The 24% Rule: A Critical Look At AI Cloud Sovereignty Certification Accuracy

📊 Full opportunity report: The 24% Rule: A Critical Look At AI Cloud Sovereignty Certification Accuracy on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule in France’s SecNumCloud framework measures legal sovereignty over cloud providers. While it offers a unique ownership test, its accuracy and practical enforcement are under scrutiny. This impacts how European data sovereignty is assessed and enforced.

The 24% ownership cap in France’s SecNumCloud framework is gaining attention as a key measure of legal sovereignty for cloud providers. This rule, which limits foreign ownership to 24%, is the only publicly available arithmetic test of ownership control in European cloud sovereignty certification. Experts say it offers a more direct measure of jurisdictional independence than traditional security controls, but questions remain about its accuracy and practical enforcement.

SecNumCloud, created by France’s ANSSI, is a government-issued qualification that assesses a cloud provider’s compliance with strict legal and operational standards, including EU data domicile and audited key custody. Unlike typical certifications, it explicitly tests ownership control through a simple arithmetic rule: foreign ownership must not exceed 24% individually or 39% collectively. This rule aims to guarantee legal sovereignty over data and infrastructure, especially for providers hosting sensitive French and European public-sector data.

As of mid-2026, roughly nine to ten providers hold an active SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway. The rule’s strictness makes achieving compliance significantly more complex than standard ISO or security controls, with Scalingo CEO comparing its difficulty as a level 10 versus ISO 27001’s level 1. The framework’s focus on ownership caps makes it a unique and potentially more accurate measure of sovereignty.

At a glance
analysisWhen: developing as of mid-2026
The developmentThe article examines the 24% ownership cap in France’s SecNumCloud framework, analyzing its role in assessing legal sovereignty and the accuracy of AI cloud sovereignty certification.
Crypto market snapshot
Fear & Greed Index
28/100 — Fear
Bitcoin BTC$64,683▲ 1.2%
Ethereum ETH$1,868▲ 1.3%
Tether USDT$0.9993▼ 0.0%
BNB BNB$568.47▲ 0.1%
USDC USDC$0.9999▼ 0.0%
XRP XRP$1.1▲ 0.9%
Solana SOL$75.96▲ 1.4%
TRON TRX$0.3254▲ 1.1%
Live data · CoinGecko · alternative.me (24h change)
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap in Cloud Sovereignty

The 24% ownership rule redefines how European cloud sovereignty is assessed, emphasizing legal control over infrastructure rather than solely technical security. This has major implications for foreign tech giants operating in Europe, as they must adjust ownership structures to comply, potentially affecting market dynamics and international data access. The rule’s arithmetic simplicity offers a clear, checkable benchmark, but its accuracy and enforcement are still debated, raising questions about its effectiveness in ensuring sovereignty. Ultimately, this could influence regulatory standards and market competitiveness across Europe and beyond.

Amazon

cloud sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Origins and Purpose of the 24% Sovereignty Test

The SecNumCloud framework was introduced by France’s ANSSI in 2016, evolving to version 3.2 with over 360 criteria across technical, operational, and legal domains. Its unique feature is the ownership control test, which limits foreign ownership to 24% for individual entities and 39% collectively, ensuring legal sovereignty over cloud infrastructure hosted in the EU. Unlike traditional certifications that focus on security practices, SecNumCloud explicitly addresses jurisdictional independence. This approach responds to concerns over extraterritorial laws like the CLOUD Act, aiming to guarantee EU control over sensitive data and infrastructure.

As of 2026, the regulation is mandatory for hosting sensitive French public-sector data and increasingly relevant for Operators of Vital Importance and Operators of Essential Services. The rule’s arithmetic nature provides a straightforward, checkable measure of sovereignty, making it a distinctive feature in the landscape of cloud certifications.

“If the complexity of achieving ISO 27001 is a 1, SecNumCloud is a 10.”

— Scalingo CEO

Amazon

AI cloud security compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Limitations and Challenges of the 24% Ownership Measure

While the ownership cap provides a clear arithmetic test, questions remain about its accuracy in reflecting actual jurisdictional control. Critics argue that ownership percentage alone may not account for control mechanisms like voting rights, contractual arrangements, or indirect influence. Additionally, the potential for structural workaround—such as changing control via subsidiaries—raises concerns about the rule’s enforceability. The framework’s reliance on publicly available cap tables makes verification possible but not foolproof, especially in complex corporate structures.

Furthermore, the rule does not address other sovereignty issues like legal jurisdiction in cases of non-EU parent companies. As such, the measure is a partial solution that may need supplementation by other legal or technical safeguards, whose effectiveness remains under debate.

Amazon

data sovereignty certification guide

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Upcoming Developments in European Cloud Sovereignty Standards

As of mid-2026, more providers are pursuing SecNumCloud certification to meet French and European regulations, with several in the pipeline. The European Commission is expected to review the effectiveness of the ownership control rule and consider its adoption or adaptation across other member states. Additionally, legal and technical experts anticipate ongoing discussions about complementary measures—such as enhanced transparency, control mechanisms, and international cooperation—to strengthen sovereignty standards. The industry will closely watch how enforcement evolves, especially regarding foreign ownership structures and control verification.

Meanwhile, the debate over whether ownership percentage is sufficient or whether more nuanced control tests are needed will continue, shaping future European legislation and certification schemes.

Amazon

cloud ownership verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What exactly does the 24% ownership rule test?

The 24% ownership rule measures foreign ownership in a cloud provider, ensuring it does not exceed 24% for individual entities or 39% collectively, as a way to guarantee legal sovereignty.

No. SecNumCloud certifies security practices and compliance, but ownership control is only one aspect. The ownership cap is a key measure, but other legal factors also influence sovereignty.

Can foreign companies still operate in Europe without meeting the 24% rule?

Yes, foreign companies can operate but must limit ownership or structure control to stay under the 24% threshold if they want to qualify for SecNumCloud or meet European sovereignty standards.

How reliable is the ownership percentage as a sovereignty indicator?

While the arithmetic rule is clear, critics argue it may not fully capture control mechanisms like voting rights or indirect influence, making it a partial measure rather than a comprehensive sovereignty test.

What happens if a provider exceeds the ownership limit?

They would not qualify for SecNumCloud certification and may face restrictions under French law for hosting sensitive data, but existing providers may still operate without meeting the cap as long as they do not seek certification.

Source: ThorstenMeyerAI.com

Nothing in this article is financial or investment advice. Cryptocurrency and precious-metal investments carry significant risk — do your own research and consider a licensed advisor.
You May Also Like

The calendar technicality. Why Elon Musk’s lawsuit against Sam Altman and OpenAI lost on timing, not on substance.

A California jury dismissed Elon Musk’s lawsuit against OpenAI on procedural grounds, leaving key legal questions about the nonprofit’s restructuring unresolved.

The rails. Why European agentic commerce is co-defined by two converging regimes.

European agentic commerce is being shaped by two converging laws—PSD3/PSR and the AI Act—creating a complex, statutory infrastructure that differs from the US model.

Data retention cleanup assistant for small law firms

A new data retention cleanup assistant for small law firms is set to be tested, aiming to streamline old matter file reviews and improve operational efficiency.

Estate And Inheritance Facilitator Marketplace

A new marketplace aims to streamline estate settlement by matching executors with vetted facilitators, starting with a guided workflow test.