Why The 24% Rule Is A Wake-Up Call For AI Sovereign Cloud Certification Practices

📊 Full opportunity report: Why The 24% Rule Is A Wake-Up Call For AI Sovereign Cloud Certification Practices on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership cap in France’s SecNumCloud framework is challenging US-based cloud providers and highlighting the importance of sovereignty in European AI and cloud services. This development emphasizes ownership control as a key factor in certification and legal jurisdiction.

France’s national cybersecurity agency, ANSSI, has implemented a new sovereignty requirement in its SecNumCloud qualification that limits foreign ownership to 24% for cloud providers hosting sensitive data within the EU. This rule is forcing US-based cloud providers to restructure ownership to comply, marking a significant shift in European cloud sovereignty policy. This development matters because it directly impacts how foreign companies can operate in the European cloud market and highlights ownership control as a critical factor in sovereignty certification.

SecNumCloud, created by ANSSI in 2016, is a government-backed qualification that assesses cloud providers on technical, operational, and legal criteria, including sovereignty. Unlike typical certifications, it explicitly tests ownership control through a numerical cap—foreign ownership must not exceed 24% individually or 39% collectively. This requirement is designed to ensure that the provider is under European control and immune from non-EU extraterritorial laws, such as the US CLOUD Act.

As of mid-2026, approximately nine providers have obtained SecNumCloud qualification, including OVHcloud and Scaleway, with more in the pipeline. Major US hyperscalers like Amazon remain ineligible unless they restructure ownership, which US providers have attempted by creating joint ventures or control arrangements, such as Thales–Google’s S3NS and Capgemini–Orange’s Bleu project. These arrangements permit US companies to meet the sovereignty criteria by transferring operational control to European entities, effectively working around the ownership cap.

At a glance
reportWhen: developing as of mid-2026
The developmentThe 24% ownership rule in France’s SecNumCloud framework is forcing US cloud providers to reconsider control structures to meet sovereignty requirements.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications for Cloud Providers and European Data Sovereignty

This development underscores a shift towards legal sovereignty as a core component of European cloud regulation. The 24% ownership rule makes clear that physical and operational separation alone are insufficient; control and ownership are now central. For foreign providers, especially US-based firms, this means significant restructuring or partnership strategies to meet sovereignty standards. It also signals a broader move by European regulators to prioritize control over data and infrastructure, potentially reshaping the competitive landscape and influencing future certification frameworks.

Amazon

European cloud sovereignty certification guide

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty and Certification Landscape

Historically, European cloud regulation has focused on security controls, with frameworks like ISO 27001, SOC 2, and BSI C5 certifying best practices in security and operational controls. SecNumCloud, however, introduces a legal sovereignty dimension, requiring providers to demonstrate control through ownership caps, domicile, and legal compliance. The rule emerged amid growing concerns over US and other non-EU companies’ influence over data and infrastructure, especially after revelations of extraterritorial laws like the CLOUD Act. As of 2026, the framework is becoming a de facto requirement for hosting sensitive public-sector data in France and potentially beyond, influencing procurement and operational decisions across Europe.

“The 24% ownership rule is a game-changer because it makes ownership control the litmus test for sovereignty, not just security practices.”

— Thorsten Meyer, AI compliance expert

Amazon

cloud ownership control verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Challenges and Future Regulatory Developments

It remains unclear how US providers will fully adapt ownership structures to meet the 24% cap without significant restructuring or joint ventures. The long-term impact on market competition and whether other European countries will adopt similar rules are still developing. Additionally, legal and operational complexities of implementing these ownership controls, especially for multinational corporations, are ongoing issues.

DoD RMF ISSO/ISSM Field Guide: Implementation, Documentation & Control Compliance Reference for DoD Security Professionals (DoD RMF Field Manual Series)

DoD RMF ISSO/ISSM Field Guide: Implementation, Documentation & Control Compliance Reference for DoD Security Professionals (DoD RMF Field Manual Series)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Cloud Providers and Regulatory Adoption

US and other non-EU cloud providers are expected to continue restructuring ownership arrangements or forming European-controlled joint ventures to qualify under the new rule. Regulatory agencies in France and possibly other EU countries may expand or tighten sovereignty criteria, further influencing market dynamics. The industry will also watch how certification authorities and auditors adapt to verify ownership controls accurately and efficiently.

Burning Suite - Burn and Copy Software - CD/DVD/Blu-ray - Data, Music, Video - the all-in-one solution for Win 11, 10

Burning Suite – Burn and Copy Software – CD/DVD/Blu-ray – Data, Music, Video – the all-in-one solution for Win 11, 10

Data Loss Prevention – Avoid losing important files by securely backing up your data on CDs, DVDs, or…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule in SecNumCloud?

The 24% ownership rule limits foreign ownership to 24% for providers hosting sensitive data within the EU, ensuring effective European control and sovereignty.

Why does ownership control matter for sovereignty certification?

Ownership control determines who ultimately controls the provider and whether it is subject to non-EU laws, which is crucial for data sovereignty and legal immunity.

How are US cloud providers responding to this rule?

Many US providers are restructuring ownership or creating joint ventures with European entities to meet the ownership cap and qualify under SecNumCloud.

Does certification guarantee immunity from non-EU laws?

No, certifications like SecNumCloud demonstrate control and compliance but do not automatically exempt providers from laws like the CLOUD Act.

Will other European countries adopt similar sovereignty rules?

It is still uncertain, but the trend suggests increased emphasis on sovereignty and ownership control across the EU, which could lead to broader adoption.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

Sovereignty Is a Pipe, Not a Passport

Analysis of how data sovereignty depends on legal jurisdiction of providers, not server location, highlighting limitations of European AI sovereignty claims.

Hikvision Erhält Branchenweit Erste EUCC-Zertifizierung Für Netzwerkkameras

Hikvision has received the first industry-wide EUCC certification for its network cameras, marking a significant compliance milestone in the EU.

FGR To Launch PureGRAPH® CEM Into China

FGR announces plans to introduce its PureGRAPH® CEM product into the Chinese market, expanding its global reach in advanced cement additives.

Kill-Switch-Proof: How to Build So Washington Can’t Take Your AI Stack Down

Learn the strategies to make your AI stack resilient against government shutdowns and export restrictions, ensuring operational control.