Assessing AI Sovereignty Certification Quality Through The 24% Rule

📊 Full opportunity report: Assessing AI Sovereignty Certification Quality Through The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

France’s SecNumCloud certification introduces a unique ownership threshold—24%—to assess legal sovereignty over cloud services. This approach emphasizes control and jurisdiction, impacting providers and European data security standards.

France’s national cybersecurity agency ANSSI has implemented a new sovereignty test for cloud providers, using a simple arithmetic rule: no single foreign owner can hold more than 24% ownership in a service provider. This rule, embedded in the SecNumCloud qualification, directly assesses legal sovereignty, making it a critical factor for providers operating in or targeting the European market.

The SecNumCloud scheme, created in 2016 and now at referential version 3.2, is not a traditional certification but a government-issued qualification. It involves a rigorous audit process and requires providers to meet technical, organizational, operational, and legal criteria, including EU data residency, audited key custody, and immunity from non-EU extraterritorial laws. The core of the sovereignty test is the ownership cap: 24% of voting rights or capital held by non-EU entities. This arithmetic threshold is designed to ensure that control remains within the European jurisdiction, directly addressing concerns over foreign legal influence.

As of mid-2026, about nine to ten providers, such as OVHcloud and Scaleway, have achieved SecNumCloud qualification, with more in progress. The scheme is mandatory for hosting sensitive French public-sector data and is being pushed for broader applications, including critical infrastructure. The ownership rule is considered extremely difficult to meet, with scalingo’s CEO comparing it to a 10 on a complexity scale, versus 1 for ISO 27001.

At a glance
reportWhen: developing; as of mid-2026, several pro…
The developmentFrance’s SecNumCloud certification employs a 24% ownership rule to evaluate legal sovereignty of cloud providers, marking a shift in European AI and data security certification standards.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Sovereignty

This ownership threshold represents a novel approach to legal sovereignty in cloud services, emphasizing control over data and legal jurisdiction rather than just security practices. It shifts the focus from technical compliance to ownership structure, potentially influencing procurement decisions and international cloud strategies in Europe. The scheme aims to limit foreign influence, especially from US-based companies, by ensuring that no single non-EU entity can dominate ownership, thus safeguarding European data sovereignty and legal independence.

For vendors, achieving SecNumCloud qualification demonstrates compliance with strict sovereignty criteria, but it does not exempt them from existing jurisdictional laws like the CLOUD Act. The rule’s impact extends beyond certification, shaping how companies structure ownership and control to meet European legal standards.

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and the 24% Control Rule

European countries have been developing various frameworks to enhance data sovereignty amid concerns over foreign legal influence. France’s SecNumCloud, established in 2016, is unique in explicitly quantifying sovereignty through ownership caps. Other standards, such as Germany’s BSI C5, focus on security controls and legal disclosures but do not impose ownership restrictions. The BSI C5 standard, for example, requires providers to disclose jurisdiction and legal obligations but does not limit ownership percentages. The introduction of the 24% rule marks a new paradigm—moving from disclosure and control measures to a tangible ownership threshold that can be objectively checked from a cap table.

US hyperscalers, unable to meet the ownership restrictions directly, have adapted by creating joint ventures or controlled subsidiaries where operational control is separated, like Thales–Google’s S3NS or Capgemini–Orange’s Bleu. These arrangements exemplify how the rule influences corporate structuring to maintain compliance while operating within the US-originated infrastructure.

“The 24% ownership rule is a straightforward arithmetic test that effectively measures legal sovereignty, making it a powerful tool for European cloud control.”

— Thorsten Meyer, AI security expert

Amazon

data sovereignty certification products

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About the 24% Sovereignty Test

It is still unclear how widely the ownership rule will be adopted outside France, or how it will influence international cloud procurement policies. The long-term effectiveness of the 24% cap in preventing foreign influence, especially through complex ownership structures, remains to be seen. Additionally, the impact on US-based hyperscalers and their European joint ventures is evolving, with some providers creating controlled subsidiaries to bypass direct ownership limits. The legal and operational implications of these arrangements are still being evaluated, and the full scope of the scheme’s influence on the cloud market is yet to be determined.

The Cybersecurity Body of Knowledge (Security, Audit and Leadership Series)

The Cybersecurity Body of Knowledge (Security, Audit and Leadership Series)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for European Cloud Sovereignty Certification

Additional providers are expected to pursue SecNumCloud qualification, especially as France extends its sovereignty requirements to critical infrastructure and vital sectors. The scheme may serve as a blueprint for other European countries developing similar control measures. Monitoring how providers adapt their ownership structures and how regulators enforce the 24% rule will be crucial. Furthermore, discussions about expanding or refining the rule to address emerging ownership complexities are likely in the coming months, shaping the future landscape of European cloud sovereignty.

I Survived Residency Black Cat Residency Graduation Doctors T-Shirt

I Survived Residency Black Cat Residency Graduation Doctors T-Shirt

Cat design. I Survived Residency. Funny Black Cat Residency graduation gift for doctors and Medical student or Medical…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does the 24% ownership rule differ from other security certifications?

Unlike standards like ISO 27001 or SOC 2, which assess security practices, the 24% rule directly measures legal sovereignty by limiting foreign ownership. It is a quantitative control that can be checked from ownership records, not just a security or procedural assessment.

Can US cloud providers meet the SecNumCloud requirements?

US providers can attempt to meet the requirements by structuring ownership through joint ventures or controlled subsidiaries where no single non-EU owner exceeds 24%. However, fully complying with the sovereignty test remains challenging due to the ownership restrictions.

No. While the qualification demonstrates compliance with sovereignty criteria, it does not exempt providers from jurisdictional laws like the CLOUD Act. It primarily addresses control and ownership within the EU context.

Is the ownership rule likely to be adopted outside France?

It is uncertain. While other European countries are exploring sovereignty measures, the 24% ownership cap is specific to France’s legal framework. Its adoption elsewhere would depend on national policy decisions and market responses.

Source: ThorstenMeyerAI.com

You May Also Like

GDPR Testing Checklist: Avoid Million‑Euro Fines

Optimize your GDPR compliance with our testing checklist to prevent costly fines—discover essential steps to safeguard your data practices today.

Contractor onboarding checklist for small construction firms

A new onboarding checklist for small construction firms is being tested to streamline subcontractor onboarding, aiming to reduce admin gaps and speed up project mobilization.

How to Store Customer-Like Test Data Safely (Without Killing Realism)

Protect customer-like test data with advanced techniques to ensure security without sacrificing realism—discover how to keep your data safe and effective.

Glasspane: When Transparency Itself Becomes the Product

Glasspane introduces role-aware dashboards and AI-driven insights, making infrastructure transparency accessible and actionable for all stakeholders.