📊 Full opportunity report: Examining The Reliability Of AI Sovereignty Certifications Through The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The article examines the effectiveness of the 24% ownership rule in SecNumCloud, questioning whether certifications truly guarantee legal sovereignty over data. It highlights recent provider adaptations and ongoing debates about certification reliability.

European cybersecurity standards now include a specific ownership threshold—the 24% rule—to determine legal sovereignty over data in AI and cloud services. This criterion, part of France’s SecNumCloud qualification, is gaining attention for its potential to enforce ownership control and limit extraterritorial legal reach, making it a key focus for providers and regulators.

SecNumCloud, issued by France’s ANSSI, incorporates a legal sovereignty test requiring that companies not based in the EU hold less than 24% ownership, either individually or collectively, to qualify. This arithmetic threshold is designed to ensure control over data and prevent foreign legal systems from exerting influence. Currently, about a dozen providers, including OVHcloud and Outscale, hold an active SecNumCloud qualification, with several more in the pipeline.

While traditional certifications such as ISO 27001, SOC 2, and BSI C5 focus on security practices, SecNumCloud emphasizes ownership and jurisdictional immunity. The distinction is critical: a provider can hold multiple security badges but still be subject to foreign laws if ownership exceeds the 24% limit. This rule has prompted US-based hyperscalers to modify control structures, often through joint ventures like Thales–Google’s S3NS or Capgemini–Orange’s Bleu, to meet the threshold without changing their legal identity.

Despite the strictness of the rule, experts note that achieving compliance is highly complex, with Scalingo’s CEO comparing SecNumCloud’s difficulty to a 10 on a 1-to-10 scale, compared to ISO 27001’s 1. The rule’s arithmetic nature makes it verifiable from a company’s ownership cap table, but it does not address other sovereignty concerns such as legal jurisdiction or data access rights.

At a glance
analysisWhen: developing as of mid-2026, with ongoing…
The developmentThe development centers on the adoption and scrutiny of the 24% ownership rule within European AI sovereignty certifications, especially SecNumCloud, and its impact on data control and jurisdictional security.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Rule for Data Sovereignty

The 24% rule represents a fundamental shift in how European regulators assess legal control over cloud and AI services. Its emphasis on ownership structure aims to prevent foreign governments from exerting extraterritorial influence over sensitive data. For providers, this means restructuring ownership and control mechanisms, often through joint ventures, to meet sovereignty criteria. For users, it raises questions about the trustworthiness of certifications and whether they truly guarantee legal immunity.

As the rule becomes more widely adopted, especially for critical sectors such as healthcare, finance, and energy, it could significantly limit the participation of US-based hyperscalers in the European market unless they adapt control structures accordingly. This development could accelerate the emergence of European-controlled cloud ecosystems and influence global standards for data sovereignty.

Amazon

AI sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Origins and Development of the 24% Control Limit

The 24% ownership threshold is a core component of France’s SecNumCloud qualification, introduced by ANSSI in 2016 and now in version 3.2. It emerged from the need to ensure legal sovereignty over cloud services hosting sensitive data, especially in the context of increasing geopolitical tensions and extraterritorial laws such as the CLOUD Act.

Unlike typical security certifications, SecNumCloud explicitly requires EU domicile, data storage, and audited key custody. The unique feature is its ownership cap, which is expressed as a simple arithmetic check—companies not based in the EU must hold less than 24% ownership to qualify. This rule is designed to be verifiable from corporate ownership structures and is intended to prevent foreign control.

Currently, providers like OVHcloud and Outscale have achieved SecNumCloud status, often restructuring their ownership models to stay below the threshold, especially US firms seeking to access the European market under strict sovereignty criteria.

“Achieving SecNumCloud is like a 10 out of 10 in complexity—far beyond typical security standards.”

— Scalingo CEO

Unanswered Questions About the 24% Rule’s Effectiveness

It remains unclear how effectively the 24% ownership threshold prevents foreign legal influence over data in practice. Critics argue that ownership control does not automatically equate to legal immunity, especially given the complexities of international law and corporate structures. There is also ongoing debate about whether the rule sufficiently addresses other sovereignty issues, such as data access rights, government influence, and jurisdictional enforcement.

Furthermore, the long-term impact of these control restructuring efforts on the competitive landscape and whether they truly guarantee legal immunity remains to be seen. Regulatory bodies have yet to publish comprehensive evaluations of the rule’s real-world effectiveness.

Future of the 24% Control Threshold and Certification Landscape

Regulators and industry stakeholders are expected to continue refining the application of the 24% rule, with more providers attempting to restructure ownership to qualify for SecNumCloud. As of mid-2026, about a dozen providers hold active certifications, and several more are in process. The European Commission and national agencies may also introduce additional controls or complementary standards to address remaining sovereignty concerns.

In parallel, legal debates over jurisdictional immunity, extraterritorial laws, and the true meaning of sovereignty are likely to intensify, influencing future certification criteria and compliance strategies. The ongoing evolution of these standards will shape the European cloud and AI ecosystem for years to come.

Key Questions

No, the 24% rule primarily addresses ownership control; it does not automatically confer immunity from foreign laws or jurisdictional influence.

Can US-based cloud providers still qualify under SecNumCloud?

Yes, but they must restructure control and ownership to ensure that no more than 24% of ownership is held by foreign entities, often through joint ventures or control arrangements.

Is the 24% rule sufficient to guarantee data sovereignty?

It is a significant control measure, but its sufficiency depends on broader legal and geopolitical factors. Its effectiveness in preventing foreign influence is still under evaluation.

Will the ownership rule impact the presence of US hyperscalers in Europe?

Yes, it may limit their ability to operate natively unless they adapt ownership and control structures to meet the threshold.

Source: ThorstenMeyerAI.com

You May Also Like

Prepare For 2026 With These Top AI Tools

Discover key AI tools and platforms set to define 2026, including software suites, automation, machine learning, and hardware essentials.

SD Cards and CFexpress: The Speed Ratings That Actually Matter

Informed choices about SD cards and CFexpress depend on understanding their speed ratings, but there’s more to consider for optimal performance.

The Safari MCP Server For Web Developers

Apple introduces Safari MCP server aimed at web developers for improved testing and deployment, with details still emerging on its full capabilities.

AI‑Generated Music: Creative Collaboration or Threat?

Lurking within AI-generated music lies a debate over its role as creative partner or potential threat, leaving us questioning the future of artistry.