TL;DR

A July 16, 2026 analysis by Thorsten Meyer AI finds that mainstream cloud certifications — ISO 27001, SOC 2, BSI C5, Gaia-X — verify security practice but not whether a foreign government can compel access to data. Only France’s SecNumCloud tests that, through a cap of 24% individual and 39% collective non-EU ownership. The proposed EU Cloud and AI Development Act could replace the badge system with four Union assurance levels.

An analysis published July 16, 2026 by Thorsten Meyer AI lays out a gap at the center of European cloud and AI procurement: the certifications vendors display most prominently — ISO 27001, SOC 2 Type II, BSI C5 and Gaia-X membership — are genuine, independently audited credentials, yet none of them answers the question that decides sovereign deals: can a foreign government compel access to the data. According to the report, exactly one European framework tests that question, and it does so not with a security control but with a number — the 24% ownership cap inside France’s SecNumCloud qualification.

SecNumCloud, the qualification issued by French cybersecurity agency ANSSI, requires that capital and voting rights held by companies not based in the EU stay below 24% individually and 39% collectively — a test the report describes as checkable directly from a cap table. The current version, v3.2, spans more than 360 criteria, roughly ten times the complexity of ISO 27001 by the analysis’s count, and adds EU domicile, EU-only storage and audited key custody. Only about nine or ten providers hold it, among them OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple.

The same arithmetic leaves AWS, Microsoft Azure and Google Cloud structurally ineligible in their native form, the report says. Among AI providers, it calculates that the merged Cohere–Aleph Alpha entity sits at roughly 90% Canadian ownership — about four times over the cap — while Mistral’s non-EU venture capital share has never been publicly tested. SecNumCloud does not ban American technology, the analysis adds; it forces a change of control over it, which is why S3NS pairs Thales with Google and Bleu pairs Capgemini and Orange on Azure.

The report draws a sharp line between disclosure and immunity. Germany’s BSI C5, the federal baseline since 2022, requires providers to declare their place of jurisdiction — buyers still document residual US CLOUD Act risk in their data protection impact assessments. SecNumCloud requires that no non-EU law reach the provider at all. Microsoft illustrated the gap in mid-2025: in May it said encryption made access ‘technically impossible,’ and roughly a month later conceded it could not guarantee immunity from US authorities, according to the report’s account.

At a glance
analysisWhen: analysis published July 16, 2026; CADA…
The developmentA July 16, 2026 analysis from Thorsten Meyer AI details why mainstream cloud and AI certifications fail to test foreign-government access risk — and why France’s SecNumCloud 24% ownership cap is the only European check that does.
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Why Ownership, Not Security Practice, Decides Deals

For buyers in regulated European industries — finance under DORA, healthcare, the public sector — the distinction is commercial, not academic. A vendor can pass every security audit and still be legally compellable by a foreign government, because those audits test how a company operates, not who controls it. The analysis argues that procurement teams relying on badges alone may be signing contracts that leave extraterritorial access risk unaddressed. It recommends six questions for any vendor, starting with the ultimate parent’s place of incorporation and the exact percentage of non-EU capital and voting rights; if a vendor cannot answer those two immediately, the report says, ‘the rest of the meeting is theatre.’ It also warns that sovereign infrastructure running beneath a non-EU-controlled SaaS layer does not amount to a sovereign stack.

Amazon

ISO 27001 certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

How EUCS Lost Its Sovereignty Tier

The debate predates this report. The planned EU Cybersecurity Certification Scheme (EUCS) originally included a ‘High+’ sovereignty tier, but that layer was stripped out during drafting, leaving security levels without CLOUD Act immunity; the scheme remains unadopted. Gaia-X, the European data-infrastructure initiative, covers interoperability and declared policy rather than security audits — and counts AWS, Microsoft and Google among its members. The DORA regime designated critical third-party technology providers in November 2025, tightening oversight of hyperscalers without settling the jurisdiction question. France went furthest on its own: ANSSI’s qualification has become the de facto sovereignty benchmark, a position the proposed Cloud and AI Development Act now threatens to reorganize.

“Cybersecurity Act certification is not suited for addressing sovereignty concerns.”

— CADA draft recitals, COM(2026) 502

Amazon

cloud security certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Untested Champions and an Unadopted Rulebook

Several points remain open. CADA is a proposal, not law, and EUCS is still unadopted; either could change shape before taking effect. The ownership questions raised about Mistral and other European AI champions are, in the report’s own framing, open questions drawn from public information, not findings of non-compliance. Critics also dispute the premise: the Cross-Border Data Forum and industry group CISPE have framed ownership caps as partly protectionist, an argument the analysis acknowledges helped kill the EUCS High+ tier. Whether the 24/39 thresholds survive contact with a Union-wide assurance system — or get diluted in the process — is not yet clear.

Amazon

French SecNumCloud provider

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

CADA Levels and Joint ANSSI–BSI Criteria

The next milestone is legislative. The proposed Cloud and AI Development Act, COM(2026) 502, would create four Union assurance levels for public procurement. National labels would not be banned, but even a SecNumCloud-qualified provider would still need separate recognition under Article 17. In parallel, ANSSI and Germany’s BSI have jointly committed to common criteria specifying where failure is disqualifying. If CADA passes, the analysis concludes, the badge on a vendor’s website stops mattering and the assurance level starts — a shift it expects the market to be arguing about by 2027.

Amazon

ownership cap compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% rule?

It is SecNumCloud’s ownership test: capital and voting rights held by non-EU companies must stay below 24% for any single holder and 39% combined. The figures are verifiable from a provider’s cap table rather than through a technical audit.

Does SecNumCloud ban US technology?

No. It requires a change of control, not exclusion. Approved offerings such as S3NS (Thales with Google) and Bleu (Capgemini and Orange, built on Azure) run American technology inside EU-controlled structures.

Are ISO 27001 and SOC 2 useless for sovereignty?

They certify security practice — access controls, encryption, incident response — not jurisdiction. According to the analysis, they say nothing about whether a foreign government can compel access to data.

What is CADA?

The proposed Cloud and AI Development Act, COM(2026) 502, would set four Union assurance levels for public procurement. It remains a proposal and is not yet law.

What should buyers ask vendors first?

The report’s first two questions: who is the ultimate parent and where is it incorporated, and what percentage of capital and voting rights is held by non-EU entities. Vendors unable to answer immediately warrant caution.

Source: Thorsten Meyer AI

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

Can Manus AI Be the Ultimate Bridge Between Human Minds and AI?

Beneath the surface of Manus AI lies the potential to revolutionize human creativity and collaboration, but what challenges await this new frontier?

Trump says U.S., Iran ‘very close’ to deal and urges calm after Israeli strikes

Trump states the U.S. and Iran are ‘very close’ to reaching a deal and urges calm following recent Israeli military actions. Details are still emerging.

Countering Sovereignty: The Case For Prioritizing AI Model Effectiveness

Thorsten Meyer AI says most companies should favor model performance over costly sovereign AI infrastructure unless law requires it.

China Economic Data Surprises on the Downside, HSBC Says

China’s economic growth slowed in April, with investment falling and retail sales barely rising, according to HSBC. The data signals potential headwinds for the world’s second-largest economy.