📊 Full opportunity report: Why The 24% Rule Is Essential For Evaluating AI Sovereignty Certifications on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership limit in France’s SecNumCloud framework is crucial for ensuring legal sovereignty over cloud and AI services. It uniquely tests control by foreign entities, affecting European data security and jurisdictional independence.

France’s SecNumCloud framework includes a unique ownership cap of 24%, designed to ensure legal sovereignty over data and AI services. This rule is now a key criterion for providers aiming to meet European AI and cloud sovereignty standards, making it a critical development for European data security and jurisdictional independence.

SecNumCloud, created by France’s ANSSI, is a government-issued qualification that extends beyond traditional security certifications. Unlike ISO 27001 or SOC 2, which assess security practices, SecNumCloud explicitly tests ownership and control over data by imposing a 24% ownership limit on foreign entities. This arithmetic threshold ensures that no single non-EU company can exert undue influence or legal control over the service, thus safeguarding EU legal sovereignty.

As of mid-2026, only about ten providers, including OVHcloud, 3DS Outscale, and Scaleway, have obtained an active SecNumCloud qualification, with more in the pipeline. The framework is mandatory for hosting sensitive French public-sector data and is increasingly being adopted for critical infrastructure, especially under the EU’s NIS2 directive.

Notably, the ownership cap is a straightforward, checkable arithmetic rule, making it a practical and enforceable control measure. It is designed to prevent foreign governments or corporations from gaining dominant control, which could otherwise compromise data sovereignty and legal independence.

At a glance
analysisWhen: developing as of mid-2026, with current…
The developmentThe article explains why the 24% ownership rule in France’s SecNumCloud framework is essential for evaluating AI sovereignty and legal control over data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

The Critical Role of the 24% Ownership Cap in Data Sovereignty

The 24% ownership rule is fundamental because it directly addresses the control and jurisdictional independence of cloud and AI providers operating within Europe. By legally restricting foreign ownership, it ensures that EU data remains under European control and immune from extraterritorial laws like the US CLOUD Act. This threshold effectively makes SecNumCloud a test of sovereignty, not just security practices, which is a significant evolution in cloud certification standards.

For European organizations, this means that choosing a provider with SecNumCloud certification—and compliance with the 24% rule—offers stronger legal protections and reduces the risk of foreign government access or influence over sensitive data. It also sets a precedent for other jurisdictions aiming to assert sovereignty over their digital infrastructure.

However, critics note that this measure is only one part of a broader sovereignty framework, and actual control also depends on legal, operational, and geopolitical factors. The rule’s effectiveness will depend on how widely it is adopted and enforced across the EU and beyond.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background of the 24% Control Threshold in European Cloud Security

The concept of sovereignty in cloud and AI services has gained prominence amid increasing concerns over data jurisdiction and foreign influence. France’s SecNumCloud was introduced in 2016 by ANSSI as a government-backed qualification to ensure robust security and sovereignty standards. Unlike typical certifications, it incorporates legal sovereignty as a core criterion, notably through the 24% ownership cap.

This threshold was designed in response to the growing presence of US and non-EU cloud providers, which, despite holding certifications like ISO 27001 or BSI C5, remain subject to foreign laws such as the CLOUD Act. The rule aims to prevent foreign entities from gaining majority or controlling stakes, which could compromise EU data sovereignty.

Since its creation, the framework has been adopted primarily by French providers and is increasingly seen as a model for European sovereignty efforts, especially as the EU pushes for more control over critical infrastructure and sensitive data under directives like NIS2.

While other standards like BSI C5 focus on security controls and jurisdiction disclosure, SecNumCloud’s ownership rule explicitly links legal sovereignty to ownership structure, making it a unique and rigorous benchmark.

“The 24% ownership cap in SecNumCloud is the most straightforward, checkable measure of sovereignty, directly linking ownership structure to legal control.”

— Thorsten Meyer

Amazon

AI data sovereignty compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About the 24% Ownership Limit’s Effectiveness

While the ownership cap offers a clear arithmetic control, it remains uncertain how effectively it prevents foreign influence in practice. Critics argue that ownership is only one aspect of sovereignty, and operational, legal, and geopolitical factors could still undermine control.

Additionally, the framework’s adoption outside France and the EU is still limited, and enforcement mechanisms are evolving. It is also unclear how the rule will adapt to complex corporate structures or future legal challenges.

Further, the impact on global cloud provider strategies and whether the 24% limit will become a de facto standard across Europe or remain a national-specific measure are still developing issues.

Amazon

cloud security compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Adoption and Enforcement of the 24% Control Rule

As of mid-2026, more providers are pursuing SecNumCloud certification, aiming to meet the ownership threshold and expand their presence in European markets. The French government and EU regulators are likely to strengthen enforcement and potentially extend the sovereignty framework to other sectors and countries.

European policymakers may also refine the ownership rules, possibly setting similar standards across member states. Meanwhile, US and non-EU cloud giants are exploring ways to comply, such as restructuring ownership or establishing local control entities, to meet the sovereignty criteria.

In the coming months, expect increased debate over the effectiveness of the 24% rule, its adoption across Europe, and its influence on global cloud and AI sovereignty strategies.

Amazon

ownership verification tools for cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why is the 24% ownership limit important for AI sovereignty?

The 24% ownership limit ensures that no single foreign entity can exert control over a cloud or AI provider, safeguarding EU legal sovereignty and preventing foreign governments from accessing or influencing sensitive data.

How does SecNumCloud differ from other security certifications?

Unlike ISO 27001 or SOC 2, which focus on security practices, SecNumCloud explicitly tests ownership and control over data, including a legal sovereignty criterion through the ownership cap.

Can a provider with US ownership still meet the sovereignty standards?

Yes, if the US parent company’s ownership stake is below 24%, the provider can meet the control requirement. However, the provider remains subject to US law unless it establishes EU-controlled structures.

Will the 24% rule become a standard across Europe?

It is possible, as the EU considers similar sovereignty measures, but currently, it is primarily a French framework. Broader adoption depends on regulatory developments and industry response.

What are the practical challenges providers face in meeting the 24% limit?

Providers must carefully structure ownership and control arrangements, often requiring complex corporate restructuring and legal safeguards to ensure compliance with the arithmetic threshold.

Source: ThorstenMeyerAI.com

You May Also Like

The referral. How AI search severs the content-for-traffic contract that funded the open web.

AI search now answers queries directly, ending the traditional referral traffic model that funded independent publishers, with significant industry impacts.

Memory Cards In Sales: Strengthening Relationships Before Each Call

Pre-call memory cards for relationship-driven professionals are being tested to improve client interactions by summarizing past conversations and commitments.

How Nanotechnology Is Reshaping Supply Chains

Meticulous advancements in nanotechnology are transforming supply chains, offering innovative solutions that could revolutionize your operations—discover how inside.

Electric Code Calculator

A new mobile and web app offers electricians quick, code-grounded calculations for NEC compliance, addressing a critical industry need amid rising demand.