TL;DR
A July 2026 analysis by Thorsten Meyer AI argues that of all the certifications European cloud and AI vendors display, only France’s SecNumCloud tests actual sovereignty — via a 24% cap on individual non-EU ownership. ISO 27001, SOC 2, BSI C5, Gaia-X and the draft EUCS all certify security practice, not control. The debate matters now because the proposed Cloud and AI Development Act (CADA) would replace the badge patchwork with Union assurance levels for public procurement.
Of the certification badges European cloud and AI vendors display — ISO 27001, SOC 2, BSI C5, Gaia-X — only one framework tests the question that decides regulated-industry deals: whether a foreign government can compel access to customer data. That framework is France’s SecNumCloud, and it answers the question not with a security control but with a number: a 24% cap on individual non-EU ownership. That is the central argument of an analysis published 16 July 2026 by Thorsten Meyer AI, landing as EU lawmakers weigh the proposed Cloud and AI Development Act (CADA).
The SecNumCloud rule, per the qualification’s version 3.2 criteria, is blunt: capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively — checkable from a cap table. The qualification, backed by French cybersecurity agency ANSSI, runs to more than 360 criteria and also requires EU domicile, EU-only storage and audited key custody. Only about 9 to 10 providers hold it, among them OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. The analysis classifies AWS, Microsoft Azure and Google Cloud as structurally ineligible in their native form, and puts the Cohere–Aleph Alpha combination at roughly 90% Canadian ownership — about four times over the individual cap, based on public information.
Everything else, the analysis argues, certifies practice rather than ownership. ISO 27001 and SOC 2 test security controls and processes and say nothing about jurisdiction. Germany’s BSI C5, a federal baseline since 2022, requires disclosure of the place of jurisdiction — buyers must still document residual US CLOUD Act risk in their data protection impact assessments. Gaia-X covers interoperability and declared policy, and counts AWS, Azure and Google as members. The draft EU Cybersecurity Certification Scheme (EUCS) had its “High+” sovereignty tier stripped out, so even its highest remaining level does not confer CLOUD Act immunity. The analysis frames the difference plainly: C5 tells you which law reaches a provider; SecNumCloud requires that no non-EU law can reach it at all.
The analysis also cites Microsoft as the clearest illustration of the gap between marketing and law: in May 2025 the company said encryption made access to data “technically impossible”; roughly a month later it acknowledged it could not guarantee immunity from US authorities. SecNumCloud does not ban American technology — it forces a change of control over it, which is why structures such as S3NS (Thales with Google) and Bleu (Capgemini and Orange on Azure) exist.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why One Number Decides Regulated Cloud Deals
For buyers in regulated European industries — banking, health, defense, public administration — the distinction is not academic. A provider can pass every security audit on the market and still be legally reachable by a foreign government, and the buyer carries that residual risk into its own compliance filings. The analysis argues the word “sovereign” has been marketed into meaninglessness, and proposes six questions instead: who the ultimate parent is and where it is incorporated; whether the vendor will state in writing that it is not subject to non-EU extraterritorial law; what percentage of capital and voting rights non-EU entities hold; who holds the encryption keys and whether they can be compelled to produce them; which certifications test ownership versus practice; and what the vendor’s CADA recognition roadmap is. If a vendor cannot answer the parent-company and ownership questions immediately, the analysis says, “the rest of the meeting is theatre.” It also warns that sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack. The piece concedes the protectionism critique — advanced by groups such as the Cross-Border Data Forum — is partly valid, and notes that this same critique is why the EUCS High+ tier died.
SecNumCloud certification cloud provider
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
How Europe’s Certification Alphabet Soup Got Here
The current patchwork grew up alongside the 2018 US CLOUD Act, which lets American authorities compel US-controlled companies to produce data regardless of where it is stored. Europe’s answers split into two tracks. Security certifications — ISO 27001, SOC 2, and Germany’s C5 — matured first and test operational competence. Sovereignty instruments came later and proved harder: the EUCS sovereignty tier was removed during drafting, leaving the scheme unadopted and contested, while national labels such as SecNumCloud filled the gap. In November 2025, DORA-related designations of critical third-party providers added fresh pressure on financial-sector cloud sourcing. ANSSI and Germany’s BSI have since jointly committed to common criteria specifying where failure is disqualifying — an attempt to converge national approaches before Brussels imposes one.
“Cybersecurity Act certification is not suited for addressing sovereignty concerns.”
— Recitals of the proposed Cloud and AI Development Act, COM(2026) 502
EU sovereignty cloud server
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Open Questions Around Mistral, EUCS and CADA
Several key points remain unresolved. CADA is a proposal, not law, and its final text could change substantially. EUCS remains unadopted. Ownership questions in the analysis are framed as open questions from public information, not findings of non-compliance: Mistral AI’s non-EU venture capital share, for example, has never been publicly tested against the cap, and the analysis explicitly says the European champions “nobody has asked” deserve the same scrutiny applied to US hyperscalers. Whether national labels survive under a CADA regime is also unsettled — a SecNumCloud-qualified provider would still need separate recognition under Article 17, and how that process would work in practice is not yet defined.
European cloud security certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
CADA Negotiations and a Joint Rulebook Ahead
The next milestone is the legislative progress of CADA (COM(2026) 502), which would establish four Union assurance levels for public procurement. Its own recitals concede that Cybersecurity Act certification “is not suited for addressing sovereignty concerns” — language sovereignty advocates read as vindication. If the act passes, the badge on a vendor’s website stops being the deciding factor and the assurance level takes over, though national labels would not be banned outright. In parallel, the ANSSI–BSI joint work on common criteria is expected to define which failures are disqualifying, potentially creating a de facto European baseline before CADA lands. For buyers, the analysis’s advice is immediate rather than legislative: ask vendors for the ownership arithmetic — who owns them and what law reaches them — and check whether the answer sits above or below 24%.
cloud ownership cap compliance
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What exactly is the 24% rule?
It is SecNumCloud’s ownership test: capital and voting rights held by non-EU companies must not exceed 24% individually or 39% collectively. It is verifiable from a provider’s capitalization table and is designed to prevent a foreign government from compelling access through corporate control.
Does SecNumCloud ban American technology?
No. It forces a change of control over non-EU technology rather than excluding it. Structures such as S3NS (Thales with Google) and Bleu (Capgemini and Orange on Microsoft Azure) exist precisely so US technology can be delivered under EU-controlled ownership.
Is BSI C5 a sovereignty certification?
No. C5 verifies implemented security controls and requires disclosure of the place of jurisdiction, so buyers know which law reaches a provider — but the residual CLOUD Act risk still has to be documented in the buyer’s own data protection impact assessment. It discloses exposure; it does not remove it.
What would CADA change?
The proposed Cloud and AI Development Act would set four Union assurance levels for public procurement, shifting the deciding factor from vendor-displayed badges to a formal assurance level. National labels would not be banned, but a SecNumCloud provider would still need separate recognition under the act’s Article 17. CADA remains a proposal and could change.
Are Mistral AI or Cohere–Aleph Alpha compliant with the cap?
Unknown in Mistral’s case — its non-EU venture capital share has never been publicly tested against the 24% threshold. The analysis puts Cohere–Aleph Alpha at roughly 90% Canadian ownership based on public information, which would be about four times over the individual cap. These are open questions, not findings of non-compliance.
Source: Thorsten Meyer AI