TL;DR

An analysis published 16 July 2026 by Thorsten Meyer AI argues that mainstream certifications such as ISO 27001, SOC 2, BSI C5 and Gaia-X test security practice but not ownership, leaving unanswered whether a foreign government can compel access to customer data. Only France’s SecNumCloud framework, which caps non-EU ownership at 24% individually and 39% collectively, tests that question. The proposed Cloud and AI Development Act (CADA) would replace the badge system with four Union assurance levels for public procurement.

Of every certification badge a European cloud or AI vendor can display, only one tests the question that decides regulated-industry deals — whether a foreign government can compel access to customer data — and it does so with a number: a 24% cap on non-EU ownership, according to an analysis published 16 July 2026 by Thorsten Meyer AI. The report argues that widely held credentials such as ISO 27001, SOC 2, BSI C5 and Gaia-X certify how a provider operates, not who controls it — a gap that matters now because the European Commission’s proposed Cloud and AI Development Act (CADA) would push those badges aside in public procurement.

The framework at the center of the argument is SecNumCloud, the qualification issued by France’s cybersecurity agency ANSSI. Version 3.2 imposes more than 360 criteria, including EU domicile, EU-only storage and audited key custody. Its sovereignty test is an ownership rule: capital and voting rights held by companies based outside the EU must not exceed 24% individually or 39% collectively. According to the analysis, only about nine or ten providers hold the qualification, among them OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. AWS, Microsoft Azure and Google Cloud are structurally ineligible in their native form. The report places the Cohere–Aleph Alpha combination at roughly 90% Canadian ownership, about four times over the cap, and notes that Mistral’s non-EU venture capital share has never been publicly tested.

The other major labels fall short of that test, the analysis says. ISO 27001 and SOC 2 certify security practice — access controls, encryption, incident response — without touching jurisdiction. Germany’s BSI C5, the federal baseline since 2022, requires disclosure of the provider’s place of jurisdiction, so buyers still document residual US CLOUD Act exposure in their data protection impact assessments. Gaia-X addresses interoperability and portability, counts AWS, Azure and Google among its members, and is not a security audit. The draft EUCS scheme sets three security levels, but its “High+” sovereignty tier was stripped out during negotiations.

The proposed CADA regulation, COM(2026) 502, would set four Union assurance levels for public procurement. Its own recitals concede that Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels would not be banned, but a SecNumCloud-qualified provider would still need separate recognition under Article 17. ANSSI and BSI have also jointly committed to common criteria specifying where failure is disqualifying.

At a glance
analysisWhen: analysis published 16 July 2026; CADA r…
The developmentA 16 July 2026 analysis by Thorsten Meyer AI contends that of all European cloud certifications, only SecNumCloud’s 24% ownership cap tests whether foreign law can reach customer data, just as the proposed CADA regulation threatens to make existing vendor badges irrelevant.
Top Steam deals right now
Warhammer 40,000: Space Marine 2-70%$17.99
Grand Theft Auto V Enhanced-50%$14.99
Grand Theft Auto V Enhanced-50%$14.99
Gamble With Your Friends-38%$4.95
Palworld-30%$20.99
PowerWash Simulator 2-25%$18.74
DELTARUNE-20%$19.99
Burglin’ Gnomes-20%$7.99
Live · Steam store (current discounts)
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Why the Ownership Question Decides European Deals

For buyers in regulated European industries — finance under DORA, healthcare, public administration — the distinction is practical, not academic. A certification can confirm that a provider runs competently while saying nothing about whether a foreign court or intelligence law can reach the data it holds. The analysis frames the gap bluntly: BSI C5 tells you which law reaches your provider; SecNumCloud requires that no non-EU law can reach it at all.

Microsoft illustrated the gap better than any critic, the report says. In May 2025 the company suggested encryption made access “technically impossible”; roughly a month later it acknowledged it could not guarantee immunity from US authorities. The report also stresses that SecNumCloud does not ban American technology — it forces a change of control over it, which is why S3NS pairs Thales with Google and Bleu pairs Capgemini and Orange on Azure. The protectionism critique, raised by groups such as the Cross-Border Data Forum, is partly fair, the analysis concedes, and is exactly why the EUCS “High+” tier died.

Amazon

EU cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

How Europe’s Cloud Labels Split Into Two Camps

European cloud assurance has accumulated an alphabet soup of labels over the past decade. ISO 27001 and SOC 2 spread from the security industry; BSI C5 became Germany’s federal baseline in 2022; Gaia-X emerged as a policy-driven interoperability project. All of them, in the analysis’s framing, ask “do you run this competently and securely?” SecNumCloud asks a different question: “who ultimately controls you, and what law can reach you?” It is roughly ten times the complexity of ISO 27001, which helps explain the small number of qualified providers.

The EU-wide attempt to harmonize cloud certification, EUCS, remains unadopted after its sovereignty tier was removed under pressure from member states and industry. Meanwhile the DORA CTPP designations of November 2025 put large cloud providers under direct financial-sector oversight, sharpening the procurement stakes. Against that backdrop, the Commission tabled CADA in 2026 as a dedicated cloud and AI rulebook rather than another certification scheme.

“is not suited for addressing sovereignty concerns”

— CADA proposal recitals, COM(2026) 502

Untested Ownership and an Unadopted Rulebook

Several points in the debate remain open. The ownership positions of some European AI champions, including Mistral, have never been publicly tested against the 24% threshold; the analysis presents these as open questions drawn from public information, not assertions of non-compliance. The exact count of SecNumCloud-qualified providers is small and shifts as the catalogue is updated. And the political fate of both CADA and EUCS is unresolved — one is a proposal, the other unadopted — so the framework that will govern procurement after 2027 is not yet settled law.

CADA’s Fate and Six Questions for Vendors

The immediate milestone is the legislative progress of CADA. If it passes, the badge on a vendor’s website stops mattering and its Union assurance level starts — though SecNumCloud providers would still need Article 17 recognition. The joint ANSSI–BSI common criteria work is the other process to watch, since it will define where failure is disqualifying across two of Europe’s largest markets.

For buyers, the analysis distills the due diligence into six questions:

  • Who is your ultimate parent, and where is it incorporated?
  • Will you state in writing that you are not subject to non-EU extraterritorial law?
  • What percentage of capital and voting rights is held by non-EU entities?
  • Who holds the keys, and can you be compelled to produce them?
  • Which of your certifications tests ownership, and which tests practice?
  • What is your CADA recognition roadmap?

The report’s closing advice: check the whole stack, because sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.

Key Questions

What is the 24% rule in European cloud certification?

It is SecNumCloud’s ownership test: capital and voting rights held by non-EU companies must not exceed 24% individually or 39% collectively. Because control tracks ownership, the cap is designed to keep non-EU extraterritorial law — such as the US CLOUD Act — from reaching certified providers, and it can be checked directly from a cap table.

Which providers currently meet the SecNumCloud sovereignty test?

Only about nine or ten providers hold the qualification, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. AWS, Microsoft Azure and Google Cloud are structurally ineligible in their native form, which is why they participate through controlled joint ventures such as S3NS (Thales and Google) and Bleu (Capgemini and Orange on Azure).

Does ISO 27001 or BSI C5 protect data from the US CLOUD Act?

No. ISO 27001 and SOC 2 certify security practice, not jurisdiction. BSI C5 requires providers to disclose their place of jurisdiction, so buyers must still document residual CLOUD Act risk in their data protection impact assessments. Only SecNumCloud’s ownership cap is designed to make non-EU legal reach structurally impossible.

What is CADA and when could it take effect?

The Cloud and AI Development Act, COM(2026) 502, is a European Commission proposal that would create four Union assurance levels for public procurement. It is still a proposal, so there is no confirmed start date; if adopted, assurance levels would matter more than vendor badges, though SecNumCloud providers would still need separate Article 17 recognition.

Does SecNumCloud ban American technology?

No. According to the analysis, it forces a change of control over non-EU technology rather than banning it — which is why qualified offerings exist that run on Google and Microsoft stacks through European-controlled entities. The report concedes the framework is partly protectionist, a critique that contributed to the removal of the EUCS “High+” sovereignty tier.

Source: Thorsten Meyer AI

You May Also Like

US Election 2028: Republican Candidate Predictions & Tips

Predictions for the Republican presidential candidate in 2028 are emerging based on Google Trends data, with early tips and potential front-runners.

Ocean Cleanup Targets Plastic Trash In Southern California

Ocean Cleanup has deployed a new trash collection system at Bollona Creek, aiming to reduce plastic pollution before it reaches the ocean in Southern California.

Jeff Goldblum Dreams Up an Old Hollywood-Inspired Guesthouse to Match His Eccentric Taste

Actor Jeff Goldblum transforms his outdated guesthouse into a vibrant, Hollywood-inspired space, blending vintage charm with modern design.

Water cannon fired as crowds face off against police near Belfast

Police deployed water cannon during violent clashes with protesters near Belfast, after unrest triggered by recent violence and social tensions.