📊 Full opportunity report: Examining The Reliability Of AI Sovereignty Certifications Through The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The article examines the effectiveness of the 24% ownership rule in SecNumCloud, questioning whether certifications truly guarantee legal sovereignty over data. It highlights recent provider adaptations and ongoing debates about certification reliability.
European cybersecurity standards now include a specific ownership threshold—the 24% rule—to determine legal sovereignty over data in AI and cloud services. This criterion, part of France’s SecNumCloud qualification, is gaining attention for its potential to enforce ownership control and limit extraterritorial legal reach, making it a key focus for providers and regulators.
SecNumCloud, issued by France’s ANSSI, incorporates a legal sovereignty test requiring that companies not based in the EU hold less than 24% ownership, either individually or collectively, to qualify. This arithmetic threshold is designed to ensure control over data and prevent foreign legal systems from exerting influence. Currently, about a dozen providers, including OVHcloud and Outscale, hold an active SecNumCloud qualification, with several more in the pipeline.
While traditional certifications such as ISO 27001, SOC 2, and BSI C5 focus on security practices, SecNumCloud emphasizes ownership and jurisdictional immunity. The distinction is critical: a provider can hold multiple security badges but still be subject to foreign laws if ownership exceeds the 24% limit. This rule has prompted US-based hyperscalers to modify control structures, often through joint ventures like Thales–Google’s S3NS or Capgemini–Orange’s Bleu, to meet the threshold without changing their legal identity.
Despite the strictness of the rule, experts note that achieving compliance is highly complex, with Scalingo’s CEO comparing SecNumCloud’s difficulty to a 10 on a 1-to-10 scale, compared to ISO 27001’s 1. The rule’s arithmetic nature makes it verifiable from a company’s ownership cap table, but it does not address other sovereignty concerns such as legal jurisdiction or data access rights.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Rule for Data Sovereignty
The 24% rule represents a fundamental shift in how European regulators assess legal control over cloud and AI services. Its emphasis on ownership structure aims to prevent foreign governments from exerting extraterritorial influence over sensitive data. For providers, this means restructuring ownership and control mechanisms, often through joint ventures, to meet sovereignty criteria. For users, it raises questions about the trustworthiness of certifications and whether they truly guarantee legal immunity.
As the rule becomes more widely adopted, especially for critical sectors such as healthcare, finance, and energy, it could significantly limit the participation of US-based hyperscalers in the European market unless they adapt control structures accordingly. This development could accelerate the emergence of European-controlled cloud ecosystems and influence global standards for data sovereignty.
AI sovereignty certification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Origins and Development of the 24% Control Limit
The 24% ownership threshold is a core component of France’s SecNumCloud qualification, introduced by ANSSI in 2016 and now in version 3.2. It emerged from the need to ensure legal sovereignty over cloud services hosting sensitive data, especially in the context of increasing geopolitical tensions and extraterritorial laws such as the CLOUD Act.
Unlike typical security certifications, SecNumCloud explicitly requires EU domicile, data storage, and audited key custody. The unique feature is its ownership cap, which is expressed as a simple arithmetic check—companies not based in the EU must hold less than 24% ownership to qualify. This rule is designed to be verifiable from corporate ownership structures and is intended to prevent foreign control.
Currently, providers like OVHcloud and Outscale have achieved SecNumCloud status, often restructuring their ownership models to stay below the threshold, especially US firms seeking to access the European market under strict sovereignty criteria.
“Achieving SecNumCloud is like a 10 out of 10 in complexity—far beyond typical security standards.”
— Scalingo CEO
Unanswered Questions About the 24% Rule’s Effectiveness
It remains unclear how effectively the 24% ownership threshold prevents foreign legal influence over data in practice. Critics argue that ownership control does not automatically equate to legal immunity, especially given the complexities of international law and corporate structures. There is also ongoing debate about whether the rule sufficiently addresses other sovereignty issues, such as data access rights, government influence, and jurisdictional enforcement.
Furthermore, the long-term impact of these control restructuring efforts on the competitive landscape and whether they truly guarantee legal immunity remains to be seen. Regulatory bodies have yet to publish comprehensive evaluations of the rule’s real-world effectiveness.
Future of the 24% Control Threshold and Certification Landscape
Regulators and industry stakeholders are expected to continue refining the application of the 24% rule, with more providers attempting to restructure ownership to qualify for SecNumCloud. As of mid-2026, about a dozen providers hold active certifications, and several more are in process. The European Commission and national agencies may also introduce additional controls or complementary standards to address remaining sovereignty concerns.
In parallel, legal debates over jurisdictional immunity, extraterritorial laws, and the true meaning of sovereignty are likely to intensify, influencing future certification criteria and compliance strategies. The ongoing evolution of these standards will shape the European cloud and AI ecosystem for years to come.
Key Questions
Does meeting the 24% ownership rule guarantee legal immunity from foreign laws?
No, the 24% rule primarily addresses ownership control; it does not automatically confer immunity from foreign laws or jurisdictional influence.
Can US-based cloud providers still qualify under SecNumCloud?
Yes, but they must restructure control and ownership to ensure that no more than 24% of ownership is held by foreign entities, often through joint ventures or control arrangements.
Is the 24% rule sufficient to guarantee data sovereignty?
It is a significant control measure, but its sufficiency depends on broader legal and geopolitical factors. Its effectiveness in preventing foreign influence is still under evaluation.
Will the ownership rule impact the presence of US hyperscalers in Europe?
Yes, it may limit their ability to operate natively unless they adapt ownership and control structures to meet the threshold.
Source: ThorstenMeyerAI.com