he observed.
Corry pointed out that sovereignty discussions must be addressed through primary legislation rather than technical implementing acts to ensure stakeholder engagement and minimise unintended risks. Drawing parallels with the Digital Operations Resilience Act (DORA), he highlighted how broader consultation during its development helped refine its approach to third-country providers.
Damien Rilliard, EMEA Sovereignty Lead at Oracle, framed sovereignty as a double-edged sword. While recognising the need for stringent data localisation and governance measures, he cautioned against excluding non-European companies from contributing to the EU’s digital ecosystem.
“If we exclude innovation brought by non-EU companies, we risk forbidding the EU industry from bridging its technological gap,” Rilliard noted. He pointed to Oracle’s EU Sovereign Cloud as an example of balancing sovereignty with inclusivity, demonstrating how foreign providers can operate securely within Europe while adhering to local laws and standards.
Throughout the discussion, a recurring theme was the importance of avoiding regulatory fragmentation. The panellists agreed that harmonising cybersecurity standards across Member States is critical for ensuring legal clarity and fostering innovation. Fragmentation, they warned, could deter investment and complicate compliance, particularly for startups and SMEs.
Rilliard also emphasised the need to distinguish between sovereignty and cybersecurity, noting that a sovereign system without robust cybersecurity measures is ultimately insecure. “You need the best cybersecurity and the best sovereignty together if you want to really be protected,” he said.
As the EU looks to finalise the EUCS, the panellists offered a wish list for the incoming European Commission. Ricard called for startup-friendly policies, urging policymakers to adopt a harmonised approach and avoid sovereignty requirements that hinder scalability. Corry recommended a holistic review of existing cybersecurity frameworks to streamline overlapping initiatives and ensure effectiveness.
Rilliard echoed these sentiments, advocating for a balanced approach that maintains market openness while addressing legitimate sovereignty concerns. He concluded with a hopeful note: “We need to harness the most advanced innovation in the cloud, wherever it comes from, to ensure Europe’s competitiveness.”
The webinar underscored the delicate balancing act required to navigate cybersecurity, sovereignty, and competitiveness in the cloud era. As Bauer summarised, “Avoiding fragmentation, avoiding discrimination, and engaging in stocktaking are essential for moving ahead.”
With so much at stake, the EU’s approach to cloud cybersecurity will be pivotal in shaping its digital and technological competitiveness. Only through non-discriminatory and transparent policies can Europe adapt the best technologies available in global markets, close its technological gap, and secure its place in the global digital economy.
You can watch the full event below: