Apr 29, 2026

SecNumCloud, BSI C5 and GAIA-X Level 3 — Reading European Sovereign Cloud Certifications

AUTHOR

James A. Wondrasek

European cloud buyers are staring down three separate certification frameworks — SecNumCloud, BSI C5, and the GAIA-X Sovereignty Index. Each one measures different things and carries different weight in procurement. And because “sovereign cloud” has become a marketing term that everyone from hyperscalers to local hosters is slapping on their brochures, knowing how to read these certifications has become a practical business skill. Without it, you can’t tell genuine sovereignty from sovereignty washing.

This article maps all three frameworks side by side, explains why GAIA-X Level 3 currently excludes AWS European Sovereign Cloud, and gives you a decision framework based on your regulatory environment. It closes with five questions you can use to interrogate any vendor claiming sovereign certification. If you haven’t already read about the CLOUD Act mechanics these certifications are designed to address, start there — this article assumes you already understand European cloud procurement as a jurisdictional risk decision.

Why does the European sovereign cloud certification landscape exist?

Short answer: because data residency and data sovereignty are not the same thing — and that legal distinction has real consequences.

The US CLOUD Act of 2018 lets US authorities compel any US-headquartered provider to hand over customer data, regardless of where it physically sits. So a US hyperscaler with EU-based servers can offer you data residency — your data stays in Europe. What it cannot offer is data sovereignty — protection from a US government request. DPIAs for US hyperscaler services almost always flag the CLOUD Act as a significant risk.

Three frameworks emerged to define what genuine immunity from extraterritorial law actually requires:

The landscape is also politically contested. CISPE, the EU cloud provider trade association, has accused the EU Cloud Sovereignty Framework of favouring incumbent US hyperscalers, and in April 2026 launched its own auditable sovereign/resilient framework. All of which means independent evaluation criteria — not just looking at which badges a vendor displays — are the only reliable procurement tool.

What does SecNumCloud actually require, and why does it exclude US-parent providers?

SecNumCloud is France’s national cloud security certification, administered by ANSSI. It is the most stringent certification in Europe and the only framework that explicitly requires a cloud provider to be both legally domiciled and operationally independent within the EU.

Here is what it actually requires:

The exclusion of US-parent providers is not a side effect — it is the design intent. AWS ESC GmbH is a wholly-owned Amazon Inc. subsidiary. However its European operations are organised, Amazon Inc. remains subject to the CLOUD Act. That’s disqualifying.

Outscale, a Dassault Systèmes subsidiary, is the benchmark SecNumCloud-certified provider — it hosts France’s Visio video-conferencing platform for all French civil servants. SecNumCloud is increasingly referenced as a pan-European standard, not just a French domestic requirement. Its rigour makes it the benchmark against which all other sovereignty claims are measured.

What is BSI C5, and why does AWS ESC hold it while remaining CLOUD Act-exposed?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the German Federal Office for Information Security’s attestation standard for cloud security. It covers 121 controls across 17 security domains.

Here’s the critical distinction, and it is worth paying attention to: BSI C5 is an attestation — a third-party auditor confirms the provider’s controls exist. SecNumCloud is a certification — an independent authority confirms legal eligibility. That difference matters far more than most procurement checklists acknowledge.

BSI C5 does not require EU legal domicile. It does not require immunity from non-EU extraterritorial laws. And it does not evaluate parent-company legal structure. AWS ESC holds BSI C5 attestation — and that is legitimate for what C5 measures. It demonstrates documented security controls. It does not demonstrate insulation from CLOUD Act requests directed at Amazon Inc.

The line to remember: no technical or organisational workaround can transform a US corporation into a genuinely sovereign European entity. OVHcloud holds both C5 and SecNumCloud. STACKIT and Hetzner hold C5 but not SecNumCloud. Treat C5 as a security floor, not a sovereignty ceiling.

What is the GAIA-X Sovereignty Index, and where is the Level 3 threshold?

GAIA-X was founded in 2019 by France and Germany and operates as a Belgian non-profit with European-dominated governing bodies. The GAIA-X Sovereignty Index defines four compliance levels:

Level 1 — Basic Compliance: Fundamental security controls; achievable by most providers including US hyperscalers. Appropriate for standard enterprise SaaS.

Level 2 — Enhanced Data Protection: Stronger data protection controls; compatible with EU data residency commitments even if the provider is subject to extraterritorial law. For general enterprise GDPR workloads.

Level 3 — Full Sovereignty: European headquarters required; provider must not be subject to non-EU extraterritorial laws; EU-controlled key custody. Required for regulated industries, defence, and critical infrastructure.

Level 4 — Classified/Air-Gapped: The most restricted tier — military, intelligence, classified national security.

Level 3 is where CLOUD Act exposure stops being a risk factor you can manage with contractual measures and becomes outright disqualifying.

AWS ESC cannot currently qualify for GAIA-X Level 3 because Amazon Inc. remains subject to the CLOUD Act. No amount of European operational restructuring resolves the parent company’s US legal obligations. Level 3 was explicitly designed to exclude providers whose parent companies are subject to extraterritorial non-EU law — a direct response to US hyperscalers joining GAIA-X while remaining CLOUD Act-exposed. As competition expert Cristina Caffarra put it: “The intention behind Gaia-X was good. The problem was that American companies lobbied to be included. Once Microsoft, Google, and AWS were inside Gaia-X, the initiative lost its purpose.” The fact that Level 3 holds as a real threshold despite all that lobbying is worth noting. For a detailed examination of why the AWS European Sovereign Cloud cannot currently meet GAIA-X Level 3 — including the corporate structure analysis and a ten-question vendor evaluation checklist — see the full technical and legal breakdown.

How do SecNumCloud, BSI C5 and GAIA-X Level 3 compare — and which level does your regulatory environment require?

With the three frameworks mapped, here is how they stack up.

Framework Comparison

| | SecNumCloud | BSI C5 | GAIA-X Level 3 |
|---|---|---|---|
| Type | Certification | Attestation | Compliance level |
| Issuing body | ANSSI | BSI | GAIA-X AISBL |
| EU legal domicile required | Yes | No | Yes |
| Extraterritorial law immunity required | Yes | No | Yes |
| Encryption key custody | EU-held, audited | Operational controls only | EU-controlled |
| US-parent provider eligible | No | Yes | No |
| AWS ESC eligible | No | Yes (attested) | No |

Decision Framework by Regulatory Environment

GDPR only (standard SaaS): GAIA-X Level 2 or BSI C5 is proportionate. CLOUD Act risk is manageable with contractual measures. Example providers: AWS ESC (C5), Azure EU Data Boundary.

GDPR + DORA (financial sector): GAIA-X Level 3 or SecNumCloud is required. DORA applies regardless of size — a 50-person FinTech is in scope alongside major banks. Example providers: OVHcloud, STACKIT, Outscale. For a full breakdown of which EU-native providers hold SecNumCloud or BSI C5 certification and what workloads each can serve, see the EU provider landscape overview.

GDPR + sector-specific (health, defence, critical infrastructure): SecNumCloud or GAIA-X Level 3 is required. Extraterritorial law immunity and verified key custody are necessary. Example providers: Outscale (SecNumCloud), STACKIT.

French public sector: SecNumCloud is mandatory. No exceptions for hyperscalers. Example provider: Outscale.

Cross-EU regulated industries: GAIA-X Level 3 is recommended. Providers: EU-native providers with Level 3 status.

The AWS Sovereign Reference Framework

AWS has published its own Sovereign Reference Framework (ESC-SRF), available through AWS Artifact — covering governance independence, operational control, data residency, and technical isolation. It is SOC 2 attested; third-party validation is expected in 2026. Worth reading, but it is not a sovereignty certification equivalent to SecNumCloud or GAIA-X Level 3. Its scope is operational sovereignty: what AWS does, not what law applies to Amazon Inc.

Microsoft illustrated exactly how big that gap is. In May 2025 it claimed encryption features would make access to its European sovereign cloud “technically impossible,” then one month later acknowledged it could not guarantee complete immunity from US authorities. Operational controls and parent-company legal exposure are two entirely different questions.

Five questions to ask before accepting any “sovereign cloud” certification claim

These questions are designed to cut through sovereignty washing — the practice of marketing US-owned infrastructure as “sovereign” by locating datacenters in Europe without resolving CLOUD Act exposure.

1. Is the certification independent of the vendor?

Genuine certifications like SecNumCloud and BSI C5 are issued by independent government bodies — ANSSI and the BSI. Self-attested frameworks are the vendor’s own documentation of their own controls. Ask: who issued this, and what authority do they hold independent of the vendor?

2. Does the certification explicitly require immunity from extraterritorial laws?

BSI C5 does not. GAIA-X Level 3 and SecNumCloud do. If a certification does not explicitly address extraterritorial law exposure, it doesn’t address the CLOUD Act. And keep in mind: CLOUD Act requests come with gag orders — any contractual transparency clause is effectively meaningless once a warrant has been served.

3. Who holds the encryption keys?

If the vendor holds the keys, a CLOUD Act request compels key disclosure. BYOK and HYOK help — but only if the key management infrastructure is entirely outside the provider’s control. Keys stored in the provider’s own key management service don’t count, even if they are labelled “customer-managed.” Ask: can the provider, at any point, technically access your encryption keys?

4. Is the provider legally domiciled in the EU?

European subsidiary structures of US-parent companies do not resolve the parent’s extraterritorial obligations. The question is not where the staff are or where the servers are — it is whether the ultimate parent is incorporated under non-EU law. If yes, the provider is subject to non-EU extraterritorial law regardless of datacenter location.

5. Who audits compliance, and how often?

SecNumCloud requires ongoing re-audit by ANSSI. BSI C5 Type II attestations cover operational effectiveness over a sustained period. Ask when the last audit occurred, who conducted it, and whether full reports are available. Vendors reluctant to share audit details are treating certification as a marketing asset, not a compliance obligation.

Sovereignty washing detection summary

If a vendor’s “sovereign” offering is a subsidiary of a US-headquartered parent and the vendor cannot explicitly state that its parent is not subject to the CLOUD Act, the offering is sovereignty washing — regardless of which badges it displays.

The contrast is pretty stark: Outscale (EU-domiciled, SecNumCloud-certified, no US parent) passes all five questions. AWS ESC (EU-operated, BSI C5-attested, 100% Amazon Inc. subsidiary) fails on questions 2 and 4. That is the practical difference between sovereign and sovereignty-washed.

For a complete framework covering vendor selection, certification requirements, and procurement decision-making across all dimensions of jurisdictional risk in cloud procurement, the full series overview consolidates everything covered here alongside the legal, provider, and open-source layers.

FAQ

What is SecNumCloud certification and who administers it?

SecNumCloud is France’s national cloud security certification, administered by ANSSI. It requires EU legal domicile, immunity from non-EU extraterritorial laws, EU-only data storage, and audited key custody. Outscale (Dassault) is the primary certified provider; AWS ESC cannot hold it.

Is BSI C5 attestation sufficient for GDPR compliance with US hyperscalers?

BSI C5 demonstrates implemented security controls and is a required baseline for German public sector procurement. It does not address CLOUD Act exposure. A C5-attested provider with a US parent still requires you to document and accept residual CLOUD Act risk in your DPIA. Security floor, not sovereignty ceiling.

Where can I find the AWS European Sovereign Cloud Sovereign Reference Framework?

In AWS Artifact, accessible from the AWS Management Console. It covers governance independence, operational control, data residency, and technical isolation. SOC 2 attested; third-party validation expected in 2026. Scope is operational sovereignty — not legal immunity from the CLOUD Act.

Why can’t AWS ESC qualify for GAIA-X Level 3?

Level 3 requires the provider not be subject to non-EU extraterritorial laws. AWS ESC GmbH is a wholly-owned subsidiary of Amazon Inc. — a US corporation subject to the CLOUD Act. European subsidiary structure does not resolve the parent’s US legal obligations. It is explicit in Level 3’s design.

What is the difference between GAIA-X Level 2 and Level 3?

Level 2 can be met by providers with EU data residency commitments even if the parent is a US company. Level 3 adds the European headquarters requirement and explicit immunity from extraterritorial law — the threshold that excludes US-parent providers. Level 2 covers general enterprise GDPR workloads; Level 3 is required for regulated industries and government workloads. Roughly 10% of European cloud customers need Level 3.

Is the GAIA-X Sovereignty Index legally enforceable?

Voluntary, not binding — but increasingly embedded in public procurement requirements and enterprise tender specifications. GDPR, DORA, and sector-specific regulations create the binding legal obligations; GAIA-X Level 3 provides evidence of compliance. Enforceability may increase as EU procurement policy evolves.

What cloud providers currently hold SecNumCloud certification?

Outscale (Dassault) is the primary certified provider. A small number of additional EU-native providers are pursuing certification. US-parent hyperscalers (AWS, Microsoft, Google) are structurally ineligible. ANSSI maintains the authoritative registry. For a full rundown, see which EU-native providers hold SecNumCloud or BSI C5 certification.

What is CISPE and why does it criticise the EU Cloud Sovereignty Framework?

CISPE is the EU trade association for European-native cloud providers. Its criticism: the EU Cloud Sovereignty Framework lets large US providers claim compliance without meeting the substantive sovereignty criteria that European providers are built around. In April 2026, CISPE launched its own auditable sovereign/resilient badge system — 40+ services at launch.

What is sovereignty washing and how do I identify it?

Sovereignty washing is marketing US-owned infrastructure as “sovereign” by locating datacenters in Europe without resolving CLOUD Act exposure. Key markers: the ultimate parent is incorporated outside the EU; the provider cannot state it is not subject to non-EU extraterritorial law. If the sovereignty claim relies on “data stays in Europe,” it is describing data residency, not data sovereignty — legally distinct.

Does encryption key management (BYOK/HYOK) resolve CLOUD Act exposure?

It reduces it, but doesn’t eliminate it. If key management is genuinely outside the provider’s control and the provider never has technical access, it cannot supply decrypted data under a CLOUD Act request. But if keys are stored in the provider’s own key management service — even in a “customer-managed” arrangement — the provider retains access. Ask specifically: can the provider technically access your keys at any point?
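To make question 3 and this BYOK/HYOK answer concrete, here is an added Python example (not from the article or any provider) that models two envelope-encryption arrangements: a "customer-managed" key that still lives in the provider's own KMS, and a HYOK key held in a customer-operated KMS. The `Kms` class, key ids and payroll payloads are constructed for illustration, and the cipher is a toy PRF stream; the function returns what a compelled provider could recover using only its own storage and keys.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode, XORed over data): illustration only,
    the subject here is key custody, not the cipher. Symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Kms:
    """Minimal key management service: whoever operates it can read every key inside it."""
    keys: dict = field(default_factory=dict)
    def create(self, kid: str) -> str:
        self.keys[kid] = secrets.token_bytes(32)
        return kid
    def wrap(self, kid: str, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + keystream_xor(self.keys[kid], nonce, dek)
    def unwrap(self, kid: str, blob: bytes) -> bytes:
        return keystream_xor(self.keys[kid], blob[:16], blob[16:])

def store_object(kms: Kms, kid: str, plaintext: bytes) -> dict:
    """Envelope encryption: fresh data key per object, wrapped by key `kid` held in `kms`.
    The returned record is what lands in the provider's storage."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"kid": kid, "wrapped_dek": kms.wrap(kid, dek), "nonce": nonce,
            "ct": keystream_xor(dek, nonce, plaintext)}

def decrypt_with(kms: Kms, obj: dict) -> bytes:
    dek = kms.unwrap(obj["kid"], obj["wrapped_dek"])
    return keystream_xor(dek, obj["nonce"], obj["ct"])

def compelled_disclosure(provider_kms: Kms, storage: list) -> list:
    """What the provider can produce by itself when compelled: it holds the storage and
    every key in its own KMS, so any object wrapped by a key that sits there is recoverable."""
    return [decrypt_with(provider_kms, o) for o in storage if o["kid"] in provider_kms.keys]

def custody_comparison() -> dict:
    provider_kms, customer_kms = Kms(), Kms()  # customer_kms: hypothetical external HSM/KMS
    storage = [
        # A: "customer-managed" key that still lives inside the provider's own KMS
        store_object(provider_kms, provider_kms.create("cmk-in-provider-kms"), b"payroll Q1"),
        # B: HYOK, the wrapping key never leaves the customer's KMS; provider sees only ciphertext
        store_object(customer_kms, customer_kms.create("kek-in-customer-hsm"), b"payroll Q2"),
    ]
    return {"provider_can_recover": compelled_disclosure(provider_kms, storage),
            "customer_can_still_read": decrypt_with(customer_kms, storage[1])}
```

Arrangement A is recoverable by the provider alone, which is the "customer-managed but provider-held" trap the question warns about; arrangement B leaves the provider with nothing but wrapped keys and ciphertext.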

What workloads genuinely require GAIA-X Level 3 or SecNumCloud certification?

Military and defence; critical infrastructure under NIS2; financial services under DORA; health sector data with cross-border sensitivity; government applications where a GDPR Article 35 DPIA flags CLOUD Act exposure as unacceptable. Roughly 10% of European cloud customers fall here. For the remaining 90% — most SMB SaaS, FinTech, and EdTech companies — BSI C5 or GAIA-X Level 2 may be proportionate to actual risk.

What does “European HQ” mean in the context of GAIA-X Level 3?

The ultimate parent company must be legally incorporated and domiciled within the EU. A European subsidiary, European regional HQ, or European-citizen leadership within a US-parent structure does not satisfy it. A European-citizen CEO of an AWS European subsidiary does not make AWS ESC Level 3-eligible — Amazon Inc. remains the legally relevant entity.
