📊 Full opportunity report: AI Sovereignty Certification Challenges: Insights From The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership cap in France’s SecNumCloud framework is a key test for AI sovereignty, challenging US-based providers and shaping future European cloud standards. The rule’s implications are still unfolding.

France’s national cybersecurity agency, ANSSI, has implemented a new sovereignty criterion in its SecNumCloud certification: a 24% ownership cap for non-EU companies. This rule directly tests whether foreign governments can exert legal influence over cloud providers, marking a significant shift in European AI and cloud sovereignty efforts. The development matters because it could reshape how international tech firms operate in regulated European markets and influence global standards.

SecNumCloud, created by ANSSI in 2016 and now at version 3.2, is a qualification rather than a certification. It requires providers to meet strict legal and operational criteria, including EU data storage, audited key custody, and immunity from non-EU extraterritorial laws. The 24% ownership rule is a straightforward, arithmetic test: no individual or group of non-EU companies can hold more than 24% of voting rights in a provider. This rule aims to guarantee legal sovereignty by limiting foreign control.

As of mid-2026, around ten providers hold an active SecNumCloud qualification, including OVHcloud and Scaleway, with more in the pipeline. The rule is mandatory for French public sector data hosting and is being extended to operators of vital importance and essential services under EU directives. US hyperscalers like AWS cannot directly qualify because of their ownership structures, prompting them to create joint ventures with European control, such as Thales–Google S3NS and Capgemini–Orange Bleu, to comply with the ownership cap.

At a glance
reportWhen: developing, as of mid-2026
The developmentFrance’s SecNumCloud framework enforces a 24% ownership limit to ensure legal sovereignty over cloud and AI providers, posing certification challenges for international companies.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Legal Sovereignty and International Cloud Operations

The 24% ownership rule signifies a fundamental shift toward ensuring European legal sovereignty over cloud and AI infrastructure. It challenges US and other non-EU providers by limiting foreign control, potentially restricting their ability to operate fully within the European market without local partnerships. This development could lead to increased reliance on European-controlled providers and influence global standards for data sovereignty and AI governance.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Certification Frameworks and Sovereignty Measures

Security certifications like ISO 27001, SOC 2, and BSI C5 primarily assess operational security practices but do not address legal jurisdiction or sovereignty. In contrast, France’s SecNumCloud adds a legal dimension, explicitly requiring EU domicile, EU-only data storage, and immunity from non-EU laws, with the ownership cap being a key component. This approach reflects broader European efforts to assert legal control over data and AI infrastructure amid increasing geopolitical tensions and extraterritorial laws like the US CLOUD Act.

US hyperscalers have responded by forming joint ventures with European firms, aiming to meet the ownership restrictions while maintaining their service offerings. For example, Thales and Google’s S3NS, and Capgemini and Orange’s Bleu, are structured to comply with the 24% rule, illustrating the practical impact of the framework on international cloud strategies.

“The 24% ownership rule is a simple arithmetic test, but its implications are profound — it directly challenges US-based providers’ ability to control and operate within France’s sovereignty framework.”

— Thorsten Meyer, AI compliance expert

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6x6 Blueprint for Data Sovereignty and Trusted Analytics. ... series for enterprise transformation)

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6×6 Blueprint for Data Sovereignty and Trusted Analytics. … series for enterprise transformation)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Implementation and Global Impact

It remains unclear how widespread the adoption of joint ventures will become among US and European providers, and whether other countries will adopt similar sovereignty measures. The long-term effectiveness of the 24% rule in preventing foreign influence is also uncertain, especially as providers innovate around ownership structures. Additionally, the impact on multinational cloud strategies and the potential for regulatory arbitrage are still developing.

Amazon

cloud ownership structure analysis software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Cloud Sovereignty Standards

Expect further clarification from ANSSI and European regulators on the application of the 24% rule, including potential updates to the framework. More providers are likely to seek SecNumCloud qualification through European-controlled joint ventures. Additionally, legal and geopolitical debates around sovereignty and extraterritorial laws will shape future policy, possibly leading to new standards or revisions in existing frameworks.

PLUS Japan, Peek-Proof Security Folder Camouflage A4 Clear, 5 Pieces Pack

PLUS Japan, Peek-Proof Security Folder Camouflage A4 Clear, 5 Pieces Pack

Protect your confidential documents from prying eyes

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the significance of the 24% ownership rule in SecNumCloud?

The 24% rule is a straightforward arithmetic test designed to ensure European legal sovereignty by preventing foreign control over cloud providers, especially US-based companies.

Can US tech giants qualify directly under SecNumCloud?

No, US-based providers cannot meet the ownership restrictions directly. Instead, they form joint ventures with European control to comply with the 24% ownership cap.

Does certification guarantee immunity from non-EU laws?

No, certifications like SecNumCloud attest to operational security and legal control but do not eliminate the applicability of laws like the CLOUD Act. The ownership rule aims to limit foreign influence, not legal jurisdiction entirely.

How does this affect international cloud providers operating in Europe?

Providers must restructure ownership or form European-controlled joint ventures to meet sovereignty requirements, potentially impacting their operational models and strategic decisions.

Will other European countries adopt similar sovereignty rules?

It is possible, as the focus on legal sovereignty grows within the EU, but specific frameworks and thresholds may vary depending on national policies and legal considerations.

Source: ThorstenMeyerAI.com

You May Also Like

Loan covenant calendar for bootstrapped companies

A new workflow tool for small companies to manage loan obligations is in testing, focusing on extracting and tracking covenant requirements.

The Trust Shock: What Suspending Fable 5 Means for US AI, Its Rivals, and the World

The abrupt suspension of Anthropic’s Fable 5 highlights US government risks, affecting AI confidence, rivals, and global industry dynamics.

The clause. How a contractual definition of AGI met the capital built on top of it.

An analysis of how the original AGI clause in the Microsoft–OpenAI contract was renegotiated, shifting from a doomsday trigger to an administrative milestone.

Three Days at the Frontier: Washington Suspends Fable 5 and Mythos 5

The US government has suspended access to Anthropic’s Fable 5 and Mythos 5 models over a contested jailbreak, marking a significant geopolitical move in AI regulation.