Evaluating AI Sovereignty Certifications: Lessons From The 24% Rule

📊 Full opportunity report: Evaluating AI Sovereignty Certifications: Lessons From The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The SecNumCloud framework introduces a unique ownership cap—24%—to assess legal sovereignty over cloud and AI services. This rule emphasizes control and jurisdiction, impacting providers’ compliance strategies and market positioning.

France’s national cybersecurity agency, ANSSI, has implemented a new sovereignty test within its SecNumCloud qualification, requiring providers to ensure that foreign ownership does not exceed 24%. This rule aims to guarantee legal control over data and services hosted within the European Union, marking a significant shift in how sovereignty is measured in cloud and AI certifications.

SecNumCloud is a government-issued qualification that builds on ISO 27001 but introduces a novel ownership cap—24%—to assess control over cloud providers. Unlike traditional security certifications like ISO 27001 or BSI C5, which verify operational practices, SecNumCloud explicitly tests ownership and jurisdiction. Providers must demonstrate that no single foreign entity holds more than 24% of voting rights, a checkable, arithmetic measure derived from the company’s cap table. As of mid-2026, about ten providers, including OVHcloud and Outscale, hold an active SecNumCloud qualification, with more in the pipeline. This certification is mandatory for hosting sensitive French public-sector data and is being promoted for critical infrastructure across the EU.

Additionally, the certification requires compliance with EU data storage, audited key custody, and immunity from non-EU extraterritorial laws. The 24% ownership rule is considered extremely challenging to meet, especially for US-based providers, who often have significant foreign ownership. To circumvent this, US hyperscalers like AWS have established joint ventures with European companies—such as Thales and Capgemini—that hold operational control, thus complying with the ownership cap while maintaining US legal ties.

At a glance
analysisWhen: developing as of mid-2026
The developmentFrance’s SecNumCloud certification enforces a 24% ownership rule to ensure legal sovereignty over cloud and AI services, challenging traditional security certifications.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Providers

The 24% ownership rule embedded in SecNumCloud represents a fundamental shift in how sovereignty is measured—moving beyond traditional security controls to focus on ownership and control. For European public sector and critical infrastructure, this rule aims to prevent foreign legal reach, particularly from non-EU jurisdictions like the US. It creates a high barrier for providers, especially US-based firms, who must restructure ownership or establish joint ventures to meet the requirement. This development could reshape the competitive landscape, favoring European providers and forcing US giants to adapt their control structures if they wish to access the EU market.

Moreover, the emphasis on legal sovereignty over security practices underscores a broader trend: certifications are increasingly used as legal tools to enforce jurisdictional control, not just operational security. This could influence how companies approach compliance and how regulators define sovereignty in digital services.

Amazon

European cloud sovereignty certification guide

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background on European Sovereignty Certifications

European regulators have long emphasized data sovereignty and control, but traditional certifications like ISO 27001, SOC 2, and BSI C5 focus on operational security practices without addressing jurisdictional control. The introduction of SecNumCloud in 2016 by ANSSI marked a shift toward integrating legal sovereignty into certification schemes. The key innovation was the ownership cap—a clear, arithmetic measure that directly tests control over the provider’s ownership structure. This approach responds to concerns about foreign influence and extraterritorial laws, especially in the context of US cloud providers operating within the EU.

As of 2026, the adoption of SecNumCloud is expanding, driven by legal requirements for sensitive data and critical infrastructure. The framework’s design also influences other European standards and could serve as a model for future sovereignty assessments, especially in AI and emerging technologies.

“The 24% ownership rule is a game-changer because it quantifies control in a way that’s checkable and enforceable, unlike traditional security certifications.”

— Thorsten Meyer, AI compliance expert

Amazon

secure cloud storage with EU data compliance

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About the 24% Sovereignty Rule

It is still unclear how strictly regulators will enforce the ownership cap across different types of providers and whether exceptions or transitional arrangements will be made for existing US-based cloud giants. The long-term impact on US providers’ ability to operate within the EU depends on how strictly joint ventures and control structures are scrutinized. Additionally, the precise legal implications for providers that fall just above the threshold remain to be clarified, as well as how the rule will evolve with market and geopolitical shifts.

Amazon

AI and cloud provider ownership verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Providers and Regulators in EU Cloud Sovereignty

Providers aiming for SecNumCloud certification will need to review their ownership structures and consider restructuring or establishing joint ventures to meet the 24% ownership limit. US firms, in particular, may accelerate the formation of European-controlled entities or joint ventures to comply. Meanwhile, regulators are expected to refine enforcement practices and possibly extend the sovereignty test to other sectors and technologies, including AI. The upcoming years will reveal how this framework influences market dynamics and international cloud service strategies within Europe.

Amazon

cybersecurity certification for cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the significance of the 24% ownership rule in SecNumCloud?

The 24% ownership rule is a quantitative measure designed to ensure legal sovereignty by limiting foreign ownership, thereby reducing external legal influence over cloud services hosted within the EU.

How does SecNumCloud differ from traditional security certifications?

Unlike certifications like ISO 27001 or BSI C5, which verify operational security practices, SecNumCloud explicitly tests ownership and jurisdictional control through a measurable, arithmetic ownership cap.

Can US cloud providers meet the SecNumCloud requirements?

Yes, but they often need to establish joint ventures or restructure ownership so that no single foreign entity exceeds 24% ownership, as seen with AWS’s European Sovereign Cloud and other partnerships.

Will the 24% rule impact US companies’ ability to operate in Europe?

Potentially, yes. US firms may need to adapt their ownership and control structures to comply, which could influence their market strategies and operational models within the EU.

Is the ownership cap likely to be adopted outside France?

While currently specific to France’s SecNumCloud, the concept of quantifiable sovereignty measures could influence broader European or international standards in the future.

Source: ThorstenMeyerAI.com

You May Also Like

The Roblox Cheat That Broke Vercel.

A Roblox auto-farm script downloaded by an employee led to a major breach at Vercel, exposing customer credentials across multiple cloud providers.

The Defender’s Window Is Closing Faster Than Anyone Is Counting

Recent developments in AI cybersecurity reveal offensive capabilities surpassing defensive measures, raising urgent policy and security concerns.

Pentagon AI Goes Explicit: The Frontier Labs Move Inside the Classified Stack

The Pentagon has announced agreements with major AI firms to embed advanced AI models into top-secret networks, marking a shift toward AI-first military operations.

VigilSAR: The Object That Isn’t Transmitting

VigilSAR identifies radar-detected vessels with no transponder signals, enhancing maritime awareness in all weather conditions. Key capabilities demonstrated using Sentinel-1 data.