TL;DR
A July 16, 2026 analysis by Thorsten Meyer AI finds that mainstream cloud certifications — ISO 27001, SOC 2, BSI C5, Gaia-X — verify security practice but not whether a foreign government can compel access to data. Only France’s SecNumCloud tests that, through a cap of 24% individual and 39% collective non-EU ownership. The proposed EU Cloud and AI Development Act could replace the badge system with four Union assurance levels.
An analysis published July 16, 2026 by Thorsten Meyer AI lays out a gap at the center of European cloud and AI procurement: the certifications vendors display most prominently — ISO 27001, SOC 2 Type II, BSI C5 and Gaia-X membership — are genuine, independently audited credentials, yet none of them answers the question that decides sovereign deals: can a foreign government compel access to the data. According to the report, exactly one European framework tests that question, and it does so not with a security control but with a number — the 24% ownership cap inside France’s SecNumCloud qualification.
SecNumCloud, the qualification issued by French cybersecurity agency ANSSI, requires that capital and voting rights held by companies not based in the EU stay below 24% individually and 39% collectively — a test the report describes as checkable directly from a cap table. The current version, v3.2, spans more than 360 criteria, roughly ten times the complexity of ISO 27001 by the analysis’s count, and adds EU domicile, EU-only storage and audited key custody. Only about nine or ten providers hold it, among them OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple.
The same arithmetic leaves AWS, Microsoft Azure and Google Cloud structurally ineligible in their native form, the report says. Among AI providers, it calculates that the merged Cohere–Aleph Alpha entity sits at roughly 90% Canadian ownership — about four times over the cap — while Mistral’s non-EU venture capital share has never been publicly tested. SecNumCloud does not ban American technology, the analysis adds; it forces a change of control over it, which is why S3NS pairs Thales with Google and Bleu pairs Capgemini and Orange on Azure.
The report draws a sharp line between disclosure and immunity. Germany’s BSI C5, the federal baseline since 2022, requires providers to declare their place of jurisdiction — buyers still document residual US CLOUD Act risk in their data protection impact assessments. SecNumCloud requires that no non-EU law reach the provider at all. Microsoft illustrated the gap in mid-2025: in May it said encryption made access ‘technically impossible,’ and roughly a month later conceded it could not guarantee immunity from US authorities, according to the report’s account.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why Ownership, Not Security Practice, Decides Deals
For buyers in regulated European industries — finance under DORA, healthcare, the public sector — the distinction is commercial, not academic. A vendor can pass every security audit and still be legally compellable by a foreign government, because those audits test how a company operates, not who controls it. The analysis argues that procurement teams relying on badges alone may be signing contracts that leave extraterritorial access risk unaddressed. It recommends six questions for any vendor, starting with the ultimate parent’s place of incorporation and the exact percentage of non-EU capital and voting rights; if a vendor cannot answer those two immediately, the report says, ‘the rest of the meeting is theatre.’ It also warns that sovereign infrastructure running beneath a non-EU-controlled SaaS layer does not amount to a sovereign stack.
ISO 27001 certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
How EUCS Lost Its Sovereignty Tier
The debate predates this report. The planned EU Cybersecurity Certification Scheme (EUCS) originally included a ‘High+’ sovereignty tier, but that layer was stripped out during drafting, leaving security levels without CLOUD Act immunity; the scheme remains unadopted. Gaia-X, the European data-infrastructure initiative, covers interoperability and declared policy rather than security audits — and counts AWS, Microsoft and Google among its members. The DORA regime designated critical third-party technology providers in November 2025, tightening oversight of hyperscalers without settling the jurisdiction question. France went furthest on its own: ANSSI’s qualification has become the de facto sovereignty benchmark, a position the proposed Cloud and AI Development Act now threatens to reorganize.
“Cybersecurity Act certification is not suited for addressing sovereignty concerns.”
— CADA draft recitals, COM(2026) 502
cloud security certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Untested Champions and an Unadopted Rulebook
Several points remain open. CADA is a proposal, not law, and EUCS is still unadopted; either could change shape before taking effect. The ownership questions raised about Mistral and other European AI champions are, in the report’s own framing, open questions drawn from public information, not findings of non-compliance. Critics also dispute the premise: the Cross-Border Data Forum and industry group CISPE have framed ownership caps as partly protectionist, an argument the analysis acknowledges helped kill the EUCS High+ tier. Whether the 24/39 thresholds survive contact with a Union-wide assurance system — or get diluted in the process — is not yet clear.
French SecNumCloud provider
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
CADA Levels and Joint ANSSI–BSI Criteria
The next milestone is legislative. The proposed Cloud and AI Development Act, COM(2026) 502, would create four Union assurance levels for public procurement. National labels would not be banned, but even a SecNumCloud-qualified provider would still need separate recognition under Article 17. In parallel, ANSSI and Germany’s BSI have jointly committed to common criteria specifying where failure is disqualifying. If CADA passes, the analysis concludes, the badge on a vendor’s website stops mattering and the assurance level starts — a shift it expects the market to be arguing about by 2027.
ownership cap compliance software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% rule?
It is SecNumCloud’s ownership test: capital and voting rights held by non-EU companies must stay below 24% for any single holder and 39% combined. The figures are verifiable from a provider’s cap table rather than through a technical audit.
Does SecNumCloud ban US technology?
No. It requires a change of control, not exclusion. Approved offerings such as S3NS (Thales with Google) and Bleu (Capgemini and Orange, built on Azure) run American technology inside EU-controlled structures.
Are ISO 27001 and SOC 2 useless for sovereignty?
They certify security practice — access controls, encryption, incident response — not jurisdiction. According to the analysis, they say nothing about whether a foreign government can compel access to data.
What is CADA?
The proposed Cloud and AI Development Act, COM(2026) 502, would set four Union assurance levels for public procurement. It remains a proposal and is not yet law.
What should buyers ask vendors first?
The report’s first two questions: who is the ultimate parent and where is it incorporated, and what percentage of capital and voting rights is held by non-EU entities. Vendors unable to answer immediately warrant caution.
Source: Thorsten Meyer AI