TL;DR
A 16 July 2026 analysis by Thorsten Meyer AI argues that widely displayed cloud certifications — ISO 27001, SOC 2, BSI C5, Gaia-X — prove security practice but never test whether a foreign government can compel access to customer data. Only France’s SecNumCloud tests that question, via a 24% individual and 39% collective cap on non-EU capital and voting rights. The proposed Cloud and AI Development Act (CADA) could soon replace badge-based procurement with Union assurance levels.
An analysis published on 16 July 2026 by Thorsten Meyer AI argues that every compliance badge a European cloud vendor can display — ISO 27001, SOC 2 Type II, BSI C5, Gaia-X membership — is real, audited and correctly shown, yet none answers the question that decides regulated-industry deals: can a foreign government compel access to the data? According to the analysis, exactly one European framework tests that question, France’s SecNumCloud, and it does so not with a security control but with a number: 24%.
The SecNumCloud test is an ownership cap, not a technical control: capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively, checkable from a cap table. The analysis lists OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple as qualifying, while AWS, Microsoft Azure and Google Cloud are described as structurally ineligible in their native form. It calculates that the Cohere–Aleph Alpha combination sits at roughly 90% Canadian ownership, about four times over the cap, and notes that Mistral’s non-EU venture capital share has never been publicly tested — framing these as open questions from public information, not assertions of non-compliance.
The analysis sorts the certification alphabet into two piles. One pile certifies how a provider operates — access controls, encryption, incident response, audit trails. The other asks who ultimately controls the provider and which law can reach it. BSI C5, the German federal baseline since 2022, sits between the two: it requires disclosure of the place of jurisdiction but grants no immunity, meaning buyers still document residual CLOUD Act risk in their data protection impact assessments. The EUCS scheme, as drafted, had its “High+” sovereignty tier stripped out, so EUCS High does not equal CLOUD Act immunity either.
The analysis cites Microsoft’s own 2025 statements as the clearest illustration: in May 2025 the company said encryption made access “technically impossible”, and one month later acknowledged it could not guarantee immunity from US authorities. SecNumCloud, the analysis stresses, does not ban American technology — it forces a change of control over it, pointing to S3NS (Thales with Google) and Bleu (Capgemini with Orange, on Azure) as the resulting structures.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why Ownership Arithmetic Now Decides Cloud Deals
For buyers in regulated European sectors, the finding rearranges procurement. Treating ISO 27001 or a Gaia-X label as proof of sovereignty conflates competence with control, the analysis argues, and the gap is legal rather than technical: a perfectly audited provider can still be reachable by extraterritorial law. That is why SecNumCloud’s roughly 360-plus criteria — EU domicile, EU-only storage, audited key custody, the ownership cap — carry weight that no security audit can substitute, and why only around nine to ten providers hold the qualification.
The practical consequence is a due-diligence checklist. The analysis offers six questions for any vendor: who is the ultimate parent and where is it incorporated; will the provider state in writing that it is not subject to non-EU extraterritorial law; what percentage of capital and voting rights is held by non-EU entities; who holds the encryption keys and can they be compelled to produce them; which certifications test ownership versus practice; and what is the provider’s CADA recognition roadmap. If a vendor cannot answer the first and third immediately, it says, “the rest of the meeting is theatre.” It also warns buyers to check the stack: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The analysis is candid that the sovereignty push is partly protectionism — and notes that this critique is exactly why the EUCS High+ tier died. Its advice is to stop asking whether a provider is “sovereign”, a word it says has been marketed into meaninglessness, and instead ask the arithmetic: who owns you, and what law reaches you?
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The Certification Pile-Up Behind the Debate
European cloud buyers have spent years assembling compliance evidence from a growing set of frameworks. ISO 27001 and SOC 2 attest security practice and process. BSI C5 verifies implemented controls and requires jurisdiction disclosure. Gaia-X addresses interoperability and declared policies — and counts AWS, Azure and Google among its members. SecNumCloud, the ANSSI qualification now at version 3.2, is the outlier that puts the French state behind roughly ten times ISO 27001’s complexity.
The policy ground is shifting underneath all of them. The proposed Cloud and AI Development Act, COM(2026) 502, would set four Union assurance levels for public procurement, and its own recitals concede that Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels would not be banned, but even a SecNumCloud provider would still need separate Article 17 recognition. Meanwhile ANSSI and BSI have jointly committed to common criteria specifying where failure is disqualifying.
“Cybersecurity Act certification is not suited for addressing sovereignty concerns.”
— CADA recitals, COM(2026) 502
Untested Cap Tables and an Unadopted Rulebook
Almost every load-bearing element here is still provisional. CADA is a proposal, not law, and the EUCS scheme remains unadopted, so the framework that would replace badge-based procurement does not yet exist. The analysis itself flags that Mistral’s non-EU venture share has never been publicly tested, and presents its ownership questions — including for European champions “nobody has asked” — as open questions from public information, not findings of non-compliance. Whether SecNumCloud’s French qualification will map cleanly onto CADA’s Article 17 recognition, and how the protectionism critique shapes the final text, also remain open. The source material is explicit that none of this constitutes legal advice.
CADA’s Path and Joint ANSSI-BSI Criteria Ahead
The immediate milestone is the legislative progress of CADA, COM(2026) 502. If it passes, the badge on a vendor’s website stops mattering and the Union assurance level starts, with four levels governing public procurement. In parallel, ANSSI and BSI are due to deliver their jointly committed common criteria, specifying where failure is disqualifying — work that could effectively harmonize French and German sovereignty testing. Vendors selling into regulated European industries will need a credible CADA recognition roadmap, and buyers should expect ownership percentages to become a standard line item in cloud and AI negotiations. The analysis predicts the framework everyone will be arguing about by 2027 is not a certification at all.
Key Questions
What is the 24% rule in European cloud sovereignty?
It is SecNumCloud’s ownership cap: capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. It is the only certification criterion in Europe that tests whether a foreign government could compel access to a provider’s data, and it is checkable directly from a cap table.
Do ISO 27001, SOC 2 or BSI C5 certify that a provider is sovereign?
No, according to the analysis. These frameworks certify security practice and controls, not jurisdiction. BSI C5 goes furthest by requiring disclosure of the place of jurisdiction, but buyers must still document residual CLOUD Act risk themselves.
Can AWS, Microsoft Azure or Google Cloud qualify under SecNumCloud?
Not in their native structures — the analysis describes them as structurally ineligible due to non-EU ownership. The workarounds are changes of control: S3NS pairs Thales with Google, and Bleu pairs Capgemini with Orange on Azure.
What is the Cloud and AI Development Act (CADA)?
CADA, formally COM(2026) 502, is a proposed EU act that would create four Union assurance levels for public procurement of cloud and AI services. Its recitals state that Cybersecurity Act certification is not suited for addressing sovereignty concerns. It remains a proposal, not adopted law.
What should buyers ask cloud vendors about sovereignty?
The analysis recommends six questions covering the ultimate parent’s place of incorporation, a written statement on non-EU extraterritorial law exposure, the exact percentage of non-EU capital and voting rights, encryption key custody, which certifications test ownership versus practice, and the vendor’s CADA recognition roadmap.
Source: Thorsten Meyer AI