TL;DR
An analysis published 16 July 2026 by Thorsten Meyer AI argues that the certifications cloud and AI vendors commonly display — ISO 27001, SOC 2, BSI C5, Gaia-X — test security practice, not ownership, and so cannot answer whether a foreign government can compel access to customer data. Only France’s SecNumCloud framework tests that question, via a cap limiting non-EU capital and voting rights to 24% individually and 39% collectively, a threshold that excludes AWS, Azure and Google Cloud in their native form. The proposed Cloud and AI Development Act (COM(2026) 502) could soon replace national badges with Union-wide assurance levels.
The security badges that cloud and AI vendors most often display in Europe — ISO 27001, SOC 2 Type II, BSI C5 and Gaia-X membership — do not answer the question that decides whether a regulated organisation can place data with a provider: can a foreign government compel access to it? That is the central finding of an analysis published 16 July 2026 by Thorsten Meyer AI, which argues that exactly one European framework tests that question, and it does so with a number rather than a security control: under France’s SecNumCloud qualification, capital and voting rights held by non-EU companies must not exceed 24% individually or 39% collectively — a threshold that leaves AWS, Microsoft Azure and Google Cloud structurally ineligible in their native form.
The report sorts the certification landscape into two categories. The first — ISO 27001, SOC 2, BSI C5 and, in its current draft, the EUCS — certifies practice: access controls, encryption, incident response, business continuity and audit trails. Germany’s BSI C5 goes furthest in this group by requiring disclosure of the provider’s place of jurisdiction, but it confers no immunity; buyers must still document residual US CLOUD Act risk in their data protection impact assessments. Gaia-X, the report notes, is an interoperability and policy initiative, not a security audit, and counts AWS, Azure and Google among its members. The EUCS scheme’s proposed “High+” sovereignty tier was stripped during drafting, so even a future EUCS High label would not equal CLOUD Act immunity.
The second category contains one entry. SecNumCloud version 3.2, backed by France’s ANSSI, applies more than 360 criteria covering EU domicile, EU-only storage, audited key custody and the 24/39 ownership cap — a test the report describes as checkable directly from a capitalisation table. Only around nine to ten providers hold the qualification, among them OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. The framework does not ban American technology; it forces a change of control over it, which is why structures such as S3NS (Thales with Google) and Bleu (Capgemini and Orange on Azure) exist.
The analysis points to Microsoft as the clearest illustration of the gap between marketing and law. In May 2025, the company said encryption made outside access “technically impossible”; roughly one month later, it acknowledged it could not guarantee immunity from US authorities. Thirty days separated the two statements, the report notes.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why Ownership, Not Badges, Decides These Deals
For buyers in regulated European industries — finance, health, the public sector — the distinction is commercial, not academic. A provider can pass every security audit on offer and still sit under a parent company subject to non-EU extraterritorial law, meaning the audit says nothing about whether customer data can be compelled. The report frames this as arithmetic: not “is this provider sovereign?” — a word it argues has been marketed into meaninglessness — but “who owns you, and what law reaches you?“
The practical consequence falls on procurement teams. The analysis recommends six questions for any vendor, starting with the identity and incorporation of the ultimate parent company and the exact percentage of capital and voting rights held by non-EU entities; if a vendor cannot answer those two immediately, it argues, “the rest of the meeting is theatre.” It also warns buyers to check the full stack: sovereign infrastructure running under a non-EU-controlled SaaS layer is not, on this test, a sovereign stack.

Providing Assurance to Cloud Computing through ISO 27001 Certification: How Much Cloud is Secured After Implementing Information Security Standards
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
How SecNumCloud Became the Sovereignty Benchmark
SecNumCloud originated with ANSSI, France’s cybersecurity agency, and its qualification carries French state backing — a status the report contrasts with the voluntary, practice-based audits that dominate vendor marketing. BSI C5 has been the German federal baseline since 2022, while the EU-wide EUCS scheme remains unadopted after its sovereignty tier was removed — a deletion the report links directly to the long-running protectionism critique levelled at European cloud rules, including by groups such as the Cross-Border Data Forum. “Is it also protectionism? Partly, yes,” the analysis concedes, adding that both things can be true at once.
Attention is now shifting from certifications to legislation. The proposed Cloud and AI Development Act, COM(2026) 502, would establish four Union assurance levels for public procurement, and ANSSI and Germany’s BSI have jointly committed to developing common criteria specifying where failure is disqualifying.
“Certifications prove practice. Only one of them tests ownership.”
— Thorsten Meyer AI, “The 24% Rule”

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Open Questions Around Europe’s AI Champions
The ownership test cuts into uncomfortable territory, and the source is explicit that these are open questions drawn from public information, not assertions of non-compliance. The combined Cohere–Aleph Alpha entity is described as roughly 90% Canadian-owned — about four times over the individual cap — while Mistral’s non-EU venture capital share has never been publicly tested against the threshold. Neither company’s current cap-table position has been formally assessed against SecNumCloud criteria.
The legal landscape is equally unsettled. CADA is a proposal, not law, and its final scope, assurance levels and timetable could change in negotiation. The EUCS remains unadopted, and whether its stripped-down “High” level regains any sovereignty component is unresolved. The report also stresses that its reading is not legal advice and that buyers should obtain counsel before acting on it.
France SecNumCloud certification products
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
CADA Could Replace Badges With Assurance Levels
The next milestone is the legislative path of COM(2026) 502. If adopted, the badge on a vendor’s website would stop being the deciding artefact and the assigned Union assurance level would take its place in public procurement. National labels would not be banned, but even a SecNumCloud-qualified provider would still need separate recognition under Article 17, according to the report — meaning today’s gold standard would not automatically convert.
In parallel, the ANSSI–BSI joint work on common criteria is expected to define which failures are disqualifying across borders, and vendors selling into regulated European sectors will face growing pressure to publish a credible CADA recognition roadmap. The report’s prediction is blunt: by 2027, the framework the market argues about will not be a certification at all.

Magicmoon 15.6" Privacy Filter Screen Protector, Anti-Spy/Glare Film for 15.6 inch 1920 x 1080 Resolution Widescreen Notebook Laptop with 16:9 Aspect Ratio (Not for 16:10) (Touch Screen Not Compatible)
Compatible Models: Width: 13 9/16" (13.5 inch/344 mm), Height: 7 5/8" (7.6 inch/194 mm), Diagonal: 15.6" (396.24 mm)…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% rule?
It is the ownership test inside France’s SecNumCloud v3.2 qualification: capital and voting rights held by companies based outside the EU must not exceed 24% individually or 39% collectively. The idea is that below those thresholds, no non-EU owner can control the provider, so no non-EU law — such as the US CLOUD Act — can reach customer data through the ownership chain.
Do ISO 27001 or SOC 2 prove a provider is sovereign?
No, according to the analysis. Those certifications test security practice — controls, encryption, incident response and continuity — but say nothing about ownership or jurisdiction. A fully certified provider can still have a non-EU parent subject to extraterritorial law.
Which providers currently hold SecNumCloud qualification?
Only around nine to ten providers, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple, per ANSSI’s qualified-provider catalogue as cited in the report. AWS, Azure and Google Cloud are described as structurally ineligible in their native form, participating instead through controlled ventures such as S3NS (Thales with Google) and Bleu (Capgemini and Orange on Azure).
Does SecNumCloud ban American technology?
No. It requires a change of control over that technology rather than its exclusion — which is why joint structures pairing US platforms with European majority ownership exist. The report acknowledges a protectionism critique of this approach but notes the ownership test itself is checkable from a cap table.
What is the Cloud and AI Development Act (CADA)?
A proposed EU regulation, COM(2026) 502, that would set four Union assurance levels for public procurement of cloud and AI services. Its recitals state that existing Cybersecurity Act certification is “not suited for addressing sovereignty concerns.” It is not yet law, and even SecNumCloud providers would need separate recognition under its Article 17 if adopted.
Source: Thorsten Meyer AI