The Reality Behind AI Sovereignty Certifications And The 24% Rule

📊 Full opportunity report: The Reality Behind AI Sovereignty Certifications And The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European security frameworks like SecNumCloud include a unique ownership cap of 24%, testing legal sovereignty rather than security practices. This impacts cloud providers’ ability to operate within EU jurisdiction and influences AI data governance.

European cybersecurity frameworks are now emphasizing legal sovereignty, with the 24% ownership cap at the core of the SecNumCloud qualification. This rule directly tests who controls cloud providers and whether they are subject to non-EU laws, impacting the deployment of AI and sensitive data within Europe.

The SecNumCloud scheme, managed by France’s ANSSI, is a government-backed qualification that incorporates over 360 criteria across technical, organizational, operational, and legal domains. Unlike typical security certifications such as ISO 27001 or SOC 2, SecNumCloud explicitly tests ownership and control, with a specific focus on legal sovereignty.

A key component is the ownership rule: companies holding more than 24% of voting rights or influence by non-EU entities are ineligible. This arithmetic check is designed to prevent foreign control, ensuring compliance with EU sovereignty requirements. As of mid-2026, about ten providers have obtained or are in the process of obtaining SecNumCloud, including OVHcloud and Scaleway, with many more expected to follow.

While certifications like C5 from Germany and EUCS focus on security controls, they do not address sovereignty or jurisdiction directly. For example, a provider with a US parent company might hold a C5 attestation but still be subject to US laws like the CLOUD Act. In contrast, SecNumCloud’s ownership rule aims to eliminate this residual legal risk by restricting foreign influence.

At a glance
analysisWhen: developing as of mid-2026
The developmentThe article examines the significance of the 24% ownership rule in European sovereignty certifications and clarifies the difference between security practices and legal control for cloud providers.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Limit for Cloud Control

This ownership cap fundamentally changes how cloud providers are evaluated for sovereignty in Europe. It shifts the focus from just security practices to who ultimately owns and controls the infrastructure, directly impacting AI deployment, data sovereignty, and compliance. For European governments and businesses, this means increased assurance that their data remains under EU jurisdiction, reducing risks from foreign legal intervention.

However, it also complicates the landscape, as major US tech firms cannot easily meet the ownership threshold without restructuring control. This has led to creative joint ventures where control is shifted to European or non-US entities, such as Thales–Google S3NS or Capgemini–Orange Bleu, which operate within the ownership limits but still involve US technology.

Overall, the rule is a step toward more sovereign cloud services in Europe, but it also raises questions about the practical enforceability and the future of US-based providers in the European market.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Frameworks Emphasize Control and Jurisdiction

The European Union and member states have increasingly prioritized legal sovereignty in cloud and AI regulations. While standards like ISO 27001 and SOC 2 certify security practices, they do not address control or jurisdiction. The SecNumCloud scheme, introduced by France’s ANSSI in 2016, is unique in that it explicitly tests for ownership and legal immunity.

Earlier efforts focused on technical security, but recent legislation, such as the EU’s NIS2 directive, emphasizes control over critical infrastructure. The 24% rule is a novel approach, using a simple arithmetic check to enforce sovereignty, and is seen as a model for future regulation across Europe.

Major US cloud providers like AWS and Microsoft have responded by creating joint ventures with European firms, ensuring control remains within EU limits, and thus qualifying for SecNumCloud. This approach reflects a broader shift toward sovereignty-driven cloud procurement.

“SecNumCloud is designed to guarantee that control and sovereignty are maintained within the EU, with the ownership rule being a key element.”

— ANSSI spokesperson

One Job, Not Three: How AI Collapsed Data Governance, Data Strategy, and Data Quality Into a Single Discipline

One Job, Not Three: How AI Collapsed Data Governance, Data Strategy, and Data Quality Into a Single Discipline

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Enforcement and Compliance

It remains unclear how strictly the ownership rule will be enforced as more providers seek certification. The practicalities of measuring ownership from cap tables can be complex, especially in joint ventures involving multiple entities. Additionally, the long-term impact on US-based cloud providers and their ability to operate within EU sovereignty frameworks is still evolving.

Questions also persist about how these rules will adapt to future developments in AI and data regulation, and whether the ownership cap will be complemented by other sovereignty measures.

CISM Exam Prep 2026: The Complete Management Guide: Master Information Security Governance, AI Risk Integrity, and Modern Compliance Frameworks for the 2026 Practice

CISM Exam Prep 2026: The Complete Management Guide: Master Information Security Governance, AI Risk Integrity, and Modern Compliance Frameworks for the 2026 Practice

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Cloud Providers and Regulators

Expect increased adoption of joint ventures and control restructuring by US cloud giants to meet the 24% ownership threshold. Regulatory bodies are likely to refine enforcement mechanisms and clarify compliance requirements, especially as more providers seek SecNumCloud certification.

European policymakers may extend sovereignty tests to other sectors, and the debate over jurisdiction versus security will intensify. The evolution of these frameworks will shape the future landscape of cloud and AI deployment within Europe.

Cloud FinOps: Collaborative, Real-Time Cloud Value Decision Making

Cloud FinOps: Collaborative, Real-Time Cloud Value Decision Making

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What exactly is the 24% ownership rule?

The 24% ownership rule is a legal sovereignty test used in the SecNumCloud qualification, which restricts foreign control by limiting non-EU ownership or voting rights in cloud providers to less than 24% individually or 39% collectively.

How does this rule affect US cloud providers operating in Europe?

US providers must restructure control, often through joint ventures or subsidiaries, to stay within the ownership limits and qualify for sovereignty certifications like SecNumCloud. They remain subject to US law but can demonstrate compliance with EU sovereignty criteria.

No. Certifications like ISO 27001 or C5 focus on security practices but do not address jurisdiction or control. SecNumCloud’s ownership rule directly tests legal sovereignty, which is not covered by traditional security standards.

Will the 24% rule prevent foreign influence entirely?

It significantly limits foreign control but does not eliminate influence through complex ownership structures or legal arrangements. Enforcement and compliance will be critical to its effectiveness.

Source: ThorstenMeyerAI.com

You May Also Like

The United Kingdom: The Pragmatist’s Hedge

Analyzing the UK’s post-Brexit strategy of moderate welfare, flexible labor, and light AI regulation, and its implications for future policy.

Apple Is Reaching for Chinese Memory. Europe Doesn’t Even Have That Option.

Apple is lobbying to buy memory chips from China’s CXMT, highlighting Europe’s lack of options in memory manufacturing and exposing its dependency issues.

VigilSAR Benchmark: There Is No Best Model

The VigilSAR Benchmark shows that there is no universally best AI model, as rankings vary based on deployment context and user needs.

Sovereignty Is A Pipe, Not A Passport

Mistral’s sovereignty claim hinges on data hosting, but reliance on US infrastructure complicates legal jurisdiction and true data sovereignty.