📊 Full opportunity report: Why The 24% Rule Challenges The Validity Of AI Sovereign Certification Processes on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership threshold in France’s SecNumCloud framework questions the ability of current certifications to ensure legal sovereignty. This challenges assumptions about security standards and jurisdictional control in AI cloud services.

The 24% ownership cap in France’s SecNumCloud framework is challenging the validity of existing AI sovereignty certifications, raising questions about whether current standards effectively guarantee legal control over data in cloud services. This development matters because it could reshape how European regulators and organizations assess control and jurisdiction in cloud and AI deployments.

The SecNumCloud qualification, issued by France’s ANSSI, includes a 24% ownership rule that limits foreign control over providers seeking sovereignty status. This rule is arithmetic-based, requiring that individual foreign ownership not exceed 24%, and combined foreign ownership remains below 39%. It is designed to ensure legal sovereignty by preventing foreign influence from surpassing a critical threshold.

While traditional certifications like ISO 27001, SOC 2, and BSI C5 focus on security practices—such as access controls, encryption, and incident response—they do not address ownership or jurisdictional control. The SecNumCloud framework explicitly tests for ownership and control, making it unique among certifications. As of mid-2026, approximately nine providers hold an active SecNumCloud qualification, with several more in progress, including major players like OVHcloud and Scaleway.

This rule has practical implications: U.S.-based hyperscalers cannot qualify directly under SecNumCloud due to ownership restrictions. Instead, they form joint ventures or control structures that keep foreign ownership below the threshold, such as Thales–Google’s S3NS and Capgemini–Orange’s Bleu, where control is shifted to European entities.

At a glance
analysisWhen: developing as of mid-2026
The developmentThe introduction of the 24% ownership rule in France’s SecNumCloud framework is prompting scrutiny of existing AI sovereignty certifications and their capacity to guarantee legal control over data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications for Cloud Sovereignty and Certification Validity

The 24% ownership rule fundamentally challenges the assumption that existing security certifications alone can guarantee legal sovereignty. It emphasizes ownership control as a critical factor, potentially rendering traditional certifications insufficient for sovereignty claims. This shift could influence procurement, compliance, and international cloud strategies, especially for organizations handling sensitive data in Europe.

Providing Assurance to Cloud Computing through ISO 27001 Certification: How Much Cloud is Secured After Implementing Information Security Standards

Providing Assurance to Cloud Computing through ISO 27001 Certification: How Much Cloud is Secured After Implementing Information Security Standards

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and Control Measures

European regulators have increasingly emphasized legal sovereignty over data, especially following concerns about extraterritorial laws like the CLOUD Act. France’s SecNumCloud, created in 2016 and now on version 3.2, is a government-backed qualification that combines ISO 27001-based security standards with a legal sovereignty test—the 24% ownership cap. This approach is part of a broader trend to ensure European control over cloud infrastructure and data, particularly for sensitive sectors like health, energy, and finance.

Existing certifications like BSI C5 focus on security controls and disclosure of jurisdiction, but do not restrict ownership or control directly. The new rule in SecNumCloud, therefore, introduces a control-based threshold that is unique and more restrictive, effectively challenging the adequacy of current security standards to guarantee sovereignty.

“Achieving ISO 27001 is a 1 on the complexity scale; SecNumCloud is a 10. The ownership rule makes sovereignty a matter of arithmetic, not just security.”

— Scalingo CEO

Amazon

European data sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Certification Effectiveness

It remains unclear how existing international security certifications will adapt or be interpreted in light of the ownership control requirement. There is also uncertainty about whether other European or global frameworks will incorporate similar control-based thresholds, or if the 24% rule will be challenged legally or practically by foreign companies attempting to qualify.

Shadow AI From Unsanctioned Use to Enterprise Value: Discovery, Risk Management, and Enablement for the AI-Powered Enterprise (The Agentic Enterprise Series)

Shadow AI From Unsanctioned Use to Enterprise Value: Discovery, Risk Management, and Enablement for the AI-Powered Enterprise (The Agentic Enterprise Series)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Cloud Sovereignty Rules

Expect ongoing debates among regulators, vendors, and legal experts about the effectiveness of the 24% rule and its implications for international cloud providers. Several providers are working to meet the ownership criteria through joint ventures, and further regulatory guidance is anticipated to clarify the scope of sovereignty measures. Monitoring how these rules influence procurement and compliance strategies will be crucial in the coming months.

[1760558206] [9781760558208]Extreme Ownership: How U.S. Navy SEALs Lead and Win-Paperback

[1760558206] [9781760558208]Extreme Ownership: How U.S. Navy SEALs Lead and Win-Paperback

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does the 24% rule impact foreign cloud providers?

Foreign providers must structure ownership or control to keep foreign influence below 24%, often through joint ventures or control arrangements, to qualify under SecNumCloud.

No. Certifications like ISO 27001 or C5 focus on security practices, but the 24% rule explicitly tests for ownership control, which directly influences sovereignty.

Will the 24% rule be adopted outside France?

It is uncertain. While similar control-based thresholds could influence other European frameworks, currently, it is specific to France’s SecNumCloud qualification.

Can U.S. companies still qualify for sovereignty status?

Not directly. U.S.-based providers cannot meet the ownership threshold unless they establish European-controlled entities or joint ventures that satisfy the 24% limit.

What are the implications for AI cloud services?

The rule emphasizes control and ownership, which could affect how AI cloud services are structured and procured within Europe, especially for sensitive or regulated data.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

Apple Is Reaching for Chinese Memory. Europe Doesn’t Even Have That Option.

Apple seeks U.S. approval to buy memory chips from China’s CXMT, exposing Europe’s lack of domestic memory manufacturing and leverage in the global supply chain.

Canadian Pacific Kansas City Surges In Global Coverage

Canadian Pacific Kansas City is experiencing a surge in international coverage, with 56 mentions recently recorded by GDELT, highlighting increased global interest.

Grimfaste: Operations for a Fleet

Grimfaste introduces a new control platform for managing large publishing fleets, focusing on operational health and link integrity, built with EU privacy standards.

Technology Operations Signal Monitor: The Future Of Flipper Zero Development

A new technology operations signal monitor is being tested to track developments like Flipper Zero’s future, targeting small software product leads.