European Elections 2024: EUCLIDIA Urges to Open Market Access And Foster European Cloud Technologies

EUCLIDIA, the European Cloud Industrial Alliance, is presenting its objectives "EUCLIDIA 2030" for Europe's strategic autonomy and resilience in the cloud. Domination of the European cloud market by a handful of non-EU technologies creates a major risk for Europe's digital security. A new European policy favouring European technologies and technology diversity needs to be drawn up in the run-up to the European elections. 

The European cloud technology market is currently dominated by a few non-EU actors. The "EUCLIDIA Now!" event on 29 September 2022 (Towards a resilient cloud infrastructure in Europe1) showed that all cloud technologies exist in Europe, and that they even account for almost 50% of hyperscaler acquisitions. However, European actors often remain marginalised in the domestic market.

The hurdles to overcome for European technologies to access the EU markets continue to grow. At the European level, no less than 9 regulations, including the Cyber Resilience Act, EUCS and NIS2, are under discussion to add ever more standards to the creation of software in Europe, which will ultimately make it more difficult, if not impossible, to bring European cloud technologies to the EU market. 

In some EU countries, bringing to market a cloud technology already costs more than a million euros and takes more than 24 months to overcome ever-increasing barriers deriving from recent regulations. Ironically, it is now easier for a European cloud technology provider to access the market in China (3 months, hundred thousand euros) or in U.S or Japan where these obstacles do not exist. These barriers effectively prevent European SMEs from accessing the majority of markets on their own continent, whereas hyperscalers which do not comply by these regulations benefit from massive public purchase2 3 4 5 6 7 8 9.

Furthermore, European OECD-inspired regulatory doctrines10 for digital security have repeatedly ignored the essential role of diversity and free competition in resilience, thus further increasing disinterest from policy-makers in the existence of a diverse and striving ecosystem of European cloud technology providers. Cloud infrastructure in Europe currently depends on very few, mostly non-European, cloud technologies11. If there is a breach in one cloud operator, the same breach will likely happen with other operators and possibly impact all European cloud infrastructures. Effective resilience of European digital infrastructure can be achieved by leveraging 300 cloud technologies backed by 100 competitive European companies identified by EUCLIDIA, while entirely fulfilling the EU's cybersecurity objectives.

Facing these concerns and the risk of regulatory capture of the European cloud industry by non-EU players, EUCLIDIA is asking to reduce financial and normative barriers to enable market access for European technology creators, in particular: 

Ensure that the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) does not become mandatory in the majority of the European cloud market.

Exempt open-source created by private organisations from the costly administrative and technical requirements of the Cyber Resilience Act (CRA) and the Product Liability Act (PLD), just like it is exempted for individuals and governments.

Exempt cloud providers from implementing mandatory interoperability standards if they already provide effective interoperability through another approach.

Lift the ban on publishing AI cloud software without a legal traceability system as planned in the AI Act.

Revise the Digital Services Act (DSA) to put an end to the obligation to include backdoors in cloud software.

Ban pricing or technical barriers set by some cloud providers to prevent interoperability by charging a high price to recover data or by hiding technical information to interact with their service.

Considering the extraordinary diversity and innovation of European cloud technology creates, EUCLIDIA is asking to foster their access to the European market, in particular: 

Favour European technologies based on the principles of cultural exception and subsidiarity. These principles have already been used to protect European steel producers and the clothing industry, as well as in the music and film sectors. Quotas have not only protected these industries, but have also made them leaders in their sectors. From €53bn in 2020, the European cloud market should reach €560bn by 2030. EUCLIDIA is ready to work jointly with governments, policy-makers and companies to improve processes and regulatory frameworks. These aspects are key to secure access to these fast-growing markets for European cloud technologies based on the intrinsic cultural nature of software at the core of virtually all cloud technologies.

Encourage purchasing from SMEs. European cloud technologies are already being used by a majority of CAC40/DAX30 companies and are the core of many hyperscalers services. This European ecosystem is also the best way to respond to the legitimate concerns generated by extraterritorial laws such as the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), the Executive Order 12333, the Foreign Intelligence Surveillance Act (FISA) and the International Traffic in Arms Regulations (ITAR). 

Case Study: European Union (France)

A company in France which creates a CRM software with AI and decides to propose it as a cloud service (SaaS) may have to spend 24 months and 1,600,000 euros to implement all regulations. 

Due to the NIS2 directive, the majority of the market will require the SaaS to pass "SecNumCloud" qualification or a European equivalent. Government, cities, operators of public infrastructure, operators of public services, etc. are all under the umbrella of NIS2. Larger companies tend to also follow the NIS2 directive, making the SecNumCloud close to mandatory. 

In addition, various regulations (CRA, PLD, AI Act) impose auditing the source to comply with certain public policy objectives. This requires to hire a team or a consulting firm, at a huge cost for an SME employing only a few employees.

Adding backdoors is also required for a cloud service (LPM, DSA, Chat Control), something that is not necessary for on-premise software. This requires to hire engineers.

It might also be wise to mitigate litigation risks by patent trolls now that the Unified Patent Court (UPC) is enforcing the most extreme doctrines on patentability of software. According to the Law, software can not be patented in Europe. But there are a lot of software patents that were granted using a legal trick that was ruled as "contra legem" in French courts. With the UPC, French courts rulings can be superseded, opening the door to constant litigation by patent trolls as it exists in the US. 

Regulation Status Action Time Cost Side effects
SecNumCloud Effective Hire a team of 3 and purchase services from cybersecurity firm to co
nduct qualification of the SaaS 
24m 1 M€ Innovation is slowed down by having to go through the qualification process again. Use of open source is discouraged by stronger code audit requirements in the qualification process. Exporting outside EU becomes more difficult due to fear from customers that they could be monitored.
CRA Planned Implement a legal traceability system and hire a cybersecurity firm to audit the software coe and process. 12m 50 K€ Use of open source is discouraged by stronger code audit requirements.
PLD Planned
AI Act Planned Hire a team of 2 to implement traceability and alignment of CRM AI model 12m 200 K€ Participation to open source development is slowed down or discouraged by the requirement to assess AI impact before any publication.
DSA Effective Add backdoors to the CRM 6m 50 K€ Exporting outside EU becomes more difficult due to fear from customers that they could be monitored.
LPM Effective
Chat Control Planned
SREN Planned Implement interoperability standard defined by goverment in addition to already available inteoperability standards present in the solution 12m 100 K€  
UPC Effective Face recurring litigations by patent trolls that enforce the EPC doctrine on software patents through the UPC despite this doctrine being ruled as "contra legem" by national courts. Hire engineers and patent attorneys to mitigate this risk. 12m 200K€  
Total     24m 1.6 M€  

Case Study: China

A company in China which creates a CRM software with AI and decides to propose it as a cloud service (SaaS) may have to spend 3 months and 25,000 euros to implement all regulations. 

In an effort to strengthen cybersecurity and protect sensitive data, the Chinese government has implemented regulatory measures for cloud service providers. These measures aim to ensure the security and compliance of cloud services in China while also facilitating market access for domestic enterprises.

As part of these regulations, a Chinese cloud service provider must initially obtain an ICP (Internet Content Provider) license, a mandatory requirement for companies operating within the country. The cost of this license does not exceed 60,000 RMB (8,000 euros). Following this, the cloud service provider must establish a proper Beian system for the client, connected to the local public authority platform, with the Beian system incurring a cost of 15,000 RMB (2,000 euros). Lastly, the provider must undergo security assessments and obtain rating reports, incurring a cost of around 100,000 RMB (15,000 euros).

Consequently, a local company seeking to provide a cloud service on public markets will need to invest approximately 25,000 euros, navigating through these regulatory requirements imposed by the Chinese government.

Regulation Status Action Time Cost Side effects
ICP license Effective Hire consulting firm 3m 8K  None
Beian system Effective Hire consulting firm 3m 2K None
Security and rating assessments Effective Hire consulting firm 3m 15K None
Total     3m 25k   

Case Study: U.S 

A company in the U.S which creates a CRM software with AI and decides to propose it as a cloud service (SaaS) has no national regulation to comply by. It will thus spend zero month and zero dollar to access the majority of the market.

Only providing a cloud service to the U.S Federal government, a tiny share of the cloud market in the U.S, requires spending at leasr 250,000 dollars to go through the Federal Risk and Authorization Management Program (FedRAMP). Like in the EU, this regulation contributes to the exclusion of smaller companies and the strengthening of dominant and financially strongers companies in the cloud market12. However, the cost of U.S Federal regulations are still three to four times lower European and French ones.

The U.S has now also committed itself to introducing more regulation in the name of a cybersecurity imperative. However, Mark Burgess has shown that adding bureaucratic procedures in the name of cybersecurity tends to hinder cybersecurity13. Bureaucracy encourages a preference for scrupulous monitoring of procedures put in place to the detriment of rapid reaction, which is key to neutralising a cyber attack. Furthermore, the lack of diversity for the resilience of cloud infrastructures was also pointed out by senior risk managers of top U.S financial institutions. According to them, "Tri-opoly of cloud vendors [AWS, Azure, GCP] “poses systemic risk”14

Regulation (majority) Status Action Time Cost Side effects
None     0m 0$  
Total     0m 0$  
Regulation (federal government) Status Action


Time Cost Side effects
FedRAMP Effective Hire one or two consultants specializing in FedRAMP compliance 6m 250 K$ uncertain
Total     6m 250 K$  



1.  (2022) EUCLIDIA demonstrates European resilient clouds backed by 100 European companies, Euclidia Publications.

2. (2021) Government of Greece and AWS sign Statement of Strategic Intent to accelerate the formation of regional space hub, Amazon. 

3. Grallet, G (2021) « Que la SNCF confie son cloud à Amazon est une hérésie »​​​​​​​, Le Point 

4. (2019) AWS IoT Helps Deutsche Bahn Improve Operational Efficiency across 6,500 trains and 37,000 miles of Track, Amazon

5. (2022) AU CNAM, un laboratoire virtuel au cœur de l’apprentissage immersif, Microsoft

6. (2022) Cyprus reaches for the cloud with AWS, Financial Mirror.​​​​​​​ 

7. Comune di Padova: Keeping local citizens informed in real time with Google Cloud, Google Cloud.

8. Swinhoe, D (2023) Microsoft's Italian Azure region to open soon​​​​​​​, DCD. 

9. University of Barcelona Institute of Cosmos Sciences: Unveiling the mysteries of our galaxy with Google Cloud, Google Cloud. 

10. OECD (2022), OECD Policy Framework on Digital Security​​​​​​​, OECD Publishing, Paris.

11. As cybersecurity expert Eric Filiol explained back in 2022, "The real problem - and it's a global hypocrisy - is that all systems are under attack because they use the same technologies"​​​​​​​. In Debey, A (2023) «La nouvelle loi européenne sur le numérique est un jeu de dupes irréalisable»​​​​​​​, L'Impertinent.

12. All-In-Podcast (2023) All-In Summit: Bill Gurley presents 2,851 Miles, Youtube

13. Burgess, M. and Debois, P. (2021) Promising Digital Risk Management: What not to do in Cybersecurity, XtAxis Press

14. Xiao, M (2023) Banks call for direct oversight of cloud providers by US regulators, Risk.net