📊 Full opportunity report: Examining The 24% Rule: Are AI Sovereignty Certifications Meaningful? on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership cap is a key criterion in France’s SecNumCloud framework, testing foreign control over providers. Its practical implications and effectiveness are still being evaluated, with few providers currently certified.
The 24% ownership rule in France’s SecNumCloud framework is a unique legal sovereignty requirement that tests control over cloud providers by restricting foreign ownership to less than 24%. This rule is central to the certification’s purpose of ensuring European legal sovereignty over sensitive data, and it is now a key criterion for providers seeking to operate within French and European public sectors.
SecNumCloud, created by France’s ANSSI in 2016, is a qualification rather than a traditional certification. It assesses providers based on 360 criteria across technical, organizational, operational, and legal domains, with a focus on legal sovereignty. The ownership cap—less than 24% foreign control—is the only explicit arithmetic test, designed to prevent non-EU entities from exerting control over providers hosting sensitive data.
As of mid-2026, approximately nine to ten providers have obtained an active SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. The certification is mandatory for hosting French public-sector data and is being pushed for critical infrastructure and essential services, impacting sectors like health, energy, finance, and transportation.
Other frameworks like BSI C5 and EUCS focus on security controls and operational practices but do not explicitly address sovereignty or control, making the 24% rule distinct in its approach to legal ownership and jurisdiction.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for European Data Control
The 24% ownership rule represents a novel approach to ensuring European sovereignty over cloud and AI services. By quantifying control through ownership percentages, it aims to prevent foreign governments and non-EU entities from exerting influence over critical data infrastructure. This has significant implications for US-based hyperscalers and other non-EU providers, who must adjust ownership structures to qualify.
While the rule enhances legal sovereignty, experts note it does not automatically guarantee security or compliance with other standards. Its effectiveness in preventing extraterritorial legal reach depends on implementation and enforcement.
ISO 27001 cybersecurity certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Legal and Technical Foundations of the 24% Control Rule
SecNumCloud is a government-backed qualification that builds on ISO 27001 but adds specific legal sovereignty requirements, including EU data residency, audited key custody, and immunity from non-EU law. The ownership cap—less than 24% foreign control—is a distinctive feature designed to safeguard European legal jurisdiction.
Other frameworks like BSI C5 focus on security controls and disclosure of jurisdiction but do not impose ownership limits. AWS’s European Sovereign Cloud, for example, maintains compliance with C5 but remains subject to US law, illustrating the distinction between security certifications and sovereignty controls.
The rule’s arithmetic nature makes it a strict control that is difficult to achieve, with providers like OVHcloud and Outscale actively pursuing certification amid complex ownership restructuring.
“The 24% rule is the most straightforward test of ownership control, expressed as an arithmetic cap, and it is the only sovereignty measure in SecNumCloud.”
— Thorsten Meyer
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About the 24% Control Limit’s Effectiveness
It is still unclear how effectively the 24% ownership cap will prevent non-EU control in practice, especially as providers restructure ownership to qualify. The long-term impact on foreign investment and control remains uncertain, and enforcement mechanisms are still being tested.
Additionally, the extent to which the rule will influence global cloud market dynamics and whether it will serve as a model for other jurisdictions are still developing issues.
cloud security compliance tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Certification Adoption and Policy Development
More providers are expected to pursue SecNumCloud certification as it becomes mandatory for certain sectors. The French government and ANSSI are likely to refine implementation guidelines and enforcement practices. International providers may further adapt ownership structures to meet the 24% rule, and discussions about its broader influence on European data sovereignty are ongoing.
Observers will monitor the certification’s impact on market competition, foreign investment, and the evolution of sovereignty standards in cloud and AI services.
data sovereignty compliance software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the purpose of the 24% ownership rule in SecNumCloud?
The rule aims to prevent non-EU control over providers hosting sensitive European data, thereby safeguarding European legal sovereignty.
How many providers currently hold SecNumCloud certification?
As of mid-2026, about nine to ten providers, including OVHcloud and Outscale, have obtained the qualification.
Does the 24% rule guarantee security or compliance?
No, it specifically tests ownership control; security compliance is assessed separately through other frameworks like ISO 27001 or C5.
Can US-based companies qualify for SecNumCloud?
They can only qualify if they restructure ownership to ensure foreign control remains below 24%, as US companies are generally ineligible due to jurisdictional restrictions.
Source: ThorstenMeyerAI.com