TL;DR
An analysis published 16 July 2026 argues that widely displayed cloud certifications — ISO 27001, SOC 2, BSI C5, Gaia-X and the draft EUCS — audit security practice but never test whether a foreign government can compel access to data. Only France’s SecNumCloud tests that question, through an ownership cap of 24% individually and 39% collectively for non-EU shareholders. The proposed EU Cloud and AI Development Act (CADA) would replace today’s badge economy with four Union assurance levels, but it remains only a proposal.
Widely displayed “sovereign cloud” certifications — including ISO 27001, SOC 2, BSI C5 and Gaia-X membership — do not actually confirm sovereignty, according to a detailed analysis published on 16 July 2026 by Thorsten Meyer AI, and the gap matters most for buyers in regulated European industries. Each of those badges audits security practice; none tests the question that decides many deals: whether a foreign government can compel access to a provider’s data. Only one European framework, France’s SecNumCloud, tests that question — and it does so with an ownership cap of 24%.
The analysis sorts the certification landscape into two piles. The first pile certifies how a provider operates: ISO 27001 and SOC 2 verify access controls, encryption, incident response, business continuity and audit trails, while saying nothing about jurisdiction. BSI C5, Germany’s federal baseline since 2022, goes a step further by requiring disclosure of the place of jurisdiction — providers must declare which law reaches them — yet buyers still have to document residual US CLOUD Act risk in their own data protection impact assessments. Gaia-X covers interoperability and portability and counts AWS, Microsoft and Google among its members. The draft EUCS certifies security controls at three levels, but its “High+” sovereignty tier was stripped out during drafting.
SecNumCloud, the qualification issued by France’s ANSSI, is described as the outlier. Version 3.2 imposes more than 360 criteria, EU domicile, EU-only storage and audited key custody — plus the ownership test: capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively, verifiable from a cap table. Only around nine to ten providers hold it, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. AWS, Azure and Google Cloud are structurally ineligible in their native form. The analysis also flags that the Cohere–Aleph Alpha combination sits at roughly 90% Canadian ownership — about four times the cap — and that Mistral’s non-EU venture capital share has never been publicly tested.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why the Badges Leave Buyers Exposed
The finding lands directly on procurement decisions in regulated sectors, where contracts are being signed on the strength of badges that never address the decisive legal question. The analysis points to Microsoft as the clearest illustration: in May 2025 the company said encryption rendered outside access “technically impossible”; roughly a month later it acknowledged it could not guarantee immunity from US authorities —, in the author’s phrasing, thirty days between the marketing and the law. The piece also warns that sovereignty claims stack by layer: sovereign infrastructure running beneath a non-EU-controlled SaaS layer is not a sovereign stack. SecNumCloud does not ban American technology, it notes — it forces a change of control over it, which is why structures such as S3NS (Thales with Google) and Bleu (Capgemini and Orange on Azure) exist.
sovereign cloud certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
How Europe’s Cloud Rulebook Got Here
Europe has spent years trying to settle cloud sovereignty through certification. BSI C5 became the German federal baseline in 2022, and the EU’s proposed EUCS scheme — still unadopted — lost its “High+” sovereignty tier after criticism, including from the Cross-Border Data Forum, that sovereignty requirements amounted to protectionism. The analysis concedes that charge partly sticks, while arguing both things can be true at once. In November 2025, DORA oversight designations put major cloud providers under direct financial-sector scrutiny. The newest entry is the proposed Cloud and AI Development Act (CADA, COM(2026) 502), which would set four Union assurance levels for public procurement — and whose own recitals state that Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” ANSSI and Germany’s BSI have jointly committed to common criteria specifying where failure is disqualifying.
“Cybersecurity Act certification “is not suited for addressing sovereignty concerns.””
— European Commission, recitals of the proposed CADA regulation
EU data sovereignty cloud services
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Untested Ownership and an Unwritten Rulebook
Both pillars of the coming framework are unfinished: CADA is only a proposal, and EUCS remains unadopted. Under CADA as drafted, national labels would not be banned, but even a SecNumCloud-qualified provider would still need separate Article 17 recognition, leaving dual-track compliance possible. The ownership questions raised around individual companies — including Mistral’s non-EU venture share — are explicitly framed as open questions drawn from public information, not assertions of non-compliance. The protectionism debate is also unresolved; that critique is precisely why the EUCS High+ tier died, and it will shape the fight over CADA. The analysis itself carries the caveat that it is not legal advice.
French SecNumCloud certified cloud provider
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
CADA’s Path and Six Vendor Questions
The immediate milestone is the legislative progress of CADA: if it passes, the badge on a vendor’s website stops mattering and the Union assurance level starts, with the author predicting the framework will be the main argument in European cloud by 2027. In parallel, ANSSI and BSI are to deliver their joint common criteria. For buyers, the analysis offers six questions to put to any vendor now: who is your ultimate parent and where is it incorporated; will you state in writing that you are not subject to non-EU extraterritorial law; what percentage of capital and voting rights sits with non-EU entities; who holds the encryption keys and can you be compelled to produce them; which of your certifications tests ownership versus practice; and what is your CADA recognition roadmap. The closing advice: do not ask whether a provider is “sovereign” — ask the arithmetic of who owns it and what law reaches it, then check whether the answer sits above or below 24%.
European Union cloud security certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% rule in SecNumCloud?
It is an ownership test, not a security control. Capital and voting rights held by companies based outside the EU must not exceed 24% for any single shareholder or 39% collectively. Because it can be checked from a company’s capitalization table, it is the only European framework criterion that directly limits foreign legal leverage over a cloud provider.
Do ISO 27001 or SOC 2 certifications prove cloud sovereignty?
No. Both certify security practice — controls, processes, encryption and incident response — and say nothing about jurisdiction or ownership. A fully compliant provider can still be subject to extraterritorial laws such as the US CLOUD Act.
Can AWS, Microsoft Azure or Google Cloud qualify as sovereign in Europe?
Not in their native form, because their non-EU ownership far exceeds the SecNumCloud cap. They can participate only through change-of-control structures, such as S3NS (Thales with Google Cloud) or Bleu (Capgemini and Orange built on Azure), where European entities hold control.
What is the Cloud and AI Development Act (CADA)?
CADA — proposal COM(2026) 502 — is a planned EU regulation that would set four Union assurance levels for cloud and AI services used in public procurement. Its recitals state that existing Cybersecurity Act certification cannot address sovereignty. It is still only a proposal and has not been adopted.
Is SecNumCloud a form of protectionism?
Critics, including voices in the Cross-Border Data Forum, say sovereignty requirements are partly protectionist, and that argument helped kill the EUCS “High+” tier. The analysis agrees the critique has merit while maintaining that the underlying legal exposure — foreign compulsion of data access — is real regardless.
Source: Thorsten Meyer AI