Why The 24% Rule Calls Into Question AI Sovereign Cloud Certification Claims

📊 Full opportunity report: Why The 24% Rule Calls Into Question AI Sovereign Cloud Certification Claims on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership threshold used in France’s SecNumCloud framework raises doubts about the sovereignty claims of cloud providers. This challenges the assumption that certifications alone guarantee legal immunity from non-EU laws, especially for US-based companies operating in Europe.

European cybersecurity frameworks, notably France’s SecNumCloud, use a 24% ownership threshold to determine legal sovereignty for cloud providers. This criterion is now calling into question the sovereignty claims of some providers, especially US-based hyperscalers attempting to meet EU legal requirements. The development impacts the credibility of certifications that focus solely on security practices but do not address legal jurisdiction.

SecNumCloud, managed by France’s ANSSI, is a government-issued qualification that emphasizes legal sovereignty through ownership control, requiring companies to hold less than 24% of voting rights if they are not based in the EU. This ownership cap is a straightforward, measurable arithmetic test, designed to prevent non-EU control and ensure compliance with EU laws.

Meanwhile, existing certifications like ISO 27001, SOC 2, and BSI C5 focus on security practices—such as encryption, access controls, and incident response—and do not address jurisdictional control. For example, a provider with a US parent can hold multiple security badges but still fall under US jurisdiction due to ownership and legal ties.

Major US hyperscalers, including Amazon, Microsoft, and Google, cannot directly qualify for SecNumCloud because of their ownership structures. Instead, they have established joint ventures or control arrangements—such as Thales–Google’s S3NS or Capgemini–Orange’s Bleu—that meet the 24% ownership rule. These arrangements allow them to claim sovereignty, but critics argue they do not truly eliminate jurisdictional risks.

At a glance
analysisWhen: developing as of mid-2026, ongoing disc…
The developmentThe article examines how the 24% ownership rule questions the sovereignty claims of cloud providers claiming EU certification, with implications for European data security standards.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications for European Data Sovereignty and Certification Validity

The 24% ownership rule exposes a fundamental gap in the way cloud sovereignty is certified. While certifications like SecNumCloud provide a government-backed assurance of legal control, they do not guarantee immunity from non-EU laws such as the CLOUD Act. This distinction is critical for organizations handling sensitive data in regulated European industries, as reliance on security certifications alone may give a false sense of legal protection.

As a result, European regulators and enterprises face a complex landscape where ownership control and certification claims must be evaluated together. The controversy over the 24% threshold highlights the ongoing debate about what truly constitutes sovereignty in the cloud era and whether current frameworks adequately address jurisdictional risks.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Frameworks and the Limits of Certification

The concept of sovereignty in cloud services has evolved with frameworks like France’s SecNumCloud and Germany’s BSI C5. SecNumCloud, introduced in 2016 and now in version 3.2, is a qualification issued by ANSSI that combines technical standards with legal sovereignty requirements. Its core innovation is the ownership cap, which limits control by non-EU entities to 24% of voting rights.

In contrast, certifications such as BSI C5, introduced in 2016, focus on security controls but explicitly require disclosure of jurisdiction and data location. They do not, however, prevent providers from being subject to non-EU laws, especially if the provider’s parent company is US-based.

The challenge arises because US hyperscalers cannot qualify directly for SecNumCloud due to ownership restrictions. They have instead created controlled joint ventures or subsidiaries—like Thales–Google’s S3NS—that meet the ownership threshold while still being ultimately controlled by foreign entities. This workaround raises questions about the actual sovereignty these arrangements confer.

“While the certification indicates compliance with security standards, it does not guarantee immunity from laws like the CLOUD Act, which can still apply under foreign ownership.”

— A European regulator familiar with SecNumCloud

Shadow AI From Unsanctioned Use to Enterprise Value: Discovery, Risk Management, and Enablement for the AI-Powered Enterprise (The Agentic Enterprise Series)

Shadow AI From Unsanctioned Use to Enterprise Value: Discovery, Risk Management, and Enablement for the AI-Powered Enterprise (The Agentic Enterprise Series)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Actual Sovereignty and Control

It remains unclear whether the ownership threshold effectively guarantees legal immunity from non-EU laws in practice. Critics argue that controlled joint ventures or minority ownerships do not truly prevent foreign governments from exerting influence or legal pressure, especially in cases where the controlling entity is ultimately foreign-owned.

Additionally, the long-term evolution of these frameworks and whether regulators will tighten ownership limits or introduce new criteria is still uncertain. The practical impact of these arrangements on data sovereignty and compliance remains to be fully tested in legal and operational scenarios.

Amazon

EU data sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Certification and Sovereignty Standards

Regulators in Europe are expected to review and potentially refine the ownership rules and sovereignty criteria in upcoming revisions of frameworks like SecNumCloud. Enterprises and providers will need to reassess their control structures and legal arrangements to ensure compliance and true sovereignty claims.

Legal challenges and audits are likely to increase as stakeholders scrutinize whether these arrangements genuinely prevent jurisdictional reach by non-EU authorities. Meanwhile, more providers may seek to demonstrate sovereignty through direct control or local ownership to meet evolving regulatory demands.

Amazon

cloud ownership control verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

No, certifications like ISO 27001, SOC 2, or C5 primarily verify security practices. They do not ensure immunity from non-EU laws or jurisdictional control.

What is the significance of the 24% ownership rule?

The 24% threshold is a measurable control designed to limit foreign influence, aiming to ensure legal sovereignty under frameworks like SecNumCloud. However, it does not eliminate jurisdictional risks entirely.

Can US hyperscalers qualify for SecNumCloud?

Generally, no. US-based providers cannot meet the ownership restrictions directly but can create controlled joint ventures or subsidiaries that do, though the sovereignty of these arrangements is debated.

Will the ownership threshold change in the future?

European regulators are considering revisions, but specific changes are not yet confirmed. The focus remains on balancing security, sovereignty, and operational flexibility.

What does this mean for organizations handling sensitive data?

Organizations must evaluate not only security certifications but also the ownership and control structures of their cloud providers to ensure compliance with sovereignty requirements.

Source: ThorstenMeyerAI.com

You May Also Like

Different Game, or Already Lost? Reading Mistral’s Sovereignty Bet

Mistral emphasizes European control over AI infrastructure and models. Is this a strategic advantage or a sign Europe is lagging behind US and Chinese giants?

Europe Regulated the Interface and Forgot to Build the Engine

Europe prioritized regulating AI interfaces over developing core AI technology, leaving it behind in the global AI race amid mounting challenges.

The Eye Over the City: How Wide-Area Motion Imagery Works — and Where It Goes Blind

An in-depth look at WAMI technology, its capabilities, limitations, and future directions in city-wide surveillance and security.

The Continual Learning Research Map: Where the Memento Constraint Stands in May 2026

Six months after initial analysis, the research community confirms the Memento Constraint remains a key bottleneck in AI continual learning, with no ready solutions yet.