📊 Full opportunity report: The 24% Rule: A Key To Understanding AI Sovereignty Certification Gaps on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership threshold in France’s SecNumCloud framework is a key measure of sovereignty, highlighting gaps in AI and cloud certifications. This rule tests control, not security, revealing sovereignty challenges for foreign-controlled providers.

The 24% ownership cap in France’s SecNumCloud framework is emerging as a critical benchmark for sovereignty certification and control over cloud providers operating within the EU. This rule directly tests ownership and control, not just security practices, highlighting a significant gap in current certification schemes.

SecNumCloud, created by France’s ANSSI, is a qualification scheme that combines security standards with legal sovereignty requirements, including EU domicile, data storage, and immunity from non-EU laws. Its defining feature is the ownership threshold — no more than 24% of voting rights can be held by non-EU entities, or the provider risks losing sovereignty qualification. This arithmetic rule is unique among European frameworks and directly addresses control, not just security practices.

Currently, about nine or ten providers hold active SecNumCloud qualifications, with major players like OVHcloud, Outscale, and Scaleway. These providers must meet strict criteria, including EU data residency and legal control, to qualify. The rule aims to ensure that providers are genuinely under European control, especially for sensitive public-sector data, which is mandated under France’s Cloud au Centre doctrine.

Foreign cloud providers, particularly US-based hyperscalers, cannot meet the ownership threshold directly, leading to innovative workarounds. These include joint ventures like S3NS (Thales–Google) and Bleu (Capgemini and Orange), where control is shifted to European entities to maintain sovereignty qualification, despite the parent companies’ foreign ownership.

At a glance
analysisWhen: developing as of mid-2026
The developmentThe article examines how the 24% ownership rule in France’s SecNumCloud framework impacts AI sovereignty certification gaps and the control of foreign cloud providers.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most „sovereign cloud“ certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The „High+“ sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification „is not suited for addressing sovereignty concerns.“ National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access „technically impossible.“ One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is „sovereign“ — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for AI and Cloud Control

The 24% rule is a powerful control test that moves beyond traditional security certifications, emphasizing ownership and legal jurisdiction. It exposes the limitations of existing certifications like ISO 27001 or BSI C5, which focus on security practices but do not address sovereignty issues. This rule could shape European cloud procurement and influence global strategies, especially as regulators prioritize sovereignty and control over security alone.

For AI and cloud providers, this means that security certifications alone are insufficient to demonstrate sovereignty. Control over data and legal jurisdiction are now central, affecting how international companies structure their European operations. The rule also incentivizes joint ventures and control arrangements that can circumvent direct foreign ownership limits, raising questions about the true independence of some providers claiming sovereignty.

Amazon

EU data sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and the 24% Ownership Rule

Since 2016, France’s SecNumCloud has set a high bar for sovereignty, requiring legal domicile, data localization, and immunity from non-EU laws. Its unique ownership threshold is a response to the global dominance of US hyperscalers, which cannot meet the sovereignty criteria directly due to their foreign ownership structures. This has led to innovative control arrangements, such as joint ventures, to meet the 24% limit and qualify for sovereignty status.

Other frameworks, like Germany’s BSI C5, focus on security controls and transparency, including jurisdiction disclosures, but do not impose ownership caps. The key difference is that SecNumCloud explicitly tests for ownership and control, making it a more comprehensive measure of sovereignty. As of mid-2026, the scheme is still emerging, with a handful of providers qualifying and others in development.

US providers, unable to meet the ownership cap directly, are adopting joint ventures and control arrangements to navigate the rule, exemplified by the S3NS and Bleu projects. These efforts highlight the evolving landscape of sovereignty certification and the importance of control over data and legal jurisdiction in Europe.

„SecNumCloud is a government-backed qualification that ensures providers meet strict legal and sovereignty requirements, including ownership controls.“

— ANSSI spokesperson

DeskFX Free Audio Effects & Audio Enhancer Software [PC Download]

DeskFX Free Audio Effects & Audio Enhancer Software [PC Download]

Transform audio playing via your speakers and headphones

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Sovereignty and Control Workarounds

It is still unclear how widely the control workaround strategies, such as joint ventures and control arrangements, will be accepted by regulators and whether they will be considered equivalent to direct ownership under future rules. The long-term effectiveness of the 24% rule in preventing foreign dominance remains to be seen, especially as providers innovate new control structures.

Additionally, the impact of the rule on the overall cloud market and whether it will significantly restrict foreign providers‘ ability to operate within the EU are still developing issues. Regulatory interpretations and enforcement practices are evolving, and more clarity is expected in the coming months.

Amazon

ownership verification tools for cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Certification and Sovereignty Enforcement

Moving forward, more cloud providers are expected to seek SecNumCloud qualification by adjusting ownership structures or forming European-controlled joint ventures. Regulatory bodies may also refine rules to address control arrangements explicitly, clarifying whether these will be accepted as sovereignty compliance.

Further developments in the European regulatory landscape could include stricter enforcement of ownership caps or new standards that explicitly address control and legal jurisdiction. The ongoing evolution of these frameworks will shape the future of AI and cloud sovereignty in Europe.

Amazon

European cloud security certification products

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why does the 24% ownership rule matter for AI sovereignty?

The 24% ownership rule directly tests who controls a cloud provider, which is essential for ensuring data sovereignty and legal jurisdiction within Europe. It moves beyond security practices to address control and sovereignty concerns that are critical for sensitive AI data and applications.

Can foreign companies still operate in Europe under this rule?

Yes, but they must structure their control arrangements carefully, often through joint ventures or control shifts, to stay within the ownership limits and qualify for sovereignty certification. Direct ownership by non-EU entities exceeding 24% disqualifies providers from SecNumCloud qualification.

Does certification guarantee immunity from non-EU laws?

No, certifications like SecNumCloud demonstrate compliance with sovereignty criteria but do not eliminate legal exposure to laws like the CLOUD Act. They are a control measure, not a legal shield.

Will the 24% rule prevent US hyperscalers from operating in Europe?

Not entirely. US hyperscalers are adapting through joint ventures and control arrangements to meet the ownership cap, but their overall presence may still be limited by other legal and market factors.

What is the significance of joint ventures like S3NS and Bleu?

These ventures demonstrate how foreign providers are circumventing ownership limits by transferring control to European entities, allowing them to qualify for sovereignty certification despite their foreign ownership structures.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

Technology Operations Signal Monitor: The Future Of Flipper Zero Development

A new role-filtered signal monitor tracks updates on Flipper Zero development, aiding small software teams in early decision-making about platform changes.

7 Best PC Motherboards for Prime Day Deals in 2026

Explore the best PC motherboard deals for Prime Day 2026, including options for AM4 and AM5 platforms, with detailed analysis to help you choose.

Three Public Vulnerabilities. Chained.

A chain of three public vulnerabilities was exploited in the TanStack npm packages, leading to a major supply-chain compromise on May 11, 2026.

7 Best Internal Solid State Drives for Prime Day Deals in 2026

Explore the best internal SSD deals for Prime Day 2026, featuring top picks like SK Hynix Gold P31 2TB, Corsair MP600 Mini, and more for upgrades and speed.