How The 24% Rule Challenges The Credibility Of AI Sovereignty Certifications

📊 Full opportunity report: How The 24% Rule Challenges The Credibility Of AI Sovereignty Certifications on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership cap in France’s SecNumCloud framework tests legal sovereignty, challenging the credibility of traditional security certifications. This impacts how providers demonstrate control over data and jurisdiction.

France’s SecNumCloud framework introduces a 24% ownership cap that tests legal sovereignty over cloud services, challenging the credibility of traditional security certifications in demonstrating control over data jurisdiction. This development has significant implications for providers and regulators, especially in the context of AI and sensitive data hosting.

The 24% ownership rule is a key criterion of France’s SecNumCloud qualification, established by ANSSI, France’s national cybersecurity agency. It stipulates that foreign companies must hold no more than 24% of voting rights or capital in a provider to qualify, effectively ensuring EU legal sovereignty.

Unlike typical security certifications such as ISO 27001 or SOC 2, which certify security practices, SecNumCloud’s ownership rule directly tests who controls the provider and under which jurisdiction it operates. This makes it a legal sovereignty test, not merely a security standard.

As of mid-2026, approximately nine to ten providers hold an active SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway, with more in the pipeline. The rule is mandatory for hosting sensitive French public-sector data and is expected to extend to critical infrastructure sectors.

At a glance
reportWhen: developing as of mid-2026
The developmentThe 24% ownership rule in France’s SecNumCloud framework is reshaping perceptions of AI sovereignty certifications and legal control over data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap on Data Control

The 24% ownership rule fundamentally shifts how sovereignty is demonstrated in cloud services. It emphasizes ownership and control over legal jurisdiction, challenging the reliance on traditional security certifications that do not address legal sovereignty.

This development could influence global cloud procurement and regulatory standards, especially as other European countries consider similar legal sovereignty measures. It also complicates the landscape for US-based hyperscalers operating in Europe, as they must adapt control structures to meet sovereignty criteria without losing access to local markets.

Ultimately, this rule raises questions about the credibility and sufficiency of current AI and cloud certifications in ensuring legal control over data, which is critical for sensitive applications like AI training and deployment.

Amazon

ISO 27001 security certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background of Sovereignty and Certification Standards

Traditional security certifications such as ISO 27001, SOC 2, and BSI C5 focus on security practices — access controls, encryption, incident response — without addressing legal jurisdiction. These certifications are widely recognized but do not prevent a provider from being subject to extraterritorial laws like the US CLOUD Act.

France’s SecNumCloud was introduced in 2016 to go beyond security practices by embedding legal sovereignty requirements, including EU data storage, audited key custody, and a ownership cap of 24%. This approach directly tests who owns and controls the provider, not just how it operates.

Meanwhile, in Germany, the BSI C5 scheme certifies control implementation but does not explicitly address jurisdiction or ownership. Both frameworks highlight the growing importance of legal control in cloud security standards.

“SecNumCloud is designed to ensure that providers are not only secure but also under EU jurisdiction, with ownership limits as a core component.”

— Anssi representative

Amazon

cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Impact on Global Cloud and AI Strategies

It is still unclear how widely the ownership rule will influence international cloud providers and AI deployment. US hyperscalers are adapting control structures, but the exact legal and operational implications are still evolving. Additionally, the long-term effectiveness of the ownership cap in ensuring EU data sovereignty remains to be seen, especially as providers seek ways to circumvent or comply with the rule.

Further, the potential for legal challenges or policy shifts could alter the framework’s impact, making the future landscape uncertain.

Amazon

cybersecurity compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Sovereignty Certification and Market Adoption

Expect more providers to pursue SecNumCloud certification as the framework becomes mandatory for sensitive data hosting in France and potentially other EU countries. Providers will likely explore control structures to meet the 24% ownership limit, including joint ventures or ownership restructuring.

Regulators and industry bodies may also develop new standards or adaptations based on the sovereignty model, influencing global certification practices. Monitoring how US and other non-EU providers respond will be critical in understanding the future of AI sovereignty and cloud control.

Amazon

data sovereignty monitoring software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does the 24% ownership rule differ from traditional security certifications?

The 24% rule specifically tests who owns and controls the provider, focusing on legal sovereignty, whereas traditional certifications like ISO 27001 mainly assess security practices.

Can a provider with a high percentage of US ownership meet the sovereignty requirements?

Yes, but they must structure ownership so that no individual or combined foreign entity exceeds 24%, often through joint ventures or control arrangements, which complicates compliance.

Will the ownership rule prevent US hyperscalers from operating in Europe?

Not necessarily. US hyperscalers can still operate by restructuring control and ownership, but they must adhere to the 24% cap and demonstrate legal sovereignty compliance.

Does SecNumCloud certification guarantee immunity from US or other extraterritorial laws?

No. While it tests control and jurisdiction, it does not exempt providers from laws like the CLOUD Act. It aims to limit control by foreign laws but cannot eliminate legal exposure entirely.

How might this influence AI deployment and sovereignty?

The framework emphasizes ownership and control over data, which could lead to more localized AI training and deployment within EU-controlled providers, affecting global AI strategies.

Source: ThorstenMeyerAI.com

You May Also Like

Week Three — Foundation model vs Brownian motion. Kronos on five-minute BTC.

Testing Kronos against Brownian motion for 5-minute BTC predictions shows no significant outperformance, challenging assumptions about modern models’ advantages.

Stellantis unveils $70 billion turnaround plan, targets positive cash flow by 2027

Stellantis announced a €60 billion ($69.7B) five-year strategy aiming for positive free cash flow by 2027, with major investments and new vehicle launches.

Forezai · Polybot: When the AI Disagrees With the Odds

Polybot, an open-source AI trading bot, attempts to identify when its probability estimates diverge from prediction market prices, raising questions about AI-driven trading accuracy.

The Nordics: Protect the Worker, Not the Job

Exploring how Nordic countries prioritize worker security over job preservation, enabling smoother transitions amid automation and economic change.