📊 Full opportunity report: Examining The 24% Rule: Are AI Sovereignty Certifications Meaningful? on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership cap is a key criterion in France’s SecNumCloud framework, testing foreign control over providers. Its practical implications and effectiveness are still being evaluated, with few providers currently certified.

The 24% ownership rule in France’s SecNumCloud framework is a unique legal sovereignty requirement that tests control over cloud providers by restricting foreign ownership to less than 24%. This rule is central to the certification’s purpose of ensuring European legal sovereignty over sensitive data, and it is now a key criterion for providers seeking to operate within French and European public sectors.

SecNumCloud, created by France’s ANSSI in 2016, is a qualification rather than a traditional certification. It assesses providers based on 360 criteria across technical, organizational, operational, and legal domains, with a focus on legal sovereignty. The ownership cap—less than 24% foreign control—is the only explicit arithmetic test, designed to prevent non-EU entities from exerting control over providers hosting sensitive data.

As of mid-2026, approximately nine to ten providers have obtained an active SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. The certification is mandatory for hosting French public-sector data and is being pushed for critical infrastructure and essential services, impacting sectors like health, energy, finance, and transportation.

Other frameworks like BSI C5 and EUCS focus on security controls and operational practices but do not explicitly address sovereignty or control, making the 24% rule distinct in its approach to legal ownership and jurisdiction.

At a glance
analysisWhen: developing; as of mid-2026, some provid…
The developmentThe article examines the significance and current status of the 24% ownership rule in European AI sovereignty certifications, particularly SecNumCloud.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for European Data Control

The 24% ownership rule represents a novel approach to ensuring European sovereignty over cloud and AI services. By quantifying control through ownership percentages, it aims to prevent foreign governments and non-EU entities from exerting influence over critical data infrastructure. This has significant implications for US-based hyperscalers and other non-EU providers, who must adjust ownership structures to qualify.

While the rule enhances legal sovereignty, experts note it does not automatically guarantee security or compliance with other standards. Its effectiveness in preventing extraterritorial legal reach depends on implementation and enforcement.

Amazon

ISO 27001 cybersecurity certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Legal and Technical Foundations of the 24% Control Rule

SecNumCloud is a government-backed qualification that builds on ISO 27001 but adds specific legal sovereignty requirements, including EU data residency, audited key custody, and immunity from non-EU law. The ownership cap—less than 24% foreign control—is a distinctive feature designed to safeguard European legal jurisdiction.

Other frameworks like BSI C5 focus on security controls and disclosure of jurisdiction but do not impose ownership limits. AWS’s European Sovereign Cloud, for example, maintains compliance with C5 but remains subject to US law, illustrating the distinction between security certifications and sovereignty controls.

The rule’s arithmetic nature makes it a strict control that is difficult to achieve, with providers like OVHcloud and Outscale actively pursuing certification amid complex ownership restructuring.

“The 24% rule is the most straightforward test of ownership control, expressed as an arithmetic cap, and it is the only sovereignty measure in SecNumCloud.”

— Thorsten Meyer

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About the 24% Control Limit’s Effectiveness

It is still unclear how effectively the 24% ownership cap will prevent non-EU control in practice, especially as providers restructure ownership to qualify. The long-term impact on foreign investment and control remains uncertain, and enforcement mechanisms are still being tested.

Additionally, the extent to which the rule will influence global cloud market dynamics and whether it will serve as a model for other jurisdictions are still developing issues.

Amazon

cloud security compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Certification Adoption and Policy Development

More providers are expected to pursue SecNumCloud certification as it becomes mandatory for certain sectors. The French government and ANSSI are likely to refine implementation guidelines and enforcement practices. International providers may further adapt ownership structures to meet the 24% rule, and discussions about its broader influence on European data sovereignty are ongoing.

Observers will monitor the certification’s impact on market competition, foreign investment, and the evolution of sovereignty standards in cloud and AI services.

Amazon

data sovereignty compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the purpose of the 24% ownership rule in SecNumCloud?

The rule aims to prevent non-EU control over providers hosting sensitive European data, thereby safeguarding European legal sovereignty.

How many providers currently hold SecNumCloud certification?

As of mid-2026, about nine to ten providers, including OVHcloud and Outscale, have obtained the qualification.

Does the 24% rule guarantee security or compliance?

No, it specifically tests ownership control; security compliance is assessed separately through other frameworks like ISO 27001 or C5.

Can US-based companies qualify for SecNumCloud?

They can only qualify if they restructure ownership to ensure foreign control remains below 24%, as US companies are generally ineligible due to jurisdictional restrictions.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

The External Archive Drive Decision That Helps With Long-Term Retention

Great external archive drives ensure long-term retention, but choosing the right one depends on factors you may not have considered yet.

The Storage Setup Smart Offices Choose Before Disaster Strikes

Just as disasters threaten, discovering the optimal storage setup can be the key to safeguarding your office’s future resilience.

The Postage Meter Decision That Matters More for Busy Offices Than Expected

Choosing the right postage meter can significantly impact your busy office’s efficiency and costs—discover what factors truly matter to make the best decision.

Why Investors Ask for Process Transparency Even in Small Raises

Transparency in small raises builds investor trust and integrity, but understanding how to implement it effectively can make all the difference.