📊 Full opportunity report: Why The 24% Rule Matters For AI Sovereignty Certification Validity on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule in France’s SecNumCloud framework is a critical measure for ensuring legal sovereignty over data and AI services. It emphasizes ownership control over traditional security certifications, shaping European AI sovereignty efforts.

The 24% ownership rule in France’s SecNumCloud framework is now a decisive factor for legal sovereignty in cloud and AI services. This criterion, established by the French cybersecurity agency ANSSI, enforces a strict ownership cap to ensure data control remains within European jurisdiction. The rule is shaping how providers structure their control and ownership to meet sovereignty requirements, impacting major cloud vendors and AI providers operating in Europe.

SecNumCloud, created by France’s ANSSI in 2016, is a qualification that tests not only security practices but also ownership sovereignty. The key measure is that companies with control over services must have less than 24% of their capital or voting rights held by non-EU entities individually, or 39% collectively. This arithmetic ownership cap ensures that European control is maintained, limiting foreign influence over critical data infrastructure.

As of mid-2026, about ten providers have obtained SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. Major US-based providers, such as Amazon Web Services, remain ineligible for SecNumCloud in its native form due to their ownership structures, but have adapted through joint ventures and control arrangements that comply with the 24% rule. Notably, AWS’s European Sovereign Cloud operates entirely within the EU but remains subject to US law.

At a glance
reportWhen: developing, as of mid-2026
The developmentThe 24% ownership cap in SecNumCloud is now a central criterion for legal sovereignty, affecting cloud providers and AI services operating within Europe.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for European Cloud and AI

The 24% ownership rule fundamentally shifts how European data sovereignty is enforced. Unlike traditional security certifications that focus on technical controls, this arithmetic limit directly influences ownership structures and control rights. It aims to prevent foreign governments from exerting legal influence over critical data services, especially in sensitive sectors like health, energy, and finance. This measure is likely to shape the competitive landscape of cloud providers in Europe, favoring those with local ownership and control, and could lead to increased reliance on European or compliant providers for AI and cloud infrastructure.

For AI developers and users, the rule underscores the importance of ownership transparency and legal sovereignty. It also signals a move toward regulatory-driven data control rather than solely technical security standards, affecting how AI models are trained, hosted, and governed within Europe.

Amazon

European data sovereignty cloud certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and the Role of Ownership Limits

The SecNumCloud framework is part of broader European efforts to establish digital sovereignty amid geopolitical tensions. Unlike other certifications such as ISO 27001 or BSI C5, which verify security practices, SecNumCloud’s ownership control requirement introduces a legal sovereignty test based on arithmetic ownership caps. This approach responds to concerns about foreign influence and extraterritorial laws, like the US CLOUD Act, which can compel data access regardless of technical safeguards.

While US hyperscalers like AWS and Microsoft have achieved various security attestations, their ownership structures often exceed the 24% threshold, prompting them to establish joint ventures or control arrangements that comply with the rule. This development reflects a strategic shift in how international cloud providers adapt to European sovereignty demands, emphasizing control and ownership over mere security compliance.

“The 24% ownership rule is a game-changer because it shifts the focus from technical security to legal sovereignty, fundamentally altering how providers structure control.”

— Thorsten Meyer, AI security expert

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6x6 Blueprint for Data Sovereignty and Trusted Analytics. ... series for enterprise transformation)

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6×6 Blueprint for Data Sovereignty and Trusted Analytics. … series for enterprise transformation)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Aspects of the 24% Control Mechanism

It remains unclear how enforcement of the ownership cap will evolve, especially with complex joint ventures and control arrangements involving multiple entities. The precise legal and operational implications for providers that exceed or approach the threshold are still being tested in practice. Additionally, the extent to which this rule will influence market dynamics and provider strategies beyond France is still emerging, as other European countries consider adopting similar sovereignty measures.

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide: Become an expert and get Google Cloud certified with this practitioner’s guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide: Become an expert and get Google Cloud certified with this practitioner’s guide

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in European AI and Cloud Sovereignty Regulation

Expect ongoing adoption and refinement of the ownership rule as more providers seek SecNumCloud qualification. Regulatory bodies are likely to clarify enforcement mechanisms, including audits and control assessments. Additionally, the development of European-led AI sovereignty initiatives may integrate ownership controls into broader frameworks regulating AI development and deployment. The push for more providers to meet the 24% threshold will influence market competition and could accelerate the emergence of more European-controlled cloud services.

[By Jocko Willink ] Extreme Ownership: How U.S. Navy SEALs Lead and Win (Hardcover)【2018】by Jocko Willink (Author) (Hardcover)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why is the 24% ownership cap considered more important than traditional security certifications?

The 24% ownership cap directly addresses legal sovereignty by controlling who ultimately owns and controls the service, reducing foreign influence regardless of security measures.

Can US-based cloud providers meet the sovereignty requirements under the 24% rule?

Most US providers cannot meet the ownership cap directly due to their structure but can create control arrangements or joint ventures that comply with the 24% limit, as seen with AWS’s European Sovereign Cloud.

How does the ownership rule impact AI development in Europe?

It emphasizes local ownership and control, encouraging European AI providers and collaborations that adhere to sovereignty standards, potentially shaping the AI ecosystem’s structure.

Will the 24% rule be adopted outside France?

It is uncertain; while other European countries are considering similar measures, the specific arithmetic control approach is currently unique to France’s SecNumCloud framework.

Source: ThorstenMeyerAI.com

You May Also Like

A Frontier AI Model Just Went Dark for 18 Days. The Kill-Switch Is Real Now.

An advanced AI model was globally disabled for 18 days by US government order, marking a new era of AI control and raising questions about future releases.

China’s ethnic law with global reach draws backlash, from Japan to Europe

China’s new law promoting ethnic unity, with extraterritorial claims, faces criticism from Japan, Europe, and UN bodies, raising concerns over minority rights.

South Korea unveils $1tn chip and AI investment plan

South Korea unveils a $1 trillion plan to boost chip manufacturing and AI infrastructure, aiming to compete globally amid rising demand and shortages.

Australia doubles the maximum penalty for its social media ban

Australia increases maximum penalty for social media law violations to $68 million, strengthening enforcement and compliance measures.