📊 Full opportunity report: The 24% Rule: A Key To Understanding AI Sovereignty Certification Gaps on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership threshold in France’s SecNumCloud framework is a key measure of sovereignty, highlighting gaps in AI and cloud certifications. This rule tests control, not security, revealing sovereignty challenges for foreign-controlled providers.
The 24% ownership cap in France’s SecNumCloud framework is emerging as a critical benchmark for sovereignty certification and control over cloud providers operating within the EU. This rule directly tests ownership and control, not just security practices, highlighting a significant gap in current certification schemes.
SecNumCloud, created by France’s ANSSI, is a qualification scheme that combines security standards with legal sovereignty requirements, including EU domicile, data storage, and immunity from non-EU laws. Its defining feature is the ownership threshold — no more than 24% of voting rights can be held by non-EU entities, or the provider risks losing sovereignty qualification. This arithmetic rule is unique among European frameworks and directly addresses control, not just security practices.
Currently, about nine or ten providers hold active SecNumCloud qualifications, with major players like OVHcloud, Outscale, and Scaleway. These providers must meet strict criteria, including EU data residency and legal control, to qualify. The rule aims to ensure that providers are genuinely under European control, especially for sensitive public-sector data, which is mandated under France’s Cloud au Centre doctrine.
Foreign cloud providers, particularly US-based hyperscalers, cannot meet the ownership threshold directly, leading to innovative workarounds. These include joint ventures like S3NS (Thales–Google) and Bleu (Capgemini and Orange), where control is shifted to European entities to maintain sovereignty qualification, despite the parent companies’ foreign ownership.
The 24% rule: why most „sovereign cloud“ certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification „is not suited for addressing sovereignty concerns.“ National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access „technically impossible.“ One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is „sovereign“ — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for AI and Cloud Control
The 24% rule is a powerful control test that moves beyond traditional security certifications, emphasizing ownership and legal jurisdiction. It exposes the limitations of existing certifications like ISO 27001 or BSI C5, which focus on security practices but do not address sovereignty issues. This rule could shape European cloud procurement and influence global strategies, especially as regulators prioritize sovereignty and control over security alone.
For AI and cloud providers, this means that security certifications alone are insufficient to demonstrate sovereignty. Control over data and legal jurisdiction are now central, affecting how international companies structure their European operations. The rule also incentivizes joint ventures and control arrangements that can circumvent direct foreign ownership limits, raising questions about the true independence of some providers claiming sovereignty.
EU data sovereignty certification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Sovereignty Frameworks and the 24% Ownership Rule
Since 2016, France’s SecNumCloud has set a high bar for sovereignty, requiring legal domicile, data localization, and immunity from non-EU laws. Its unique ownership threshold is a response to the global dominance of US hyperscalers, which cannot meet the sovereignty criteria directly due to their foreign ownership structures. This has led to innovative control arrangements, such as joint ventures, to meet the 24% limit and qualify for sovereignty status.
Other frameworks, like Germany’s BSI C5, focus on security controls and transparency, including jurisdiction disclosures, but do not impose ownership caps. The key difference is that SecNumCloud explicitly tests for ownership and control, making it a more comprehensive measure of sovereignty. As of mid-2026, the scheme is still emerging, with a handful of providers qualifying and others in development.
US providers, unable to meet the ownership cap directly, are adopting joint ventures and control arrangements to navigate the rule, exemplified by the S3NS and Bleu projects. These efforts highlight the evolving landscape of sovereignty certification and the importance of control over data and legal jurisdiction in Europe.
„SecNumCloud is a government-backed qualification that ensures providers meet strict legal and sovereignty requirements, including ownership controls.“
— ANSSI spokesperson
![DeskFX Free Audio Effects & Audio Enhancer Software [PC Download]](https://m.media-amazon.com/images/I/41fXbDohyuS._SL500_.jpg)
DeskFX Free Audio Effects & Audio Enhancer Software [PC Download]
Transform audio playing via your speakers and headphones
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About Sovereignty and Control Workarounds
It is still unclear how widely the control workaround strategies, such as joint ventures and control arrangements, will be accepted by regulators and whether they will be considered equivalent to direct ownership under future rules. The long-term effectiveness of the 24% rule in preventing foreign dominance remains to be seen, especially as providers innovate new control structures.
Additionally, the impact of the rule on the overall cloud market and whether it will significantly restrict foreign providers‘ ability to operate within the EU are still developing issues. Regulatory interpretations and enforcement practices are evolving, and more clarity is expected in the coming months.
ownership verification tools for cloud providers
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Certification and Sovereignty Enforcement
Moving forward, more cloud providers are expected to seek SecNumCloud qualification by adjusting ownership structures or forming European-controlled joint ventures. Regulatory bodies may also refine rules to address control arrangements explicitly, clarifying whether these will be accepted as sovereignty compliance.
Further developments in the European regulatory landscape could include stricter enforcement of ownership caps or new standards that explicitly address control and legal jurisdiction. The ongoing evolution of these frameworks will shape the future of AI and cloud sovereignty in Europe.
European cloud security certification products
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Why does the 24% ownership rule matter for AI sovereignty?
The 24% ownership rule directly tests who controls a cloud provider, which is essential for ensuring data sovereignty and legal jurisdiction within Europe. It moves beyond security practices to address control and sovereignty concerns that are critical for sensitive AI data and applications.
Can foreign companies still operate in Europe under this rule?
Yes, but they must structure their control arrangements carefully, often through joint ventures or control shifts, to stay within the ownership limits and qualify for sovereignty certification. Direct ownership by non-EU entities exceeding 24% disqualifies providers from SecNumCloud qualification.
Does certification guarantee immunity from non-EU laws?
No, certifications like SecNumCloud demonstrate compliance with sovereignty criteria but do not eliminate legal exposure to laws like the CLOUD Act. They are a control measure, not a legal shield.
Will the 24% rule prevent US hyperscalers from operating in Europe?
Not entirely. US hyperscalers are adapting through joint ventures and control arrangements to meet the ownership cap, but their overall presence may still be limited by other legal and market factors.
What is the significance of joint ventures like S3NS and Bleu?
These ventures demonstrate how foreign providers are circumventing ownership limits by transferring control to European entities, allowing them to qualify for sovereignty certification despite their foreign ownership structures.
Source: ThorstenMeyerAI.com