AI Sovereignty Certification Standards Under Question: The 24% Rule Explains Why

📊 Full opportunity report: AI Sovereignty Certification Standards Under Question: The 24% Rule Explains Why on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European cybersecurity standards like SecNumCloud enforce a 24% ownership limit to prevent foreign government control over cloud providers. This raises questions about sovereignty and compliance for US-based companies operating in Europe. The debate over certification meaning and legal jurisdiction is intensifying as more providers seek compliance.

European cybersecurity authority ANSSI’s SecNumCloud framework enforces a 24% ownership cap on non-EU investors to ensure legal sovereignty over cloud providers handling sensitive data. This rule is causing significant debate among industry stakeholders about the true meaning of sovereignty and the limits of existing certifications.

SecNumCloud, created by France’s ANSSI, is not a traditional certification but a government-issued qualification that requires providers to demonstrate ownership control within the EU, including a 24% ownership limit. This control measure is unique and arithmetic-based, making it a strict test of sovereignty, unlike security-focused standards like ISO 27001 or C5.

As of mid-2026, approximately nine to ten providers, including OVHcloud and Scaleway, have obtained active SecNumCloud qualifications, with more in the pipeline. The regulation is mandatory for hosting sensitive French public-sector data and is expanding to other critical sectors under EU directives like NIS2. US hyperscalers, unable to meet the ownership restrictions directly, are creating control structures through joint ventures, such as Thales-Google’s S3NS and Capgemini-Orange’s Bleu, to comply with the rule.

At a glance
reportWhen: developing, with current certifications…
The developmentEuropean cybersecurity framework SecNumCloud’s 24% ownership rule is prompting scrutiny of US cloud providers’ sovereignty claims, challenging existing certification standards.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Control Limit for Cloud Providers

The 24% ownership cap fundamentally challenges the ownership and control claims of US-based cloud giants operating in Europe. It emphasizes the importance of legal sovereignty over security practices, potentially reshaping how providers structure their ownership and control mechanisms to meet European regulatory demands. This could influence global cloud strategies and data governance policies.

Modular Compliance

Modular Compliance

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Frameworks and the Sovereignty Control Test

European security standards like ISO 27001, SOC 2, and BSI C5 primarily certify security practices but do not address jurisdictional control. In contrast, France’s SecNumCloud explicitly tests control through a quantitative ownership limit, making it unique. The framework reflects a broader EU push to ensure legal sovereignty over data, especially in sensitive sectors, amidst ongoing concerns about foreign government influence and extraterritorial law enforcement.

US cloud providers, such as AWS, remain subject to US laws like the CLOUD Act, which complicates compliance with sovereignty standards. To navigate this, they are establishing control structures via joint ventures that meet the 24% rule, but these arrangements raise questions about their authenticity and effectiveness.

“Achieving ISO 27001 is a 1 on the complexity scale, but SecNumCloud is a 10—it’s brutally hard and requires precise control over ownership and legal domicile.”

— Scalingo CEO

Amazon

cloud sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About Sovereignty Compliance

It is still unclear how many US providers will successfully restructure control arrangements to meet the 24% ownership cap long-term. The effectiveness of joint ventures in truly maintaining sovereignty, versus merely creating compliance structures, remains an open question. Additionally, the broader impact of these standards on global cloud market dynamics and legal interpretations is still evolving.

Amazon

ownership control verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Cloud Sovereignty Rules

In the coming months, more providers are expected to seek SecNumCloud certification or establish control structures to comply with the 24% rule. Regulatory agencies are likely to expand the scope of the framework, potentially applying similar sovereignty tests to other critical sectors. Industry stakeholders will closely monitor legal challenges and the practical effectiveness of control arrangements in maintaining sovereignty claims.

Amazon

EU cloud provider compliance kits

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule in SecNumCloud?

The 24% rule limits individual foreign ownership to 24% and collective ownership to 39%, serving as an arithmetic test of legal sovereignty over cloud providers handling sensitive data in Europe.

Why is the 24% rule considered more effective than traditional security certifications?

Because it directly measures ownership control and legal sovereignty, rather than just security practices, making it a more definitive test of jurisdictional independence.

How are US cloud providers attempting to comply with the sovereignty standards?

They are creating joint ventures and control structures that meet the ownership caps, such as Thales-Google’s S3NS and Capgemini-Orange’s Bleu, to bypass direct ownership restrictions.

Does holding a SecNumCloud qualification mean a provider is immune from US law?

No. SecNumCloud primarily tests control within the EU; providers like AWS remain subject to US laws like the CLOUD Act, regardless of certification.

What are the implications for global cloud providers operating in Europe?

They must adapt ownership and control structures to meet sovereignty standards, potentially affecting their corporate structures and data governance policies across regions.

Source: ThorstenMeyerAI.com

You May Also Like

AI 2040 And The Cult Of Intelligence

Experts warn that the concept of AI reaching human-level intelligence by 2040 is fueling a growing ‘cult of intelligence’ that risks overestimating AI’s capabilities.

The 2028 Model Lab Endgame: How Six Becomes Two, Three, or Twelve

A scenario forecast by Thorsten Meyer predicts that by 2028, the Western AI frontier labs could consolidate into two, three, or twelve dominant entities, shaping AI’s future.

AI Music Startups: Suno’s $2 Billion Valuation and Copyright Challenges

Growing AI music startups like Suno hit $2 billion valuations amid copyright disputes, leaving you wondering how legal battles will shape the future.

Évian and the Fallout: What Europe Actually Wants From Amodei, Hassabis, and Altman

Europe pushes for access, sovereignty, and safety in AI, demanding guarantees from Amodei, Hassabis, and Alt after US export controls.