📊 Full opportunity report: Why The 24% Rule Matters For AI Sovereignty Certification Validity on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership rule in France’s SecNumCloud framework is a critical measure for ensuring legal sovereignty over data and AI services. It emphasizes ownership control over traditional security certifications, shaping European AI sovereignty efforts.
The 24% ownership rule in France’s SecNumCloud framework is now a decisive factor for legal sovereignty in cloud and AI services. This criterion, established by the French cybersecurity agency ANSSI, enforces a strict ownership cap to ensure data control remains within European jurisdiction. The rule is shaping how providers structure their control and ownership to meet sovereignty requirements, impacting major cloud vendors and AI providers operating in Europe.
SecNumCloud, created by France’s ANSSI in 2016, is a qualification that tests not only security practices but also ownership sovereignty. The key measure is that companies with control over services must have less than 24% of their capital or voting rights held by non-EU entities individually, or 39% collectively. This arithmetic ownership cap ensures that European control is maintained, limiting foreign influence over critical data infrastructure.
As of mid-2026, about ten providers have obtained SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. Major US-based providers, such as Amazon Web Services, remain ineligible for SecNumCloud in its native form due to their ownership structures, but have adapted through joint ventures and control arrangements that comply with the 24% rule. Notably, AWS’s European Sovereign Cloud operates entirely within the EU but remains subject to US law.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for European Cloud and AI
The 24% ownership rule fundamentally shifts how European data sovereignty is enforced. Unlike traditional security certifications that focus on technical controls, this arithmetic limit directly influences ownership structures and control rights. It aims to prevent foreign governments from exerting legal influence over critical data services, especially in sensitive sectors like health, energy, and finance. This measure is likely to shape the competitive landscape of cloud providers in Europe, favoring those with local ownership and control, and could lead to increased reliance on European or compliant providers for AI and cloud infrastructure.
For AI developers and users, the rule underscores the importance of ownership transparency and legal sovereignty. It also signals a move toward regulatory-driven data control rather than solely technical security standards, affecting how AI models are trained, hosted, and governed within Europe.
European data sovereignty cloud certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Sovereignty Frameworks and the Role of Ownership Limits
The SecNumCloud framework is part of broader European efforts to establish digital sovereignty amid geopolitical tensions. Unlike other certifications such as ISO 27001 or BSI C5, which verify security practices, SecNumCloud’s ownership control requirement introduces a legal sovereignty test based on arithmetic ownership caps. This approach responds to concerns about foreign influence and extraterritorial laws, like the US CLOUD Act, which can compel data access regardless of technical safeguards.
While US hyperscalers like AWS and Microsoft have achieved various security attestations, their ownership structures often exceed the 24% threshold, prompting them to establish joint ventures or control arrangements that comply with the rule. This development reflects a strategic shift in how international cloud providers adapt to European sovereignty demands, emphasizing control and ownership over mere security compliance.
“The 24% ownership rule is a game-changer because it shifts the focus from technical security to legal sovereignty, fundamentally altering how providers structure control.”
— Thorsten Meyer, AI security expert

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6×6 Blueprint for Data Sovereignty and Trusted Analytics. … series for enterprise transformation)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unclear Aspects of the 24% Control Mechanism
It remains unclear how enforcement of the ownership cap will evolve, especially with complex joint ventures and control arrangements involving multiple entities. The precise legal and operational implications for providers that exceed or approach the threshold are still being tested in practice. Additionally, the extent to which this rule will influence market dynamics and provider strategies beyond France is still emerging, as other European countries consider adopting similar sovereignty measures.

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide: Become an expert and get Google Cloud certified with this practitioner’s guide
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps in European AI and Cloud Sovereignty Regulation
Expect ongoing adoption and refinement of the ownership rule as more providers seek SecNumCloud qualification. Regulatory bodies are likely to clarify enforcement mechanisms, including audits and control assessments. Additionally, the development of European-led AI sovereignty initiatives may integrate ownership controls into broader frameworks regulating AI development and deployment. The push for more providers to meet the 24% threshold will influence market competition and could accelerate the emergence of more European-controlled cloud services.
![[By Jocko Willink ] Extreme Ownership: How U.S. Navy SEALs Lead and Win (Hardcover)【2018】by Jocko Willink (Author) (Hardcover)](https://m.media-amazon.com/images/I/41ggaLUnBUL._SL500_.jpg)
[By Jocko Willink ] Extreme Ownership: How U.S. Navy SEALs Lead and Win (Hardcover)【2018】by Jocko Willink (Author) (Hardcover)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Why is the 24% ownership cap considered more important than traditional security certifications?
The 24% ownership cap directly addresses legal sovereignty by controlling who ultimately owns and controls the service, reducing foreign influence regardless of security measures.
Can US-based cloud providers meet the sovereignty requirements under the 24% rule?
Most US providers cannot meet the ownership cap directly due to their structure but can create control arrangements or joint ventures that comply with the 24% limit, as seen with AWS’s European Sovereign Cloud.
How does the ownership rule impact AI development in Europe?
It emphasizes local ownership and control, encouraging European AI providers and collaborations that adhere to sovereignty standards, potentially shaping the AI ecosystem’s structure.
Will the 24% rule be adopted outside France?
It is uncertain; while other European countries are considering similar measures, the specific arithmetic control approach is currently unique to France’s SecNumCloud framework.
Source: ThorstenMeyerAI.com