The Role Of The 24% Rule In Assessing AI Sovereign Cloud Certifications

📊 Full opportunity report: The Role Of The 24% Rule In Assessing AI Sovereign Cloud Certifications on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule in France’s SecNumCloud framework is a key measure for ensuring legal sovereignty over cloud data. It influences provider control structures and impacts US and non-EU companies operating in Europe. The rule’s implications are still unfolding as providers adapt to meet sovereignty requirements.

The 24% ownership cap in France’s SecNumCloud framework is emerging as a critical measure for ensuring legal sovereignty over cloud services in Europe. This rule, which limits ownership and voting rights held by non-EU entities, directly impacts how providers structure control and compliance. The development reflects a broader shift toward sovereignty-focused cloud regulation in Europe, with significant implications for US and international vendors operating in the region.

SecNumCloud, created by France’s ANSSI, is a qualification scheme that verifies providers’ adherence to strict security and sovereignty criteria. Unlike traditional certifications, it explicitly incorporates a legal sovereignty test based on the 24% ownership rule. This rule stipulates that ownership stakes held by companies outside the European Union must not exceed 24% individually, or 39% collectively, to qualify for the framework.

As of mid-2026, about nine to ten providers have secured an active SecNumCloud qualification, including OVHcloud, 3DS Outscale, and Scaleway. The rule is mandatory for hosting sensitive French public-sector data and is increasingly being pushed for critical infrastructure and vital services under EU directives like NIS2. This effectively forces foreign providers to modify ownership structures or face exclusion from certain government contracts.

US hyperscalers like AWS, Google, and Microsoft are unable to meet the sovereignty criteria in their native form due to their US-based ownership. However, they are creating joint ventures and control arrangements—such as Thales–Google’s S3NS and Capgemini–Orange’s Bleu—to comply with the 24% rule while maintaining operational control. These arrangements exemplify how the rule influences provider control models without outright banning US technology.

At a glance
analysisWhen: developing, as of mid-2026
The developmentThe article examines the significance of the 24% ownership control rule in SecNumCloud and its role in assessing AI and cloud service sovereignty in Europe.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Why the 24% Rule Shapes Cloud Sovereignty in Europe

The 24% ownership rule represents a fundamental shift in how European regulators assess legal sovereignty over cloud data. It moves beyond traditional security certifications, emphasizing ownership control as a decisive factor. For providers, this means restructuring ownership or control models to qualify for government contracts, especially in sensitive sectors like health, energy, and finance. For Europe, it aims to reduce reliance on non-EU companies and ensure data remains under jurisdictional control, aligning with broader sovereignty and digital independence goals. The rule’s impact extends to international vendors, compelling them to innovate control arrangements or face exclusion from critical public sector markets.

Amazon

enterprise cloud security hardware

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

The Evolution of Sovereignty Frameworks in European Cloud Policy

European cloud regulation has historically focused on security standards like ISO 27001, SOC 2, and EUCS, which certify security practices but do not address jurisdictional control. The introduction of SecNumCloud by France’s ANSSI in 2016 marked a shift toward sovereignty testing, with its unique ownership cap as a core criterion. This approach was driven by concerns over foreign influence and extraterritorial laws such as the CLOUD Act. The rule’s development aligns with EU directives like NIS2, emphasizing control over critical infrastructure and data sovereignty. US hyperscalers have responded by establishing control arrangements and joint ventures to meet these criteria, reflecting a strategic adaptation to the evolving regulatory landscape.

“The sovereignty qualification is about more than security; it’s about who ultimately controls the data and the service.”

— Anssi official (anonymous)

Amazon

data sovereignty compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About the 24% Control Limit

It is still unclear how strictly the 24% ownership rule will be enforced across different sectors and whether it will evolve to include other control factors. The impact on US-based cloud giants, which are structurally ineligible for full certification, remains a subject of debate. Additionally, the long-term effectiveness of the rule in ensuring true sovereignty—beyond ownership structure—is still being assessed. The extent to which the rule will influence global cloud market dynamics and provider strategies is also uncertain.

Amazon

secure cloud control panel

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Providers and Regulators in Sovereignty Testing

As of mid-2026, more providers are expected to pursue SecNumCloud qualification, potentially leading to new control arrangements that comply with the 24% rule. Regulators are likely to refine enforcement practices and possibly expand sovereignty criteria to include other control dimensions. US and non-EU providers are expected to continue innovating control structures, such as joint ventures or minority ownership arrangements, to meet the sovereignty standards. Meanwhile, the European Commission and national agencies may develop further guidance on sovereignty and control, shaping the future of cloud regulation in the region.

Amazon

European cloud certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule in SecNumCloud?

The 24% ownership rule limits the ownership and voting rights held by non-EU companies to 24% individually or 39% collectively, ensuring legal sovereignty over cloud services in France and potentially other EU countries.

How does the 24% rule affect US cloud providers?

US providers cannot meet the ownership cap in their native corporate structures; therefore, they are creating control arrangements or joint ventures that satisfy the rule, allowing them to participate in certain European government contracts while maintaining US jurisdiction.

Is the 24% rule the only sovereignty measure in Europe?

No, it is part of a broader framework that includes legal domicile, data storage requirements, and immunity from non-EU laws. The ownership cap is the key arithmetic test for sovereignty but works alongside other legal and operational controls.

Will the 24% rule be expanded or modified?

It is currently uncertain. Future regulatory developments may refine or expand sovereignty criteria, but as of mid-2026, the 24% ownership limit remains a central control measure.

What does this mean for cloud providers outside Europe?

Providers outside Europe may need to restructure ownership or control models to qualify for government contracts or risk exclusion from critical sectors, influencing global cloud market strategies and investments.

Source: ThorstenMeyerAI.com

You May Also Like

The Trust Shock: What Suspending Fable 5 Means for US AI, Its Rivals, and the World

US government suspends Anthropic’s Fable 5 over national security concerns, raising questions about AI trust, US leadership, and industry stability.

X down for thousands of users globally, Downdetector shows

X, formerly Twitter, is experiencing a widespread outage impacting thousands worldwide, according to Downdetector reports. The cause is still unclear.

The Six Chokepoints: How AI Stopped Being a Utility and Became a Lever

In 2026, control over AI shifted from open utility to concentrated leverage, with key chokepoints in power, compute, data, models, distribution, and capital.

Week Three — Foundation model vs Brownian motion. Kronos on five-minute BTC.

Kronos, a foundation model, was tested against Brownian motion for 5-minute BTC forecasts; results show no significant outperformance.