📊 Full opportunity report: Critical Perspectives On AI Sovereignty Testing: The 24% Rule Uncovered on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

France’s SecNumCloud framework introduces a unique sovereignty test based on a 24% ownership cap, challenging US and non-EU providers. This development raises questions about legal jurisdiction and data control in European cloud services.

France’s national cybersecurity agency, ANSSI, has introduced a new sovereignty requirement in its SecNumCloud qualification, establishing a 24% ownership cap for non-EU-controlled companies. This rule is designed to ensure legal sovereignty over cloud services hosting sensitive French and European data, directly impacting international providers and their operational structures.

The SecNumCloud qualification, created in 2016 and now at version 3.2, is a government-backed qualification that mandates compliance with strict legal sovereignty standards, including EU data storage, audited key custody, and immunity from non-EU extraterritorial law. The most notable aspect is the ownership cap, which limits individual non-EU control to 24% and collective control to 39%, checked via a cap table.

As of mid-2026, approximately nine providers hold an active SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. Major US hyperscalers, such as Amazon Web Services, cannot directly qualify unless they restructure ownership controls. Instead, US companies have formed joint ventures with European firms, like Thales-Google and Capgemini-Orange, to circumvent the rule by transferring operational control while maintaining US ownership.

While certifications like BSI C5 and EUCS focus on security controls and legal disclosures, SecNumCloud explicitly enforces legal sovereignty through ownership limits, making it a unique and more restrictive framework. The rule’s arithmetic nature makes compliance transparent and checkable, but also highly complex to achieve.

At a glance
reportWhen: announced mid-2026, ongoing implementat…
The developmentFrance’s ANSSI has implemented a sovereignty test in its SecNumCloud certification, limiting ownership by non-EU entities to 24%, affecting global cloud and AI providers operating in Europe.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Providers

This sovereignty rule fundamentally shifts how cloud and AI providers operate within Europe. It emphasizes legal control and ownership structure, potentially excluding major US firms unless they adapt their corporate arrangements. For European public-sector and critical infrastructure data, compliance with SecNumCloud is now mandatory, shaping the future landscape of cloud sovereignty and data governance in Europe.

The rule also raises broader questions about jurisdiction, legal immunity, and the effectiveness of certifications in ensuring sovereignty. As more providers seek to meet these standards, the 24% rule could become a benchmark for sovereignty testing beyond France, influencing European and global cloud policies.

Amazon

European cloud sovereignty compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background of European Sovereignty Frameworks and the 24% Rule

Since 2016, European countries have developed various cybersecurity standards and certifications, such as Germany’s BSI C5 and France’s SecNumCloud, to address data sovereignty concerns amid increasing geopolitical tensions. SecNumCloud, created by ANSSI, is distinct in its explicit legal sovereignty requirements, including the ownership cap introduced in 2026. This rule complements existing standards but stands out because it is arithmetic and directly tied to legal control, rather than just technical security controls.

Historically, US cloud providers like AWS, Azure, and Google Cloud have operated within European markets but remain subject to US jurisdiction laws, such as the CLOUD Act. To comply with SecNumCloud, these companies have formed joint ventures or restructured control, exemplified by Thales-Google S3NS and Capgemini-Orange Bleu, which transfer operational control to European entities while maintaining US ownership below the 24% threshold.

The development of this rule is part of a broader European push for data sovereignty, especially in sensitive sectors like health, energy, and finance, where legal control over data is crucial.

“SecNumCloud’s ownership limit ensures that control remains within the EU legal framework, safeguarding data from extraterritorial laws.”

— ANSSI spokesperson

Amazon

cybersecurity audit software for cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Implementation and Industry Impact

It remains unclear how strictly the 24% ownership rule will be enforced across different providers and whether there will be exceptions or transitional arrangements. The long-term impact on US cloud giants and their European operations is still developing, with some companies restructuring ownership or control to comply.

Additionally, the broader implications for data access, legal jurisdiction, and international cloud governance are still being debated among policymakers, industry players, and legal experts. The effectiveness of the rule in preventing extraterritorial legal reach remains to be seen.

Amazon

ownership structure analysis software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Cloud Providers and Regulatory Oversight

Moving forward, more providers are expected to seek SecNumCloud qualification by restructuring ownership or control arrangements. Regulatory agencies will likely increase scrutiny of ownership structures and compliance reports. Industry groups and legal experts will continue analyzing the rule’s implications for sovereignty, data access, and international law.

In the coming months, ANSSI may clarify enforcement procedures and potential exceptions, while European policymakers consider extending similar sovereignty tests to other sectors and standards. The evolution of these controls will shape the future of cloud sovereignty in Europe.

Amazon

cloud security certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule in SecNumCloud?

The 24% ownership rule limits the individual ownership stake of non-EU-controlled companies to 24%, aiming to ensure legal sovereignty over cloud services hosting sensitive European data.

How does the rule affect US cloud providers?

US providers cannot qualify directly unless they restructure ownership or control, often forming joint ventures with European firms to stay below the 24% threshold and comply with sovereignty requirements.

Is the 24% rule legally binding?

Yes, it is part of the SecNumCloud qualification issued by ANSSI, which is a government-backed standard that mandates compliance for hosting sensitive French and European data.

Does the rule prevent US law from applying?

No, the ownership cap aims to limit control within EU jurisdiction, but US laws like the CLOUD Act can still apply if US companies retain significant control or ownership.

What happens if a provider exceeds the ownership limit?

They risk losing SecNumCloud qualification, which is mandatory for hosting certain sensitive data in France, and may face restrictions or penalties under national and European regulations.

Source: ThorstenMeyerAI.com

You May Also Like

Converting Your VW Bus to Electric: Legal Requirements and Registration Issues

Understanding the legal requirements for converting your VW Bus to electric is crucial to ensure compliance and avoid penalties.

Europe Regulated the Interface and Forgot to Build the Engine

Europe regulated its online consent interfaces but failed to invest in the underlying AI technology, risking future competitiveness and innovation.

Carbon Disclosure and Reporting: New Compliance Requirements for Transit Agencies

By understanding new compliance requirements, transit agencies can improve transparency and sustainability—discover how to meet these evolving standards effectively.

Federal vendor registration renewal assistant

A new federal vendor registration renewal assistant is being tested to help small businesses manage renewal tasks and stay compliant for government contracts.