
EU Cloud Sovereignty After NIS2: What Comes Next for Cloud Providers and Users?

  • Cedric KTORZA
  • Dec 29, 2025

Cloud sovereignty in Europe is entering a new phase.

After the NIS2 Directive came into force in October 2024, many organisations are asking what the next big step will be – sometimes dubbed, a bit loosely, the “EU Cloud Sovereignty Act”. While no single law with that title exists today, the EU is clearly building a de facto cloud sovereignty framework through NIS2, the Data Act, the forthcoming Cloud & AI Development Act, the Cloud Sovereignty Framework and the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).

This article explains how cloud obligations are evolving after NIS2, what “EU cloud sovereignty” really means in 2025, and how organisations can adapt their cloud, data centre and security strategies – with practical angles where Score Group and its divisions Noor ITS, Noor Energy and Noor Technology can help.

From NIS2 to cloud sovereignty: where we stand in 2025

NIS2 as the cybersecurity foundation

The NIS2 Directive (EU 2022/2555) is now the baseline for cybersecurity across 18 critical and important sectors in the EU, including digital infrastructure such as cloud computing service providers and data centre services. Member States had to transpose NIS2 into national law by 17 October 2024, with application from 18 October 2024.

NIS2 requires covered entities to implement robust risk management measures, including:

  • Security by design and by default for networks and information systems

  • Incident prevention, detection, and response capabilities

  • Access control, identity and privileged account management

  • Supply chain and third-party risk management

  • Business continuity, including backup and disaster recovery

For cloud service providers, NIS2 is not only about technical security: it also drives governance, reporting and supervision. National authorities can carry out audits, request information, and impose significant penalties for non-compliance.

NIS2 implementing rules for cloud and data centres

On 17 October 2024, the European Commission adopted implementing acts that specify technical and methodological requirements for several NIS2 subsectors, including:

  • Cloud computing service providers

  • Data centre service providers

  • Managed service providers (MSPs) and managed security service providers (MSSPs)

  • Content delivery network (CDN) providers and key online platforms

ENISA is developing detailed technical guidance to help apply these rules in practice, for example in areas such as logging, vulnerability management, secure configuration, backup, and encryption. For organisations using cloud, this means NIS2 controls can no longer be treated as optional “best practices”: they must be reflected in cloud architectures, contracts, and operational playbooks.

Is there an “EU Cloud Sovereignty Act” yet?

Despite frequent references in the media and industry conferences, there is currently no single EU regulation called “EU Cloud Sovereignty Act”. Instead, the EU is assembling a regulatory puzzle that, taken together, shapes how sovereign cloud should be designed, operated and procured:

  • NIS2 – Cybersecurity and resilience obligations, including for cloud and data centres

  • Data Act – Cloud switching, interoperability and safeguards against unlawful foreign access to non-personal data

  • Cloud & AI Development Act (planned) – Upcoming framework to expand sustainable EU data centre capacity and cloud policy

  • Cloud Sovereignty Framework & Cloud III DPS – EU procurement and “sovereignty scoring” for cloud services

  • EUCS (EU Cybersecurity Certification Scheme for Cloud Services) – A voluntary but influential security certification label for cloud

Understanding what comes “after NIS2” therefore means understanding how these initiatives interact and how they will impact cloud strategy, architecture and sourcing over the next 3–5 years.

The Data Act: cloud switching, interoperability and foreign access

The EU Data Act entered into force in January 2024 and introduces powerful rules for data processing services – a category that includes most cloud and edge services.

Cloud switching and “no lock-in by design”

From September 2025, providers qualifying as data processing services face new obligations around switching, with a complete ban on switching fees and data egress fees from 12 January 2027. Key aspects include:

  • Customers must be able to switch to another provider or to on‑premises infrastructure with minimal friction.

  • Notice periods and transition periods are capped (maximum two months’ notice; default 30-day transition, extendable only in justified technical cases).

  • Providers must ensure data portability: all exportable data and digital assets must be made available in a commonly used, machine‑readable format.

  • Interoperability becomes a regulatory obligation via open, well-documented interfaces (APIs) and support for standard formats.

For Infrastructure as a Service (IaaS), providers must support a level of functional equivalence when customers move to a comparable service: using exported data and digital assets, core functions must deliver materially similar outcomes.

Safeguards against foreign government access

The Data Act also tackles concerns about extraterritorial access to non-personal data by third-country public authorities. Providers must implement technical, organisational and contractual measures to resist unlawful disclosure orders from outside the EU, and subject any such requests to rigorous legal checks.

This is a key component of cloud sovereignty: it goes beyond data residency and focuses on who can lawfully access which data, under which jurisdiction.

Cloud & AI Development Act and a single EU cloud policy

As part of its digital strategy, the European Commission has announced a forthcoming Cloud and AI Development Act, expected to be proposed in 2025. The goal is to at least triple EU data centre capacity within 5–7 years and fully meet the needs of EU businesses and public administrations by 2035.

The Act is expected to:

  • Simplify and harmonise permitting for new data centres that meet sustainability and innovation criteria

  • Promote energy‑efficient technologies, advanced cooling, and integration of data centres into local energy systems

  • Work together with a new single EU-wide cloud policy for public administrations, especially for highly critical use cases

This is highly relevant for organisations planning new data centre projects or hybrid cloud architectures: energy performance, sustainability and location will no longer be only cost or CSR questions, but also regulatory alignment factors.

Cloud Sovereignty Framework, Cloud III DPS and EUCS

Cloud Sovereignty Framework and EU tendering

In October 2025, the Commission launched a €180 million tender under its Cloud III Dynamic Purchasing System (Cloud III DPS), to procure sovereign cloud services for EU institutions over six years. This tender is based on a new Cloud Sovereignty Framework that evaluates providers across eight sovereignty objectives, including:

  • Strategic autonomy and supply chain transparency

  • Legal exposure to foreign jurisdictions

  • Operational sovereignty (who operates which components, where)

  • Security, compliance and environmental performance

Although currently applied to EU institutions, this framework is expected to influence how other public buyers and large private organisations define and measure cloud sovereignty in their own RFPs and sourcing strategies.

EUCS: Cybersecurity certification for cloud services

The European Cybersecurity Certification Scheme for Cloud Services (EUCS), developed by ENISA, provides a common EU security certification framework for cloud. It defines controls across multiple domains (e.g. identity, logging, incident management, supply chain) and sets out assurance levels.

Early drafts of EUCS contained strong sovereignty and ownership constraints (e.g. requirements to avoid exposure to third-country laws), but many of these have been softened or removed after intense debate. The final scheme is still evolving, but in practice EUCS will act as a security and assurance baseline, especially for public sector and highly regulated industries.

For cloud users, the key questions become:

  • Which workloads should require an EUCS-certified service?

  • How to map EUCS controls to internal security frameworks and NIS2 risk measures?

  • How to include EUCS-related commitments in contracts and SLAs with providers?

Key EU initiatives shaping cloud sovereignty (overview)

| Instrument | Status (as of Dec 2025) | Main focus for cloud | Practical impact on organisations |
| --- | --- | --- | --- |
| NIS2 Directive & implementing acts | In force; applied from Oct 2024 | Cybersecurity risk management, incident reporting, cloud & DC technical measures | Need to align cloud security, monitoring, incident response, and supplier management with NIS2 controls. |
| EU Data Act (Chapter VI) | In force; switching rules from 2025, full fee ban by Jan 2027 | Cloud switching, portability, interoperability, foreign access safeguards | Must design multi-cloud ready architectures, update contracts, remove unjustified egress fees and lock-in clauses. |
| Cloud & AI Development Act | Commission proposal expected 2025 | Expansion of sustainable EU data centre capacity and cloud policy | Future projects will need to factor in sustainability, location and energy integration criteria. |
| Cloud Sovereignty Framework & Cloud III DPS | Tender launched Oct 2025 | Sovereignty objectives and scoring for EU institutional cloud procurement | Likely reference for public tenders and large enterprises assessing provider “sovereignty scores”. |
| EUCS (Cloud security certification) | Scheme in finalisation; voluntary but influential | Uniform cybersecurity requirements and assurance levels for cloud | Can be used as a purchasing criterion and a benchmark for provider security maturity. |

Market response: sovereign offerings and EU–US balance

Hyperscalers: EU data boundaries and sovereign clouds

Large non-EU cloud providers are adapting quickly to the new landscape. Examples include:

  • Microsoft completing its EU Data Boundary, allowing most customer data for key services to be stored and processed entirely within the EU/EEA.

  • AWS European Sovereign Cloud, built and operated entirely within the EU with EU-resident staff, designed for sensitive public sector and regulated workloads.

  • Google Cloud emphasising data localisation options and, in 2025, removing some data transfer fees in Europe ahead of Data Act switching rules.

These moves show that even global providers must align with European notions of sovereignty and autonomy to remain competitive for government and critical infrastructure contracts.

European providers: opportunity and pressure

At the same time, European reports highlight that roughly two-thirds of cloud infrastructure in Europe is still provided by US hyperscalers, with EU vendors representing a much smaller share of the market. This creates both an opportunity and a challenge for local providers:

  • Opportunity to differentiate on jurisdiction, transparency and proximity to regulators

  • Pressure to match hyperscalers on scale, performance, services and innovation

Public policies around sovereign cloud, open-source technologies and trusted cloud labels are therefore not neutral: they can shift the competitive balance in the European cloud market over time.

What “EU cloud sovereignty” means in practice for organisations

Beyond data residency: a multidimensional concept

In practice, EU cloud sovereignty spans several dimensions:

  • Jurisdictional control – Limiting exposure to non-EU laws and ensuring that unlawful foreign access requests are challenged

  • Operational autonomy – Clear control over operations (who administers systems, from where, using which tools)

  • Technical sovereignty – Ability to switch providers, use open standards, avoid hard lock-in

  • Security & resilience – Robust cybersecurity, NIS2-level resilience and certified controls

  • Sustainability & energy – Efficient data centres, low-carbon energy, integration with local energy systems

Organisations that treat sovereignty as only a data location question will increasingly be out of step with emerging EU expectations.

Key implications for your cloud strategy “after NIS2”

Concretely, the next 2–4 years will require:

  • Cloud architecture reviews to support multi-cloud and easy switching, in line with the Data Act

  • Contract and SLA updates to integrate NIS2, Data Act and (where relevant) EUCS-related requirements

  • Identity and access management upgrades to meet stricter NIS2 access control and logging expectations

  • Data classification and residency models that distinguish between critical, sensitive, and standard workloads

  • Supply chain due diligence on cloud, MSP and SaaS providers, including jurisdictional and operational aspects

  • Energy and sustainability criteria when selecting data centres and planning hybrid architectures

This requires close collaboration between CIO, CISO, DPO, legal, procurement and sustainability teams – and, often, external partners able to integrate energy, infrastructure and new tech perspectives.

How Score Group supports cloud sovereignty and post‑NIS2 transformation

At Score Group, cloud sovereignty is not just a legal debate: it is a concrete design and integration challenge that touches infrastructure, energy, cybersecurity and innovation.

Noor ITS – Secure, sovereign-ready digital infrastructure

Our division Noor ITS focuses on the digital backbone of your organisation. In the context of NIS2, the Data Act and emerging sovereignty frameworks, Noor ITS can help you:

  • Design and modernise infrastructure and networks (on‑premises, private cloud, public cloud and hybrid)

  • Strengthen cybersecurity through audits, remediation plans, segmentation, identity and access control, and incident response capabilities

  • Plan and optimise data centres and colocation strategies in line with energy, resilience and governance needs

  • Define and implement cloud & hosting strategies (private, public, hybrid), including multi-cloud and edge architectures compatible with Data Act switching rules

  • Enhance your Digital Workplace while maintaining compliance and data protection

  • Design and test business continuity and disaster recovery (PRA/PCA) aligned with NIS2 expectations for resilience

We work alongside your legal and compliance teams to ensure that technical choices support your regulatory roadmap, without providing legal advice ourselves.

Noor Energy – Efficient, sustainable data centres and edge sites

As EU policy increasingly couples cloud expansion with energy efficiency and sustainability, our division Noor Energy helps organisations align digital ambitions with energy performance:

  • Energy management and monitoring for data centres and technical buildings

  • Integration of renewable energy (e.g. solar) and storage to power IT infrastructure

  • Smart building management (GTB/GTC) to optimise cooling, lighting and power usage in IT facilities

  • Support for electric mobility and on-site infrastructure where relevant

This combination allows you to anticipate emerging criteria of the Cloud & AI Development Act and national sustainability schemes, while reducing operating costs.

Noor Technology – Leveraging AI, automation and IoT securely

Cloud sovereignty and NIS2 do not mean slowing down innovation. With Noor Technology, Score Group helps you deploy AI, RPA and IoT solutions that respect security, compliance and sovereignty constraints:

  • Design of AI and data processing pipelines hosted on suitable, compliant cloud or hybrid infrastructures

  • RPA and process automation to improve the efficiency and traceability of security and compliance workflows

  • Smart Connecting / IoT solutions with secure, monitored connectivity to cloud platforms

  • Development of web, mobile and business applications that integrate identity, logging and data protection by design

Our role as a global integrator is to ensure that energy, infrastructure and new technologies move together, “where efficiency embraces innovation”.

FAQ: EU cloud sovereignty and life after NIS2

Does an official “EU Cloud Sovereignty Act” already exist?

No. As of December 2025, there is no single EU regulation called “EU Cloud Sovereignty Act”. Instead, cloud sovereignty emerges from a combination of measures: NIS2 (cybersecurity and resilience), the Data Act (cloud switching, interoperability and foreign access safeguards), the forthcoming Cloud & AI Development Act (data centre capacity and sustainability), the Cloud Sovereignty Framework for EU procurement, and the EUCS cloud security certification scheme. When commentators mention an “EU Cloud Sovereignty Act”, they usually refer informally to this evolving package of rules rather than a specific piece of legislation.

How do NIS2 and the Data Act interact for cloud services?

NIS2 focuses on security and resilience of network and information systems, including cloud and data centre services, while the Data Act focuses on data portability, interoperability and fair switching between providers. For cloud users, this means you must both secure your workloads (NIS2) and design them to be portable and multi‑cloud-ready (Data Act). In practice, architecture decisions such as identity management, logging, backup strategies and API design need to satisfy both sets of expectations. Ignoring one of these dimensions risks creating either security gaps or future lock‑in and compliance issues.

What does “sovereign cloud” mean in operational terms?

Operationally, a sovereign cloud is not just about hosting data in the EU. It involves clarity on who operates which components, from which locations, and under which legal jurisdictions; strong encryption and key management; rigorous control over administrative access; documented supply chains; and the ability to resist unlawful foreign data access requests. It also requires robust security and resilience measures, ideally mapped to frameworks like NIS2 and EUCS. Finally, sovereignty implies choice and reversibility: architectures and contracts must allow you to switch providers or repatriate workloads without undue barriers.

How should a mid-size organisation prepare its cloud strategy for upcoming EU rules?

Start with a clear cloud and data classification: identify which workloads are critical, sensitive or regulated. For critical and NIS2‑relevant systems, review whether current providers and architectures support strong logging, incident response, backup and recovery. In parallel, evaluate your dependence on any single provider and identify quick wins for portability, such as standardising on open formats, containerisation, and well-documented APIs. Update your contracts to reflect Data Act and NIS2 expectations, including exit clauses and security requirements. Finally, align IT, security, legal and procurement on a roadmap – external partners like Score Group can help structure this multi‑year transformation.

Can non‑EU cloud providers still be part of a sovereign cloud strategy?

Yes – but under stricter conditions. EU policy debates have moved away from simple geographic exclusion of non‑EU providers towards risk‑based criteria: legal exposure, operational autonomy, transparency, and technical controls. Non‑EU providers increasingly offer EU‑only regions, EU‑resident operations teams and stronger contractual safeguards. Organisations can include such providers in a sovereign strategy as long as they carefully assess jurisdictional risks, insist on robust encryption and key management, and ensure compliance with NIS2 and the Data Act. A balanced multi‑cloud approach, with both European and global players, often offers the best mix of sovereignty, resilience and innovation.

What’s next?

The period after NIS2 is not the end of EU cloud regulation – it is the beginning of a more mature, sovereignty‑driven framework. Over the next few years, Data Act obligations, the Cloud & AI Development Act and procurement frameworks like the Cloud Sovereignty Framework will reshape how cloud is built, bought and operated in Europe.

If you want to reassess your cloud and data centre strategy, strengthen cybersecurity, or prepare for sovereign and sustainable architectures, Score Group and its divisions Noor ITS, Noor Energy and Noor Technology can accompany you. Together, we design and integrate solutions tailored to your needs – where efficiency truly embraces innovation.

 
 