TL;DR
A new analysis argues that every mainstream cloud security certification — ISO 27001, SOC 2, BSI C5, Gaia-X — tests how a provider operates, not who controls it or which government can compel access to its data. Only France’s SecNumCloud tests that, via a 24% cap on non-EU ownership. The proposed EU Cloud and AI Development Act could make sovereignty assurance levels, not vendor badges, the deciding standard by 2027.
Every security badge a cloud vendor can show a European buyer — ISO 27001, SOC 2 Type II, BSI C5, Gaia-X membership — can be real, independently audited and correctly displayed, yet none of them answers the question that decides regulated deals: can a foreign government compel access to the data? That is the finding of an analysis published 16 July 2026 by Thorsten Meyer AI, which argues that exactly one European framework tests that question — France’s SecNumCloud — and it does so not with a security control but with a number: a 24% cap on non-EU ownership.
Under SecNumCloud version 3.2, issued by French cybersecurity agency ANSSI, capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. The rule is checkable from a cap table, and it sits alongside more than 360 criteria covering EU domicile, EU-only storage and audited key custody. Only around nine or ten providers hold the qualification, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple.
According to the analysis, AWS, Microsoft Azure and Google Cloud are structurally ineligible in their native form because of their US parentage. The merged Cohere–Aleph Alpha entity sits at roughly 90% Canadian ownership — about four times over the individual cap — while the non-EU venture share in French AI champion Mistral has never been publicly tested against the threshold.
The analysis draws a sharp line between disclosure and immunity. Germany’s BSI C5, the federal baseline since 2022, requires providers to declare which jurisdiction’s law reaches them — buyers must still document residual US CLOUD Act risk in their data protection impact assessments. The drafted EUCS scheme had its ‘High+’ sovereignty tier stripped out before adoption. As the analysis puts it: C5 tells you the gun is in the room; SecNumCloud requires there be no gun.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why One Number Now Decides European Cloud Deals
For buyers in regulated European industries — finance, health, public administration — the distinction is commercial, not academic. A provider can pass every audit of its security practice while remaining subject to extraterritorial laws like the CLOUD Act, which can compel US-controlled companies to produce data regardless of where it is stored. Certifications answer ‘do you run this competently?’; sovereignty asks ‘who ultimately controls you, and what law can reach you?’
Microsoft illustrated the gap better than any critic, the analysis notes. In May 2025 the company said encryption rendered outside access ‘technically impossible’; roughly one month later it acknowledged under oath in France that it cannot guarantee immunity from US authorities. The episode hardened procurement thinking across the continent.
The rule does not ban American technology — it forces a change of control over it. That is why structures such as S3NS (Thales with Google) and Bleu (Capgemini and Orange running on Azure) exist: joint ventures engineered to bring ownership below the cap.
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The Certification Pile-Up Behind the Sovereignty Fight
Europe’s cloud assurance landscape sorted into two piles over the past decade, the analysis explains. The first certifies practice: ISO 27001, SOC 2, BSI C5 and most of the drafted EUCS test access controls, encryption, incident response and audit trails. The second — a pile of one — tests ownership. Gaia-X, often mistaken for a sovereignty label, is an interoperability and portability initiative whose members include AWS, Azure and Google.
The EU’s attempt at a unified scheme, EUCS, lost its highest sovereignty tier after sustained criticism — including from the Cross-Border Data Forum — that ownership requirements amounted to protectionism. The analysis concedes the point partly stands: SecNumCloud is partly protectionist, and that critique is exactly why EUCS High+ died. Both things, it argues, are true at once.
“Cybersecurity Act certification is not suited for addressing sovereignty concerns.”
— European Commission, CADA draft recitals (COM(2026) 502)
cloud security compliance tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Untested Ownership and an Unadopted Rulebook
CADA is only a proposal, and the EUCS remains unadopted; neither framework currently binds procurement. Whether national labels like SecNumCloud would survive intact is unclear — the draft would not ban them, but a SecNumCloud-qualified provider would still need separate recognition under the act’s Article 17.
The ownership questions raised around individual companies are open questions drawn from public information, not assertions of non-compliance. Mistral’s non-EU venture share, for example, has never been formally tested against the cap. And the analysis itself carries a caveat: none of this is legal advice.
data sovereignty testing software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
CADA’s Assurance Levels and the 2027 Rulebook Fight
The proposed Cloud and AI Development Act would set four Union assurance levels for public procurement. If it passes, the badge on a vendor’s website stops mattering and the assurance level starts — making CADA, the analysis predicts, the framework everyone will be arguing about by 2027. In parallel, ANSSI and Germany’s BSI have jointly committed to common criteria specifying where failure is disqualifying.
For buyers acting now, the analysis offers six questions, led by two it says end meetings when unanswered: who is your ultimate parent and where is it incorporated, and what percentage of capital and voting rights is held by non-EU entities? It also warns that sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack — the check applies at every layer.
EU cloud provider security certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% rule?
It is SecNumCloud’s ownership test: capital and voting rights held by non-EU companies must not exceed 24% for any single entity or 39% in aggregate. The rule is designed so that no non-EU government can compel a qualified provider through corporate control.
Which providers currently hold SecNumCloud qualification?
Roughly nine or ten providers, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. AWS, Azure and Google Cloud are structurally ineligible in their native form, which is why joint ventures like S3NS and Bleu were created.
Does ISO 27001 or BSI C5 protect against the US CLOUD Act?
No. Both certify security practice, not jurisdiction. C5 requires providers to disclose which laws reach them, but buyers must still record residual CLOUD Act exposure in their data protection impact assessments.
What is CADA and when could it take effect?
The Cloud and AI Development Act (COM(2026) 502) is a proposed EU law creating four Union assurance levels for public procurement. It has not been adopted; there is no confirmed date, though the analysis expects it to dominate debate by 2027.
Is SecNumCloud protectionism?
Partly, the analysis concedes — that same critique killed the EUCS ‘High+’ sovereignty tier. But it argues the ownership cap also answers a real legal exposure that no security audit addresses. Both things, it says, are true.
Source: Thorsten Meyer AI