📊 Full opportunity report: Why The 24% Rule Calls Into Question AI Sovereign Cloud Certification Claims on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership threshold used in France’s SecNumCloud framework raises doubts about the sovereignty claims of cloud providers. This challenges the assumption that certifications alone guarantee legal immunity from non-EU laws, especially for US-based companies operating in Europe.
European cybersecurity frameworks, notably France’s SecNumCloud, use a 24% ownership threshold to determine legal sovereignty for cloud providers. This criterion is now calling into question the sovereignty claims of some providers, especially US-based hyperscalers attempting to meet EU legal requirements. The development impacts the credibility of certifications that focus solely on security practices but do not address legal jurisdiction.
SecNumCloud, managed by France’s ANSSI, is a government-issued qualification that emphasizes legal sovereignty through ownership control, requiring companies to hold less than 24% of voting rights if they are not based in the EU. This ownership cap is a straightforward, measurable arithmetic test, designed to prevent non-EU control and ensure compliance with EU laws.
Meanwhile, existing certifications like ISO 27001, SOC 2, and BSI C5 focus on security practices—such as encryption, access controls, and incident response—and do not address jurisdictional control. For example, a provider with a US parent can hold multiple security badges but still fall under US jurisdiction due to ownership and legal ties.
Major US hyperscalers, including Amazon, Microsoft, and Google, cannot directly qualify for SecNumCloud because of their ownership structures. Instead, they have established joint ventures or control arrangements—such as Thales–Google’s S3NS or Capgemini–Orange’s Bleu—that meet the 24% ownership rule. These arrangements allow them to claim sovereignty, but critics argue they do not truly eliminate jurisdictional risks.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications for European Data Sovereignty and Certification Validity
The 24% ownership rule exposes a fundamental gap in the way cloud sovereignty is certified. While certifications like SecNumCloud provide a government-backed assurance of legal control, they do not guarantee immunity from non-EU laws such as the CLOUD Act. This distinction is critical for organizations handling sensitive data in regulated European industries, as reliance on security certifications alone may give a false sense of legal protection.
As a result, European regulators and enterprises face a complex landscape where ownership control and certification claims must be evaluated together. The controversy over the 24% threshold highlights the ongoing debate about what truly constitutes sovereignty in the cloud era and whether current frameworks adequately address jurisdictional risks.
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Frameworks and the Limits of Certification
The concept of sovereignty in cloud services has evolved with frameworks like France’s SecNumCloud and Germany’s BSI C5. SecNumCloud, introduced in 2016 and now in version 3.2, is a qualification issued by ANSSI that combines technical standards with legal sovereignty requirements. Its core innovation is the ownership cap, which limits control by non-EU entities to 24% of voting rights.
In contrast, certifications such as BSI C5, introduced in 2016, focus on security controls but explicitly require disclosure of jurisdiction and data location. They do not, however, prevent providers from being subject to non-EU laws, especially if the provider’s parent company is US-based.
The challenge arises because US hyperscalers cannot qualify directly for SecNumCloud due to ownership restrictions. They have instead created controlled joint ventures or subsidiaries—like Thales–Google’s S3NS—that meet the ownership threshold while still being ultimately controlled by foreign entities. This workaround raises questions about the actual sovereignty these arrangements confer.
“While the certification indicates compliance with security standards, it does not guarantee immunity from laws like the CLOUD Act, which can still apply under foreign ownership.”
— A European regulator familiar with SecNumCloud

Shadow AI From Unsanctioned Use to Enterprise Value: Discovery, Risk Management, and Enablement for the AI-Powered Enterprise (The Agentic Enterprise Series)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About Actual Sovereignty and Control
It remains unclear whether the ownership threshold effectively guarantees legal immunity from non-EU laws in practice. Critics argue that controlled joint ventures or minority ownerships do not truly prevent foreign governments from exerting influence or legal pressure, especially in cases where the controlling entity is ultimately foreign-owned.
Additionally, the long-term evolution of these frameworks and whether regulators will tighten ownership limits or introduce new criteria is still uncertain. The practical impact of these arrangements on data sovereignty and compliance remains to be fully tested in legal and operational scenarios.
EU data sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Certification and Sovereignty Standards
Regulators in Europe are expected to review and potentially refine the ownership rules and sovereignty criteria in upcoming revisions of frameworks like SecNumCloud. Enterprises and providers will need to reassess their control structures and legal arrangements to ensure compliance and true sovereignty claims.
Legal challenges and audits are likely to increase as stakeholders scrutinize whether these arrangements genuinely prevent jurisdictional reach by non-EU authorities. Meanwhile, more providers may seek to demonstrate sovereignty through direct control or local ownership to meet evolving regulatory demands.
cloud ownership control verification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Does a security certification guarantee legal sovereignty?
No, certifications like ISO 27001, SOC 2, or C5 primarily verify security practices. They do not ensure immunity from non-EU laws or jurisdictional control.
What is the significance of the 24% ownership rule?
The 24% threshold is a measurable control designed to limit foreign influence, aiming to ensure legal sovereignty under frameworks like SecNumCloud. However, it does not eliminate jurisdictional risks entirely.
Can US hyperscalers qualify for SecNumCloud?
Generally, no. US-based providers cannot meet the ownership restrictions directly but can create controlled joint ventures or subsidiaries that do, though the sovereignty of these arrangements is debated.
Will the ownership threshold change in the future?
European regulators are considering revisions, but specific changes are not yet confirmed. The focus remains on balancing security, sovereignty, and operational flexibility.
What does this mean for organizations handling sensitive data?
Organizations must evaluate not only security certifications but also the ownership and control structures of their cloud providers to ensure compliance with sovereignty requirements.
Source: ThorstenMeyerAI.com