The Truth Behind The 24% Rule And AI Sovereignty Certification Gaps

TL;DR

A new analysis of European cloud and AI certifications finds that mainstream badges such as ISO 27001, SOC 2, BSI C5 and Gaia-X test security practice but not ownership or jurisdiction. Only France’s SecNumCloud framework tests whether a foreign government can compel access to data, using a hard cap: non-EU entities may hold no more than 24% of capital individually or 39% collectively. The proposed EU Cloud and AI Development Act (CADA) could replace the current patchwork of labels with four Union assurance levels for public procurement.

A widely cited stack of cloud certifications — ISO 27001, SOC 2 Type II, BSI C5 and Gaia-X membership — does not answer the question that decides regulated European cloud and AI deals: whether a foreign government can compel access to customer data. That is the central finding of an analysis published on 16 July 2026 by Thorsten Meyer AI, which identifies France’s SecNumCloud qualification as the only European framework that tests ownership rather than practice — through a rule capping non-EU capital and voting rights at 24% individually and 39% collectively.

According to the analysis, certifications fall into two distinct categories. ISO 27001, SOC 2, BSI C5 and, in its current draft form, the EU Cybersecurity Certification Scheme (EUCS) certify how a provider operates — access controls, encryption, incident response and audit trails. BSI C5 goes furthest among them by requiring disclosure of the place of jurisdiction, but it does not confer immunity; buyers must still document residual CLOUD Act risk in their data protection impact assessments. Gaia-X, meanwhile, is an interoperability initiative whose members include AWS, Microsoft Azure and Google, not a security audit.

SecNumCloud, administered by France’s ANSSI, is described as the outlier. Version 3.2 imposes more than 360 criteria — roughly ten times the complexity of ISO 27001 — including EU domicile, EU-only storage, audited key custody and the ownership cap. Only around nine to ten providers hold the qualification, among them OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. AWS, Azure and Google are structurally ineligible in their native form, which is why joint ventures such as S3NS (Thales and Google) and Bleu (Capgemini and Orange, on Azure) were created to change control over American technology rather than exclude it.

The analysis also flags AI-specific exposure: the Cohere–Aleph Alpha combination sits at roughly 90% Canadian ownership, about four times over the individual cap, while Mistral’s non-EU venture capital share has never been publicly tested against the threshold.

At a glance
analysisWhen: analysis published 16 July 2026; CADA r…
The developmentA 16 July 2026 analysis by Thorsten Meyer AI lays out why SecNumCloud’s 24% non-EU ownership cap is the only European certification test of jurisdictional control, just as the proposed Cloud and AI Development Act (COM(2026) 502) moves through Brussels.
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Why Ownership Now Decides European Cloud Deals

For buyers in regulated European industries — finance, health, public administration — the distinction between practice and ownership is becoming a procurement filter, not a technicality. A provider can pass every security audit and still be reachable by extraterritorial foreign law, and no encryption control changes who can be served a legal order. The analysis argues that sovereign infrastructure sitting under a non-EU-controlled SaaS layer is not a sovereign stack, making the ownership question relevant at every layer of an AI deployment, from compute to model provider.

The finding also reframes vendor due diligence. The analysis recommends asking any vendor for its ultimate parent and place of incorporation, the exact percentage of capital and voting rights held by non-EU entities, who holds encryption keys and whether the provider can be compelled to produce them. If a vendor cannot answer the ownership questions immediately, it says, the rest of the meeting is theatre.

Amazon

ISO 27001 cybersecurity certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

How SecNumCloud Became the Sovereignty Benchmark

The debate over certification gaps predates this analysis. The EU’s EUCS scheme originally contemplated a “High+” sovereignty tier, but that tier was stripped out during drafting — a decision the analysis links directly to accusations of protectionism from industry and trade groups, including the Cross-Border Data Forum and CISPE. As drafted, EUCS High does not equal CLOUD Act immunity, and the scheme remains unadopted.

Microsoft illustrated the gap in mid-2025, according to the analysis: in May 2025 the company said encryption made access to data technically impossible, then roughly one month later acknowledged it could not guarantee immunity from US authorities. The piece concedes that SecNumCloud is partly protectionist in effect — but argues both things can be true at once, and that the word “sovereign” has been marketed into meaninglessness.

“Cybersecurity Act certification is not suited for addressing sovereignty concerns”

— CADA recitals, COM(2026) 502

Unanswered Questions on Mistral and CADA’s Fate

Several points remain open. Mistral’s non-EU ownership share has never been publicly tested against the 24% cap, and the analysis frames this as an open question drawn from public information — not an assertion of non-compliance. The same applies to other European AI champions whose cap tables have not been scrutinised against the threshold.

The legislative picture is equally unsettled. CADA is a proposal, not law, and its four Union assurance levels exist only on paper. How national labels such as SecNumCloud would map onto the new Article 17 recognition process — and whether the final text keeps the recital language dismissing existing certification for sovereignty purposes — is still to be decided. EUCS, meanwhile, remains unadopted with its sovereignty tier already removed.

CADA Vote and Joint ANSSI-BSI Criteria Ahead

The immediate milestone is the fate of the Cloud and AI Development Act (COM(2026) 502). If adopted, it would establish four Union assurance levels for public procurement, and the badge on a vendor’s website would stop mattering in favour of the assigned assurance level. National labels would not be banned, but even a SecNumCloud-qualified provider would need separate Article 17 recognition under the new framework.

In parallel, ANSSI and Germany’s BSI have jointly committed to developing common criteria that specify where failure is disqualifying — an effort that could harmonise the French and German approaches before CADA lands. The analysis predicts the assurance-level rulebook, not any existing certification, will be the framework the industry argues about by 2027. Buyers are advised to obtain legal counsel rather than treat any of this as settled compliance guidance.

Key Questions

What is the 24% rule?

It is SecNumCloud’s sovereignty test: capital and voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. Because it is an ownership cap rather than a security control, it can be checked directly from a provider’s cap table.

Do ISO 27001 or SOC 2 certification prove data sovereignty?

No. According to the analysis, those frameworks certify security practice — controls, processes and audits — and say nothing about jurisdiction or which government’s law can reach the provider. Only SecNumCloud among European frameworks tests ownership.

Which providers currently hold SecNumCloud qualification?

Roughly nine to ten providers, including OVHcloud, Outscale, Scaleway, Numspot and Cloud Temple. AWS, Microsoft Azure and Google are structurally ineligible in their native form and participate only through European-controlled joint ventures such as S3NS and Bleu.

What is CADA and how would it change procurement?

The proposed Cloud and AI Development Act (COM(2026) 502) would create four Union assurance levels for public procurement. Its recitals state that existing Cybersecurity Act certification is not suited for addressing sovereignty concerns. If passed, assurance levels would displace today’s patchwork of national labels, though providers with national qualifications would still need separate recognition.

Is SecNumCloud a form of protectionism?

Partly, the analysis concedes — and that critique is exactly why the EUCS “High+” sovereignty tier was removed. But it argues the ownership test also reflects a genuine legal exposure, since no technical control overrides a foreign legal order served on a provider’s parent company.

Source: Thorsten Meyer AI

Wellness content on this site is informational and not a substitute for professional medical guidance.
You May Also Like

How Heart Rate Drift Changes Your Long Runs

A deeper understanding of heart rate drift can help optimize your long runs and prevent premature fatigue, so keep reading to learn more.

Heel Drop Demystified: Why It Changes Calf and Achilles Load

No exercise reveals the true impact on your calf and Achilles tendons like the heel drop, and understanding why it changes their load can transform your training.

Outdoor Pace vs Treadmill Pace: The Conversion Rules That Actually Work

Discover why converting outdoor pace to treadmill pace isn’t straightforward and learn the effective rules that really work.

The Treadmill Horsepower Myth That Costs You Money

The treadmill horsepower myth can cost you money—discover the truth behind those flashy ratings and how to choose a truly reliable machine.