How The 24% Rule Exposes The Illusions In AI Sovereignty Certification Claims

📊 Full opportunity report: How The 24% Rule Exposes The Illusions In AI Sovereignty Certification Claims on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership cap in France’s SecNumCloud framework reveals that sovereignty certifications focus on control, not legal immunity. This challenges claims of true AI sovereignty based solely on certifications.

The 24% ownership threshold in France’s SecNumCloud framework has emerged as a critical measure that reveals the limitations of sovereignty certifications for cloud and AI providers. While many vendors display a variety of security badges, only this ownership rule directly tests whether a provider can be compelled by foreign law, making it a unique and revealing standard. This development matters because it shifts focus from security practices to control and jurisdiction, impacting how organizations assess sovereignty claims.

SecNumCloud, created by France’s ANSSI, is not a traditional certification but a government-issued qualification that includes a specific ownership control rule. The rule states that foreign companies holding more than 24% ownership or voting rights cannot meet the sovereignty standard, which requires EU control and immunity from non-EU extraterritorial laws. As of mid-2026, about a dozen providers, including OVHcloud and Outscale, have achieved or are pursuing this qualification, which is mandatory for hosting sensitive French public-sector data.

This ownership rule is arithmetic-based and easy to verify, making it a practical tool for assessing sovereignty. It effectively disqualifies US-based hyperscalers like AWS, Microsoft, and Google from meeting the threshold unless control is transferred or ownership is restructured. Vendors like Thales and Capgemini have created joint ventures with US firms to meet the 24% limit, illustrating how the rule influences control structures. However, the rule does not eliminate legal risks associated with jurisdiction; it merely tests ownership control explicitly.

At a glance
analysisWhen: developing; as of mid-2026, several pro…
The developmentThe article examines how the 24% ownership rule in France’s SecNumCloud framework exposes limitations in sovereignty certification claims for AI and cloud providers.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for AI and Cloud Sovereignty

The 24% rule exposes a fundamental flaw in claims of sovereignty based solely on security certifications. While certifications like SecNumCloud and C5 demonstrate security practices, they do not address legal jurisdiction or extraterritorial laws. The ownership control standard directly tests whether a provider can be subject to foreign legal orders, making it a more definitive measure of sovereignty. This shift could influence procurement decisions, especially for sensitive data in regulated industries, and challenge the narrative that security badges alone suffice for sovereignty claims.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background of Sovereignty Certification Frameworks and the 24% Control Rule

Traditionally, security certifications such as ISO 27001, SOC 2, and BSI C5 focus on operational security controls, verifying that providers run their systems securely and competently. However, they do not address legal jurisdiction or sovereignty directly. France’s SecNumCloud, introduced in 2016 and now in version 3.2, adds a unique element: a control based on ownership and legal sovereignty, specifically a 24% ownership threshold for foreign entities. This rule is part of a broader effort to ensure providers hosting sensitive data are subject to EU law and immunity from non-EU extraterritorial laws.

Other frameworks, like BSI C5, include jurisdiction disclosures but do not impose control limits. The key difference is that SecNumCloud’s ownership cap is arithmetic and checkable, making it a practical test of sovereignty that complements security standards. The framework has become mandatory for French public-sector data and is being pushed into critical infrastructure sectors.

“The 24% ownership rule is a straightforward arithmetic test that reveals whether a provider can truly claim sovereignty or is still under foreign control.”

— Thorsten Meyer, AI security expert

Amazon

ownership control verification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Uncertainties About Sovereignty Certification Effectiveness

It remains unclear how widely the 24% ownership rule will influence global cloud procurement beyond France and whether other jurisdictions will adopt similar standards. Additionally, while the rule effectively tests ownership, it does not address other sovereignty concerns such as legal enforcement, data access, or compliance with extraterritorial laws. The long-term impact on US hyperscalers and their ability to meet sovereignty claims through restructuring is still evolving, and the practical enforceability of these ownership limits in complex corporate structures remains to be seen.

Burning Suite - Burn and Copy Software - CD/DVD/Blu-ray - Data, Music, Video - the all-in-one solution for Win 11, 10

Burning Suite – Burn and Copy Software – CD/DVD/Blu-ray – Data, Music, Video – the all-in-one solution for Win 11, 10

Data Loss Prevention – Avoid losing important files by securely backing up your data on CDs, DVDs, or…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in Sovereignty Certification and Control Structures

As of mid-2026, more providers are expected to achieve SecNumCloud qualification, and the focus will likely shift toward how ownership structures are adjusted to meet the 24% threshold. Regulatory bodies in France and the EU may expand or refine sovereignty standards, potentially influencing other jurisdictions. Additionally, legal and corporate strategies from US-based providers to circumvent ownership limits will be closely watched, alongside discussions on whether control or jurisdiction should be the primary criterion for sovereignty claims.

Hero’s Pride Professional Security Guard Badge - Black & Silver Enameled Finish - 2.25" x 3.125" with Secure 5-Piece Pin Catch

Hero’s Pride Professional Security Guard Badge – Black & Silver Enameled Finish – 2.25" x 3.125" with Secure 5-Piece Pin Catch

SECURITY GUARD BADGE: This metal uniform badge is expertly made to be visible to complement other uniform accessories,…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What does the 24% ownership rule mean for US cloud providers?

The rule limits foreign ownership to 24%, meaning US providers must restructure ownership or control to meet the sovereignty standard, which could involve joint ventures or other control arrangements.

Does holding a security certification guarantee sovereignty?

No. Certifications like SecNumCloud or C5 demonstrate security practices but do not address legal jurisdiction or immunity from foreign laws. The 24% rule specifically tests ownership control, a different aspect of sovereignty.

Can a provider meet the sovereignty standard without changing ownership?

Typically no. The ownership control threshold is explicit; exceeding 24% ownership by foreign entities disqualifies a provider from meeting the sovereignty standard unless control is restructured.

Will other countries adopt similar sovereignty control measures?

It is uncertain. France’s approach is unique, but the concept of control-based sovereignty testing may influence other jurisdictions, especially in Europe, in the coming years.

While the 24% rule enhances sovereignty assurances, it does not eliminate legal risks related to jurisdiction or extraterritorial laws. Organizations must consider both security certifications and control standards when assessing providers.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

StubHub, CEO Hit With ‘Deceptive Practices’ Class Action Over Mass Scalping

A class action alleges StubHub and its CEO engaged in deceptive practices related to mass ticket scalping, raising legal and ethical concerns.

Bally’s, Planet Fitness, and Choice Hotels Shares Are Falling, What You Need To Know

Shares of Bally’s, Planet Fitness, and Choice Hotels declined sharply as oil prices surged, raising inflation fears and impacting consumer spending outlooks.

The Orchestration Layer Arrives: What Anthropic’s Finance Agents Mean for Bloomberg, FactSet, and Wall Street

Anthropic releases ten financial agent templates and Claude’s orchestration layer, enabling integration with major data providers, challenging Bloomberg’s UI dominance.

The mandate. Why the US conversational- finance surface does not translate to Europe.

The US launches permissionless personal-finance surfaces; Europe’s mandates reshape the market architecture, creating distinct regulatory and operational environments.