📊 Full opportunity report: Are AI Sovereignty Certifications Genuine? Insights From The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The article examines the authenticity of AI sovereignty certifications, highlighting France’s SecNumCloud rule that uses a 24% ownership cap to determine legal sovereignty. This standard emphasizes ownership control over traditional security measures, impacting European data governance.

France’s SecNumCloud certification introduces a unique ownership control test for cloud providers, using a 24% ownership cap to determine legal sovereignty. This framework is the first to directly address governmental access concerns, making it a key development in European data regulation and cloud security.

SecNumCloud, managed by France’s ANSSI, is not a typical certification but a qualification that verifies legal sovereignty. It requires providers to meet strict criteria, including EU data residency and audited key custody. The defining feature is the ownership threshold: companies with foreign ownership exceeding 24% are ineligible, effectively limiting foreign control.

As of mid-2026, about ten providers, such as OVHcloud and Outscale, hold active SecNumCloud qualifications, with more in the pipeline. The framework is mandatory for hosting sensitive French public-sector data and is being pushed toward critical infrastructure providers across Europe.

In contrast, other certifications like ISO 27001, SOC 2, and BSI C5 focus on security practices but do not address legal jurisdiction. For example, a provider can hold multiple security badges yet still be subject to foreign laws like the CLOUD Act, which can compel data access regardless of certifications.

At a glance
analysisWhen: developing in mid-2026 with active prov…
The developmentThe development centers on the introduction and application of France’s SecNumCloud sovereignty rule, which tests legal control through a 24% ownership threshold, raising questions about certification legitimacy.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap in European Cloud Security

The 24% ownership rule in SecNumCloud signifies a shift towards legal sovereignty as a core criterion for cloud trustworthiness in Europe. It emphasizes ownership control over traditional security controls, directly impacting foreign cloud providers operating in France and Europe.

This approach could influence other national frameworks, potentially leading to a broader European standard that prioritizes ownership and jurisdiction. It also raises questions about the feasibility for global providers to meet such ownership thresholds, shaping the future landscape of cloud sovereignty.

Free Fling File Transfer Software for Windows [PC Download]

Free Fling File Transfer Software for Windows [PC Download]

  • User-Friendly FTP Interface: Intuitive FTP client interface
  • Reliable Site Management: Easy and dependable FTP site maintenance
  • Automated File Transfers: FTP automation and synchronization

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Origins and Evolution of the Sovereignty Testing Framework

France’s SecNumCloud was launched in 2016 by ANSSI, evolving into a rigorous qualification with over 360 criteria across technical, operational, and legal themes. Unlike typical certifications, it directly tests legal sovereignty through ownership controls, starting with the referential version 3.2.

The 24% ownership rule is a key feature introduced to limit foreign control and ensure EU legal jurisdiction. This rule is unique and represents a novel approach, contrasting with other standards that focus solely on security practices.

Major providers like OVHcloud and Outscale have obtained the qualification, with US-based hyperscalers unable to qualify in their native form, prompting them to create joint ventures with controlled ownership.

“The 24% ownership threshold is the most direct test of sovereignty, transforming ownership into a measurable security criterion.”

— Thorsten Meyer, cybersecurity expert

Unresolved Questions About the Practical Impact of the 24% Rule

It remains unclear how widely the ownership threshold will be adopted beyond France and whether other European countries will implement similar sovereignty tests. The long-term effectiveness of the 24% rule in preventing foreign influence is also still under discussion.

Additionally, the impact on US-based hyperscalers and their European joint ventures is evolving, with questions about how many will meet the ownership criteria and what legal challenges may arise.

Next Steps for Adoption and European Cloud Sovereignty Standards

In the coming months, more providers are expected to seek SecNumCloud qualification, especially as the framework becomes mandatory for French public data. European regulators may also consider expanding similar sovereignty tests, potentially leading to a unified European standard.

Legal and commercial negotiations around ownership structures will likely intensify, with some providers establishing joint ventures to meet the 24% limit. The debate over sovereignty versus security practice certification will continue to shape policy discussions.

Key Questions

What is the main purpose of the 24% ownership rule in SecNumCloud?

The 24% ownership rule aims to ensure legal sovereignty by limiting foreign control over cloud providers hosting sensitive data in France and Europe.

How does SecNumCloud differ from other security certifications?

Unlike certifications such as ISO 27001 or SOC 2, SecNumCloud is a qualification that tests legal sovereignty through ownership controls, not just security practices.

Can foreign companies still operate in Europe under SecNumCloud?

Yes, but they must limit foreign ownership to 24% or less, often by creating joint ventures with controlled ownership structures.

Will other European countries adopt similar sovereignty tests?

This is currently uncertain. France’s approach is pioneering, but broader European adoption depends on policy developments and legal harmonization efforts.

What challenges do providers face in meeting the 24% ownership threshold?

Providers must carefully structure ownership and control arrangements, often involving complex legal and corporate strategies to comply with the strict limit.

Source: ThorstenMeyerAI.com

You May Also Like

Reclaim Control: Own Your AI Model Instead Of Renting With Mistral Forge

Mistral’s Forge enables organizations to build and operate proprietary AI models, shifting control away from API-based solutions. Details and implications explained.

Cybersecurity in 2025: Biggest Threats and Company Responses

Cybersecurity in 2025 presents escalating AI vulnerabilities and supply chain risks, compelling companies to adapt quickly—discover the essential strategies to stay protected.

Readiness: Before You Fund The Answer

A new diagnostic tool offers companies a 20-minute assessment to determine if their AI investments are ready, helping avoid costly failures.

The Future of Social Media 2026: Will We Be in the Metaverse?

Absolutely, by 2026 social media will be fully integrated into the metaverse, transforming online interactions into immersive experiences; discover how this will reshape your digital world.