📊 Full opportunity report: The Role Of The 24% Rule In Assessing AI Sovereign Cloud Certifications on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership rule in France’s SecNumCloud framework is a key measure for ensuring legal sovereignty over cloud data. It influences provider control structures and impacts US and non-EU companies operating in Europe. The rule’s implications are still unfolding as providers adapt to meet sovereignty requirements.
The 24% ownership cap in France’s SecNumCloud framework is emerging as a critical measure for ensuring legal sovereignty over cloud services in Europe. This rule, which limits ownership and voting rights held by non-EU entities, directly impacts how providers structure control and compliance. The development reflects a broader shift toward sovereignty-focused cloud regulation in Europe, with significant implications for US and international vendors operating in the region.
SecNumCloud, created by France’s ANSSI, is a qualification scheme that verifies providers’ adherence to strict security and sovereignty criteria. Unlike traditional certifications, it explicitly incorporates a legal sovereignty test based on the 24% ownership rule. This rule stipulates that ownership stakes held by companies outside the European Union must not exceed 24% individually, or 39% collectively, to qualify for the framework.
As of mid-2026, about nine to ten providers have secured an active SecNumCloud qualification, including OVHcloud, 3DS Outscale, and Scaleway. The rule is mandatory for hosting sensitive French public-sector data and is increasingly being pushed for critical infrastructure and vital services under EU directives like NIS2. This effectively forces foreign providers to modify ownership structures or face exclusion from certain government contracts.
US hyperscalers like AWS, Google, and Microsoft are unable to meet the sovereignty criteria in their native form due to their US-based ownership. However, they are creating joint ventures and control arrangements—such as Thales–Google’s S3NS and Capgemini–Orange’s Bleu—to comply with the 24% rule while maintaining operational control. These arrangements exemplify how the rule influences provider control models without outright banning US technology.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why the 24% Rule Shapes Cloud Sovereignty in Europe
The 24% ownership rule represents a fundamental shift in how European regulators assess legal sovereignty over cloud data. It moves beyond traditional security certifications, emphasizing ownership control as a decisive factor. For providers, this means restructuring ownership or control models to qualify for government contracts, especially in sensitive sectors like health, energy, and finance. For Europe, it aims to reduce reliance on non-EU companies and ensure data remains under jurisdictional control, aligning with broader sovereignty and digital independence goals. The rule’s impact extends to international vendors, compelling them to innovate control arrangements or face exclusion from critical public sector markets.
enterprise cloud security hardware
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The Evolution of Sovereignty Frameworks in European Cloud Policy
European cloud regulation has historically focused on security standards like ISO 27001, SOC 2, and EUCS, which certify security practices but do not address jurisdictional control. The introduction of SecNumCloud by France’s ANSSI in 2016 marked a shift toward sovereignty testing, with its unique ownership cap as a core criterion. This approach was driven by concerns over foreign influence and extraterritorial laws such as the CLOUD Act. The rule’s development aligns with EU directives like NIS2, emphasizing control over critical infrastructure and data sovereignty. US hyperscalers have responded by establishing control arrangements and joint ventures to meet these criteria, reflecting a strategic adaptation to the evolving regulatory landscape.
“The sovereignty qualification is about more than security; it’s about who ultimately controls the data and the service.”
— Anssi official (anonymous)
data sovereignty compliance software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About the 24% Control Limit
It is still unclear how strictly the 24% ownership rule will be enforced across different sectors and whether it will evolve to include other control factors. The impact on US-based cloud giants, which are structurally ineligible for full certification, remains a subject of debate. Additionally, the long-term effectiveness of the rule in ensuring true sovereignty—beyond ownership structure—is still being assessed. The extent to which the rule will influence global cloud market dynamics and provider strategies is also uncertain.
secure cloud control panel
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Providers and Regulators in Sovereignty Testing
As of mid-2026, more providers are expected to pursue SecNumCloud qualification, potentially leading to new control arrangements that comply with the 24% rule. Regulators are likely to refine enforcement practices and possibly expand sovereignty criteria to include other control dimensions. US and non-EU providers are expected to continue innovating control structures, such as joint ventures or minority ownership arrangements, to meet the sovereignty standards. Meanwhile, the European Commission and national agencies may develop further guidance on sovereignty and control, shaping the future of cloud regulation in the region.
European cloud certification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the 24% ownership rule in SecNumCloud?
The 24% ownership rule limits the ownership and voting rights held by non-EU companies to 24% individually or 39% collectively, ensuring legal sovereignty over cloud services in France and potentially other EU countries.
How does the 24% rule affect US cloud providers?
US providers cannot meet the ownership cap in their native corporate structures; therefore, they are creating control arrangements or joint ventures that satisfy the rule, allowing them to participate in certain European government contracts while maintaining US jurisdiction.
Is the 24% rule the only sovereignty measure in Europe?
No, it is part of a broader framework that includes legal domicile, data storage requirements, and immunity from non-EU laws. The ownership cap is the key arithmetic test for sovereignty but works alongside other legal and operational controls.
Will the 24% rule be expanded or modified?
It is currently uncertain. Future regulatory developments may refine or expand sovereignty criteria, but as of mid-2026, the 24% ownership limit remains a central control measure.
What does this mean for cloud providers outside Europe?
Providers outside Europe may need to restructure ownership or control models to qualify for government contracts or risk exclusion from critical sectors, influencing global cloud market strategies and investments.
Source: ThorstenMeyerAI.com