📊 Full opportunity report: Why The 24% Rule Is A Wake-Up Call For AI Sovereign Cloud Certification Practices on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership cap in France’s SecNumCloud framework is challenging US-based cloud providers and highlighting the importance of sovereignty in European AI and cloud services. This development emphasizes ownership control as a key factor in certification and legal jurisdiction.
France’s national cybersecurity agency, ANSSI, has implemented a new sovereignty requirement in its SecNumCloud qualification that limits foreign ownership to 24% for cloud providers hosting sensitive data within the EU. This rule is forcing US-based cloud providers to restructure ownership to comply, marking a significant shift in European cloud sovereignty policy. This development matters because it directly impacts how foreign companies can operate in the European cloud market and highlights ownership control as a critical factor in sovereignty certification.
SecNumCloud, created by ANSSI in 2016, is a government-backed qualification that assesses cloud providers on technical, operational, and legal criteria, including sovereignty. Unlike typical certifications, it explicitly tests ownership control through a numerical cap—foreign ownership must not exceed 24% individually or 39% collectively. This requirement is designed to ensure that the provider is under European control and immune from non-EU extraterritorial laws, such as the US CLOUD Act.
As of mid-2026, approximately nine providers have obtained SecNumCloud qualification, including OVHcloud and Scaleway, with more in the pipeline. Major US hyperscalers like Amazon remain ineligible unless they restructure ownership, which US providers have attempted by creating joint ventures or control arrangements, such as Thales–Google’s S3NS and Capgemini–Orange’s Bleu project. These arrangements permit US companies to meet the sovereignty criteria by transferring operational control to European entities, effectively working around the ownership cap.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications for Cloud Providers and European Data Sovereignty
This development underscores a shift towards legal sovereignty as a core component of European cloud regulation. The 24% ownership rule makes clear that physical and operational separation alone are insufficient; control and ownership are now central. For foreign providers, especially US-based firms, this means significant restructuring or partnership strategies to meet sovereignty standards. It also signals a broader move by European regulators to prioritize control over data and infrastructure, potentially reshaping the competitive landscape and influencing future certification frameworks.
European cloud sovereignty certification guide
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Sovereignty and Certification Landscape
Historically, European cloud regulation has focused on security controls, with frameworks like ISO 27001, SOC 2, and BSI C5 certifying best practices in security and operational controls. SecNumCloud, however, introduces a legal sovereignty dimension, requiring providers to demonstrate control through ownership caps, domicile, and legal compliance. The rule emerged amid growing concerns over US and other non-EU companies’ influence over data and infrastructure, especially after revelations of extraterritorial laws like the CLOUD Act. As of 2026, the framework is becoming a de facto requirement for hosting sensitive public-sector data in France and potentially beyond, influencing procurement and operational decisions across Europe.
“The 24% ownership rule is a game-changer because it makes ownership control the litmus test for sovereignty, not just security practices.”
— Thorsten Meyer, AI compliance expert
cloud ownership control verification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Challenges and Future Regulatory Developments
It remains unclear how US providers will fully adapt ownership structures to meet the 24% cap without significant restructuring or joint ventures. The long-term impact on market competition and whether other European countries will adopt similar rules are still developing. Additionally, legal and operational complexities of implementing these ownership controls, especially for multinational corporations, are ongoing issues.

DoD RMF ISSO/ISSM Field Guide: Implementation, Documentation & Control Compliance Reference for DoD Security Professionals (DoD RMF Field Manual Series)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Cloud Providers and Regulatory Adoption
US and other non-EU cloud providers are expected to continue restructuring ownership arrangements or forming European-controlled joint ventures to qualify under the new rule. Regulatory agencies in France and possibly other EU countries may expand or tighten sovereignty criteria, further influencing market dynamics. The industry will also watch how certification authorities and auditors adapt to verify ownership controls accurately and efficiently.

Burning Suite – Burn and Copy Software – CD/DVD/Blu-ray – Data, Music, Video – the all-in-one solution for Win 11, 10
Data Loss Prevention – Avoid losing important files by securely backing up your data on CDs, DVDs, or…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% ownership rule in SecNumCloud?
The 24% ownership rule limits foreign ownership to 24% for providers hosting sensitive data within the EU, ensuring effective European control and sovereignty.
Why does ownership control matter for sovereignty certification?
Ownership control determines who ultimately controls the provider and whether it is subject to non-EU laws, which is crucial for data sovereignty and legal immunity.
How are US cloud providers responding to this rule?
Many US providers are restructuring ownership or creating joint ventures with European entities to meet the ownership cap and qualify under SecNumCloud.
Does certification guarantee immunity from non-EU laws?
No, certifications like SecNumCloud demonstrate control and compliance but do not automatically exempt providers from laws like the CLOUD Act.
Will other European countries adopt similar sovereignty rules?
It is still uncertain, but the trend suggests increased emphasis on sovereignty and ownership control across the EU, which could lead to broader adoption.
Source: ThorstenMeyerAI.com