TL;DR

Nearly all major cloud certifications — ISO 27001, SOC 2, BSI C5, Gaia-X — verify security practice but never test whether a foreign government can compel access to customer data. Only France’s SecNumCloud framework tests that question directly, using an ownership cap: no more than 24% non-EU capital individually or 39% collectively. With the EU’s proposed Cloud and AI Development Act (CADA) set to replace badges with assurance levels in public procurement, buyers in regulated industries are being urged to ask vendors about ownership and jurisdiction, not certificates.

Every major certification a cloud vendor displays — ISO 27001, SOC 2 Type II, BSI C5, Gaia-X membership — can be real, independently audited, and still fail to answer the question that decides whether regulated European customers can store data with that vendor: can a foreign government compel access to it? According to an analysis published by Thorsten Meyer AI on 16 July 2026, exactly one European framework tests that question — France’s SecNumCloud — and it does so not with a security control but with a number: a 24% cap on non-EU ownership.

The distinction at the heart of the analysis divides certifications into two categories. ISO 27001, SOC 2, BSI C5, Gaia-X, and the draft EUCS certify practice — access controls, encryption, incident response, business continuity, audit trails. They ask whether a provider operates competently and securely. They say nothing about jurisdiction. Germany’s BSI C5, the federal baseline since 2022, comes closest: it requires disclosure of the provider’s place of jurisdiction and data location, meaning buyers must still document residual US CLOUD Act risk in their own data protection impact assessments.

SecNumCloud, administered by France’s cybersecurity agency ANSSI, is the outlier. Its version 3.2 framework imposes more than 360 criteria — including EU domicile, EU-only storage, and audited key custody — and caps capital and voting rights held by non-EU companies at 24% individually and 39% collectively. The result, per the analysis: OVHcloud, Outscale, Scaleway, Numspot, and Cloud Temple qualify; AWS, Microsoft Azure, and Google Cloud are structurally ineligible in their native form; and only roughly nine to ten providers hold the qualification at all. The US hyperscalers reach the French market only through structures that change control — S3NS (Thales plus Google) and Bleu (Capgemini plus Orange, built on Azure).

The analysis frames the difference bluntly: C5 tells you the gun is in the room by forcing jurisdiction disclosure; SecNumCloud requires there be no gun, enforced through the ownership cap. It also flags open questions from public information — the proposed Cohere–Aleph Alpha combination at roughly 90% Canadian ownership would sit about four times over the cap, while Mistral’s non-EU venture capital share has never been publicly tested against it.

At a glance
analysisWhen: published 16 July 2026; CADA remains a…
The developmentA widely shared industry analysis published 16 July 2026 lays out why nearly all ‘sovereign cloud’ certifications verify security practice but never test legal sovereignty — and why France’s SecNumCloud 24% ownership cap is the exception.
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Why Ownership Now Decides European Cloud Deals

For buyers in regulated European industries — finance, health, government — the gap between practice certifications and sovereignty testing has direct procurement consequences. A vendor can pass every security audit on offer and still be legally reachable by extraterritorial US law, because none of the mainstream frameworks test who ultimately controls the company. The analysis argues the word ‘sovereign’ has been marketed into meaninglessness, and that the only useful questions are arithmetic: who owns the provider, and what law reaches it.

The stakes extend to the European AI sector, where champions such as Mistral attract substantial non-EU investment that has not been publicly measured against the 24/39 thresholds. The analysis also acknowledges the counter-critique: the ownership-cap approach is partly protectionist — an argument credited with killing the proposed EUCS ‘High+’ sovereignty tier — and holds that both things can be true at once. For architects, one practical warning stands out: sovereign infrastructure running beneath a non-EU-controlled SaaS layer does not constitute a sovereign stack.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

How the Certification Landscape Got Here

The sovereignty debate sharpened in mid-2025, when Microsoft told customers in May that encryption made government access ‘technically impossible,’ then acknowledged roughly a month later that it could not guarantee immunity from US authorities — a gap the analysis describes as thirty days between the marketing and the law. Meanwhile, the EU-wide EUCS certification scheme has remained unadopted after its highest sovereignty tier was stripped from the draft, leaving SecNumCloud — around ten times the complexity of ISO 27001 — as the only framework that tests ownership. ANSSI and Germany’s BSI have jointly committed to developing common criteria specifying where failure is disqualifying.

What the Analysis Leaves Open

Several elements remain unresolved. The CADA proposal is not law, and its final shape — including how national labels like SecNumCloud would map to its Article 17 recognition — could change in the legislative process. EUCS remains unadopted, and whether a sovereignty tier is ever restored is unclear. The ownership questions raised about Mistral and the Cohere–Aleph Alpha combination are explicitly framed as open questions from public information, not assertions of non-compliance. The source material also stresses that none of this constitutes legal advice; buyers are directed to counsel for specific assessments.

CADA and the Shift From Badges to Assurance Levels

The next milestone is the fate of the proposed Cloud and AI Development Act (COM(2026) 502), which would establish four Union assurance levels for public procurement. If it passes, the analysis argues, the badge on a vendor’s website stops mattering and the assurance level takes over — though national labels would not be banned, and a SecNumCloud-qualified provider would still need separate recognition under the new framework. In parallel, the ANSSI–BSI joint work on common criteria is expected to specify where failure is disqualifying. The analysis predicts CADA will be the framework the industry is arguing about by 2027, and recommends buyers start asking vendors for their CADA recognition roadmap now.

Key Questions

What is the 24% rule in SecNumCloud?

SecNumCloud, France’s ANSSI-administered cloud qualification, requires that capital and voting rights held by non-EU companies not exceed 24% individually or 39% collectively. The threshold is checkable from a company’s capitalization table and is designed to prevent non-EU governments from compelling access to data through corporate control.

Does ISO 27001 or SOC 2 prove a cloud provider is sovereign?

No. ISO 27001 and SOC 2 certify security practice — controls, processes, and operations. They do not test jurisdiction or ownership, so they say nothing about whether a foreign government could compel access to your data.

Can AWS, Azure, or Google Cloud meet SecNumCloud requirements?

Not in their native form, because their non-EU ownership far exceeds the caps. They reach the French sovereign market through structures that change control, such as S3NS (Thales plus Google) and Bleu (Capgemini plus Orange on Azure).

What is CADA and why does it matter?

The proposed Cloud and AI Development Act (COM(2026) 502) would create four Union assurance levels for public procurement. Its recitals concede that existing cybersecurity certification is not suited for addressing sovereignty concerns. It is currently only a proposal, not law.

What should buyers ask cloud vendors about sovereignty?

The analysis recommends six questions, starting with: who is your ultimate parent and where is it incorporated, and what percentage of capital and voting rights is held by non-EU entities. Others cover written statements on extraterritorial law, key custody, which certifications test ownership versus practice, and the vendor’s CADA roadmap.

Source: Thorsten Meyer AI

Pet-care content is informational — consult your veterinarian for advice about your animal.
You May Also Like

HEPA Filters Explained: What They Do for Pet Owners (and What They Don’t)

Many pet owners wonder how HEPA filters improve air quality and what they can’t do, so discover the full story inside.

The Safety Card, Played From Every Side: David Sacks, Anthropic, and the Fable Standoff

David Sacks says a cyber jailbreak led to a Fable S ban; Anthropic says the flaw was minor. Key evidence remains non-public.

The Door: Why the Interface Is Worth More Than the Model

SpaceX’s reported $60B Cursor deal has sharpened the case that AI interfaces may control users, data and model routing.

Spotting Early Signs of Canine Parvovirus—A Vet’s Guide

I’m here to help you recognize the early signs of canine parvovirus before it becomes life-threatening; discover the crucial details to protect your dog.