TL;DR
A widely circulated analysis published on 16 July 2026 argues that mainstream cloud certifications such as ISO 27001, SOC 2 and BSI C5 verify security practice but not ownership — and that only France’s SecNumCloud framework tests whether a foreign government could compel access to data, via a cap limiting non-EU capital and voting rights to 24% individually and 39% collectively. The proposed EU Cloud and AI Development Act (CADA) could soon replace national badges with Union-wide assurance levels, though it remains only a draft.
A new analysis published on 16 July 2026 by Thorsten Meyer AI argues that nearly every certification badge cloud and AI vendors display — ISO 27001, SOC 2 Type II, BSI C5, Gaia-X membership — verifies how a provider operates, but none of them answer the question that decides regulated European deals: can a foreign government compel access to the data? According to the report, exactly one European framework tests that question, and it does so with a number: 24%.
The number comes from SecNumCloud, the French security qualification backed by national cybersecurity agency ANSSI. Under version 3.2 of its rules, capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively — a check the report notes can be run directly from a company’s capitalization table. The framework carries more than 360 criteria, requires EU domicile, EU-only storage and audited key custody, and only around nine to ten providers currently hold it, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple, according to ANSSI’s qualified-provider catalogue.
By contrast, the report states that AWS, Microsoft Azure and Google Cloud are structurally ineligible in their native form because of their US ownership, and that the Cohere–Aleph Alpha combination, at roughly 90% Canadian ownership, sits about four times over the individual cap. The analysis separates other schemes by what they test: ISO 27001 and SOC 2 audit security controls and processes; Germany’s BSI C5, the federal baseline since 2022, requires disclosure of the place of jurisdiction but offers no immunity from extraterritorial law; Gaia-X addresses interoperability and is not a security audit; and the draft EUCS scheme had its ‘High+’ sovereignty tier stripped out during negotiations.
The report cites Microsoft’s own statements as the clearest illustration of the gap: in May 2025 the company said encryption made access to certain data ‘technically impossible,’ and roughly one month later acknowledged it could not guarantee immunity from US authorities.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why Ownership, Not Security Practice, Decides These Deals
For buyers in regulated European sectors — finance, health, public administration — the distinction determines whether a contract is legally defensible. The report’s framing is blunt: certifications prove practice, while only one tests ownership. A provider can pass every security audit and still be reachable by extraterritorial legislation such as the US CLOUD Act, a residual risk that buyers must still document in their data protection impact assessments even under Germany’s C5 scheme.
The ownership test has also reshaped the market rather than excluding American technology. SecNumCloud does not ban US platforms; it forces a change of control over them. That is why S3NS pairs Thales with Google and Bleu combines Capgemini and Orange on Microsoft Azure, according to the report. The analysis also warns buyers to check the full stack: sovereign infrastructure underneath a non-EU-controlled software layer is not a sovereign stack. For procurement teams, the practical consequence is a short list of questions — ultimate parent, non-EU capital share, key custody — that determine whether the rest of a vendor meeting matters at all.
EU cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
How Europe’s Sovereignty Debate Reached This Point
European efforts to certify cloud trustworthiness have been running for years, largely on separate tracks. ISO 27001 and SOC 2 became the default commercial proof of security practice. Germany’s BSI C5 added mandatory disclosure of applicable jurisdictions in 2022. Gaia-X launched as a federated data infrastructure initiative — with AWS, Microsoft and Google among its members — and the EU’s EUCS cybersecurity certification scheme was drafted with three assurance levels, though its strictest sovereignty tier was removed after lobbying and criticism that it amounted to protectionism, a critique voiced by groups including the Cross-Border Data Forum.
The latest turn is legislative. The proposed Cloud and AI Development Act (CADA), COM(2026) 502, would create four Union assurance levels for public procurement. Its own recitals concede that Cybersecurity Act certification ‘is not suited for addressing sovereignty concerns.’ Separately, ANSSI and BSI have jointly committed to developing common criteria specifying where failure is disqualifying — a sign that national and EU-level approaches are starting to converge.
“Certifications prove practice. Only one of them tests ownership.”
— Thorsten Meyer AI report, ‘The 24% Rule,’ 16 July 2026
SecNumCloud certified cloud provider
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Open Questions Around Mistral and CADA’s Fate
Several points remain unresolved. The report flags Mistral — Europe’s highest-profile AI champion — as a case where the non-EU venture capital share has never been publicly tested against the cap, describing it as an open question from public information rather than any assertion of non-compliance. The exact ownership arithmetic of other European AI firms is similarly unverified.
On the policy side, CADA is only a proposal and the EUCS remains unadopted. Whether the final legislation preserves meaningful sovereignty requirements, and how national labels such as SecNumCloud will map onto its Article 17 recognition process, is not yet clear. The report also acknowledges the protectionism critique of ownership-based rules as partly valid — noting both things can be true at once.
European data sovereignty cloud services
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
CADA Negotiations and Joint ANSSI–BSI Criteria Ahead
The next milestone is the legislative progress of CADA through the European Parliament and Council. If adopted, the badge on a vendor’s website would matter less than its assigned Union assurance level, and national labels would need separate recognition — a SecNumCloud provider would still require Article 17 approval to serve EU public procurement under the new scheme.
In parallel, the joint ANSSI–BSI work on common criteria is expected to define which failures are disqualifying across the two largest national frameworks. The report suggests buyers use the interim to demand written answers on ultimate parentage, non-EU capital percentages and key custody — and to ask every vendor, including the European champions, for their CADA recognition roadmap.

Providing Assurance to Cloud Computing through ISO 27001 Certification: How Much Cloud is Secured After Implementing Information Security Standards
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% rule in cloud sovereignty?
It is the ownership test in France’s SecNumCloud qualification: capital and voting rights held by non-EU companies must not exceed 24% individually or 39% collectively. The aim is to keep providers beyond the reach of extraterritorial laws such as the US CLOUD Act.
Does ISO 27001 or SOC 2 prove a cloud provider is sovereign?
No. According to the report, those certifications audit security practice — access controls, encryption, incident response — but say nothing about ownership or jurisdiction, so they cannot answer whether a foreign government could compel access to data.
Which providers currently meet the SecNumCloud standard?
Only around nine to ten providers hold the qualification, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple, per ANSSI’s catalogue. AWS, Azure and Google Cloud are structurally ineligible natively but participate through controlled ventures such as S3NS (Thales and Google) and Bleu (Capgemini and Orange on Azure).
Does SecNumCloud ban American technology?
No. The report says it forces a change of control over US technology rather than excluding it, which is why joint structures with European majority control have been created to run Google and Microsoft platforms under the qualification.
What is the Cloud and AI Development Act and is it in force?
CADA (COM(2026) 502) is a proposed EU law that would set four Union assurance levels for public procurement of cloud and AI services. It is not yet adopted; if passed, it would sit alongside national labels, which would still need separate recognition under its Article 17.
Source: Thorsten Meyer AI