📊 Full opportunity report: How The 24% Rule Exposes The Illusions In AI Sovereignty Certification Claims on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership cap in France’s SecNumCloud framework reveals that sovereignty certifications focus on control, not legal immunity. This challenges claims of true AI sovereignty based solely on certifications.
The 24% ownership threshold in France’s SecNumCloud framework has emerged as a critical measure that reveals the limitations of sovereignty certifications for cloud and AI providers. While many vendors display a variety of security badges, only this ownership rule directly tests whether a provider can be compelled by foreign law, making it a unique and revealing standard. This development matters because it shifts focus from security practices to control and jurisdiction, impacting how organizations assess sovereignty claims.
SecNumCloud, created by France’s ANSSI, is not a traditional certification but a government-issued qualification that includes a specific ownership control rule. The rule states that foreign companies holding more than 24% ownership or voting rights cannot meet the sovereignty standard, which requires EU control and immunity from non-EU extraterritorial laws. As of mid-2026, about a dozen providers, including OVHcloud and Outscale, have achieved or are pursuing this qualification, which is mandatory for hosting sensitive French public-sector data.
This ownership rule is arithmetic-based and easy to verify, making it a practical tool for assessing sovereignty. It effectively disqualifies US-based hyperscalers like AWS, Microsoft, and Google from meeting the threshold unless control is transferred or ownership is restructured. Vendors like Thales and Capgemini have created joint ventures with US firms to meet the 24% limit, illustrating how the rule influences control structures. However, the rule does not eliminate legal risks associated with jurisdiction; it merely tests ownership control explicitly.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for AI and Cloud Sovereignty
The 24% rule exposes a fundamental flaw in claims of sovereignty based solely on security certifications. While certifications like SecNumCloud and C5 demonstrate security practices, they do not address legal jurisdiction or extraterritorial laws. The ownership control standard directly tests whether a provider can be subject to foreign legal orders, making it a more definitive measure of sovereignty. This shift could influence procurement decisions, especially for sensitive data in regulated industries, and challenge the narrative that security badges alone suffice for sovereignty claims.
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background of Sovereignty Certification Frameworks and the 24% Control Rule
Traditionally, security certifications such as ISO 27001, SOC 2, and BSI C5 focus on operational security controls, verifying that providers run their systems securely and competently. However, they do not address legal jurisdiction or sovereignty directly. France’s SecNumCloud, introduced in 2016 and now in version 3.2, adds a unique element: a control based on ownership and legal sovereignty, specifically a 24% ownership threshold for foreign entities. This rule is part of a broader effort to ensure providers hosting sensitive data are subject to EU law and immunity from non-EU extraterritorial laws.
Other frameworks, like BSI C5, include jurisdiction disclosures but do not impose control limits. The key difference is that SecNumCloud’s ownership cap is arithmetic and checkable, making it a practical test of sovereignty that complements security standards. The framework has become mandatory for French public-sector data and is being pushed into critical infrastructure sectors.
“The 24% ownership rule is a straightforward arithmetic test that reveals whether a provider can truly claim sovereignty or is still under foreign control.”
— Thorsten Meyer, AI security expert
ownership control verification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Remaining Uncertainties About Sovereignty Certification Effectiveness
It remains unclear how widely the 24% ownership rule will influence global cloud procurement beyond France and whether other jurisdictions will adopt similar standards. Additionally, while the rule effectively tests ownership, it does not address other sovereignty concerns such as legal enforcement, data access, or compliance with extraterritorial laws. The long-term impact on US hyperscalers and their ability to meet sovereignty claims through restructuring is still evolving, and the practical enforceability of these ownership limits in complex corporate structures remains to be seen.

Burning Suite – Burn and Copy Software – CD/DVD/Blu-ray – Data, Music, Video – the all-in-one solution for Win 11, 10
Data Loss Prevention – Avoid losing important files by securely backing up your data on CDs, DVDs, or…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Future Developments in Sovereignty Certification and Control Structures
As of mid-2026, more providers are expected to achieve SecNumCloud qualification, and the focus will likely shift toward how ownership structures are adjusted to meet the 24% threshold. Regulatory bodies in France and the EU may expand or refine sovereignty standards, potentially influencing other jurisdictions. Additionally, legal and corporate strategies from US-based providers to circumvent ownership limits will be closely watched, alongside discussions on whether control or jurisdiction should be the primary criterion for sovereignty claims.

Hero’s Pride Professional Security Guard Badge – Black & Silver Enameled Finish – 2.25" x 3.125" with Secure 5-Piece Pin Catch
SECURITY GUARD BADGE: This metal uniform badge is expertly made to be visible to complement other uniform accessories,…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What does the 24% ownership rule mean for US cloud providers?
The rule limits foreign ownership to 24%, meaning US providers must restructure ownership or control to meet the sovereignty standard, which could involve joint ventures or other control arrangements.
Does holding a security certification guarantee sovereignty?
No. Certifications like SecNumCloud or C5 demonstrate security practices but do not address legal jurisdiction or immunity from foreign laws. The 24% rule specifically tests ownership control, a different aspect of sovereignty.
Can a provider meet the sovereignty standard without changing ownership?
Typically no. The ownership control threshold is explicit; exceeding 24% ownership by foreign entities disqualifies a provider from meeting the sovereignty standard unless control is restructured.
Will other countries adopt similar sovereignty control measures?
It is uncertain. France’s approach is unique, but the concept of control-based sovereignty testing may influence other jurisdictions, especially in Europe, in the coming years.
What are the implications for data security and legal risk?
While the 24% rule enhances sovereignty assurances, it does not eliminate legal risks related to jurisdiction or extraterritorial laws. Organizations must consider both security certifications and control standards when assessing providers.
Source: ThorstenMeyerAI.com