📊 Full opportunity report: Is AI Sovereignty Really Tested In Certifications? The 24% Rule Gives Clarity on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The French SecNumCloud scheme introduces a 24% ownership limit to verify legal sovereignty over cloud providers. This rule offers a clear standard for data control, distinguishing practice-based security from legal jurisdiction. The framework’s implications are significant for European AI and cloud services seeking sovereignty assurances.

European cybersecurity authorities have formalized a 24% ownership control rule within the SecNumCloud framework, explicitly testing legal sovereignty over cloud services. This development clarifies how sovereignty is measured, with the ownership cap serving as a tangible threshold for compliance. The rule is a key step in defining European data sovereignty and impacts providers seeking to operate under EU jurisdiction.

SecNumCloud, issued by France’s ANSSI, requires providers to demonstrate EU legal domicile, data storage within the EU, and immunity from non-EU extraterritorial laws. The ownership cap—no more than 24% of voting rights held by non-EU entities—serves as a measurable test of sovereignty. This arithmetic threshold is unique, directly linking ownership structure to legal control, and is considered a robust indicator of sovereignty.

As of mid-2026, around nine providers have obtained or are in the process of obtaining SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. The framework is mandatory for hosting sensitive French public-sector data and is expected to expand to vital sectors across Europe. The ownership rule is designed to prevent foreign legal influence, ensuring that control remains within EU jurisdiction.

At a glance
reportWhen: developing, as of mid-2026
The developmentThe SecNumCloud framework now includes a precise ownership control rule—24%—to test legal sovereignty of cloud providers operating in Europe.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Control in European Cloud Sovereignty

The 24% ownership rule provides a clear, quantifiable measure for sovereignty, moving beyond vague jurisdictional claims. For European AI and cloud providers, it sets a benchmark for legal control, influencing procurement, partnerships, and compliance strategies. For users, it offers increased confidence that their data is under European legal authority. The rule also signals a shift toward practical sovereignty testing rather than reliance solely on security controls, which are often insufficient for legal sovereignty.

This development matters because it directly addresses the challenge of foreign influence—particularly from US-based firms—by establishing a measurable ownership threshold. It aims to foster a more sovereign European cloud ecosystem, reducing dependency on foreign legal jurisdictions and strengthening data protection and control.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Frameworks and the Distinction Between Practice and Sovereignty

European and German cloud security standards, like ISO 27001 and BSI C5, primarily certify security practices—such as encryption, access controls, and incident response—without addressing legal jurisdiction. In contrast, SecNumCloud explicitly incorporates legal sovereignty through requirements like data residency, EU domicile, and the ownership control rule. The latter is a response to concerns over extraterritorial laws like the CLOUD Act, which can compel US providers to access data regardless of security certifications.

Existing certifications demonstrate security practice but do not guarantee legal immunity. The ownership cap in SecNumCloud fills this gap by offering a quantitative test for sovereignty, making it a significant evolution in European cloud regulation.

“The 24% ownership cap is the only arithmetic test for sovereignty, directly linking control to legal influence, and it’s a game-changer for European cloud security.”

— Thorsten Meyer

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6x6 Blueprint for Data Sovereignty and Trusted Analytics. ... series for enterprise transformation)

Data Transformation for the AI Era: Building the Intelligence Fabric of the Enterprise. The 6×6 Blueprint for Data Sovereignty and Trusted Analytics. … series for enterprise transformation)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About Implementation and Global Impact

It is still unclear how strictly providers will adhere to the ownership cap as a compliance threshold, and how enforcement will be managed across different sectors. The long-term impact on non-EU providers, especially US tech giants, remains uncertain, as they may seek to modify ownership structures or pursue exemptions. Additionally, the broader acceptance of this arithmetic sovereignty test outside France and the EU has yet to be seen, raising questions about international compatibility.

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice)

Used Book in Good Condition

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for European Cloud Sovereignty Testing

Providers are expected to complete their SecNumCloud certifications or adjust ownership structures to meet the 24% threshold by late 2026. Regulatory agencies will likely increase oversight, with audits and compliance checks becoming more rigorous. The framework could serve as a blueprint for similar sovereignty tests in other sectors or regions, potentially leading to broader adoption of quantitative sovereignty standards. Watch for legal challenges or adaptations by foreign-controlled providers seeking exemptions or modifications.

Amazon

ownership control verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What exactly does the 24% ownership rule test?

The rule measures whether non-EU entities hold more than 24% of voting rights in a provider, serving as a quantitative indicator of legal sovereignty and control within the EU.

Does holding a certification mean a provider is sovereign?

No. Certifications like SecNumCloud verify security practices and compliance with specific controls, but the ownership cap directly tests legal sovereignty. Both are necessary but not sufficient alone.

Will this rule affect US-based cloud providers?

Yes, providers with significant US ownership or control may need to restructure ownership or seek exemptions to meet the 24% threshold if they want to operate under SecNumCloud standards in Europe.

Is this ownership rule unique to France or Europe?

While currently specific to France’s SecNumCloud, the concept of quantifiable sovereignty testing could influence broader European or international standards, though adoption outside France remains uncertain.

What are the implications for AI providers operating in Europe?

AI providers that rely on cloud infrastructure must ensure their data control and ownership structures meet the 24% cap if they want to qualify for sovereignty certifications, impacting how they structure partnerships and data governance.

Source: ThorstenMeyerAI.com

You May Also Like

Researcher turns wi-fi smart lightbulb into a Banned Book Library — open source project makes digital books available via a server and open Wi-Fi access point hacked into an ESP32-powered bulb

A security researcher has reprogrammed a Wi-Fi smart lightbulb to host a library of banned books, creating a stealthy, open-source digital dead drop.

Augmented reality coming into focus

Emerging advancements in augmented reality technology signal a shift toward broader mainstream adoption, with confirmed industry investments and ongoing innovation.

Watch SpaceX launch 15,000-pound SiriusXM satellite to orbit tonight

SpaceX is scheduled to launch a 15,000-pound SiriusXM satellite into orbit tonight, marking a significant milestone for satellite broadcasting.

California moves to exempt Linux from its age-verification law after backlash

California proposes an amendment to exempt most open-source Linux distributions from its upcoming age-verification law, following backlash from privacy advocates and developers.