📊 Full opportunity report: Breaking Down The 24% Rule In Relation To AI Sovereign Cloud Certification on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership rule is a key criterion in France’s SecNumCloud certification, determining legal sovereignty over cloud services. It impacts provider eligibility and European data control, especially for foreign-owned firms.
The 24% ownership control rule is a critical component of France’s SecNumCloud certification, which requires cloud providers to limit foreign ownership to ensure legal sovereignty over data. This rule directly impacts which companies qualify for the certification and how they operate within the European Union.
SecNumCloud, created by France’s ANSSI in 2016, is a qualification that certifies providers meet strict security and sovereignty standards, including EU legal domicile, EU-only data storage, and audited key custody. The ownership cap stipulates that companies holding more than 24% of voting rights or ownership interests in a provider cannot control the service, ensuring European legal control.
This ownership rule is arithmetic-based, making it a unique and rigorous test of ownership and control. Providers such as OVHcloud, Outscale, and Scaleway have achieved SecNumCloud status, which is mandatory for hosting sensitive French public-sector data and increasingly relevant for critical infrastructure providers under EU regulations.
Because US-based hyperscalers like AWS are subject to laws like the CLOUD Act, they cannot directly qualify for SecNumCloud unless they modify control structures—such as through joint ventures where control is held by European entities. For example, Thales and Google formed S3NS, with Thales holding operational control, to navigate this rule.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for European Data Sovereignty
The 24% ownership rule fundamentally enforces European sovereignty over data by limiting foreign control of certified cloud providers. This measure aims to prevent non-EU law from compelling access to data stored within the EU, addressing concerns over legal jurisdiction and foreign government influence.
For European governments and organizations handling sensitive data, compliance with SecNumCloud and its ownership restrictions provides assurance that the provider is under European legal control. However, it also complicates partnerships with US firms, which must restructure ownership or control to meet the threshold, potentially affecting market dynamics and cloud adoption strategies.
This rule is expected to influence procurement decisions, cloud market competition, and the development of European sovereignty frameworks for cloud services, shaping the landscape through at least 2027 and beyond.
European cloud sovereignty certification guide
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Legal and Certification Frameworks Shaping Cloud Sovereignty
SecNumCloud is a government-backed qualification issued by ANSSI, France’s cybersecurity agency, based on over 360 criteria across technical, organizational, operational, and legal themes. Unlike typical certifications such as ISO 27001, SecNumCloud explicitly incorporates legal sovereignty requirements, including data residency, jurisdiction, and ownership controls.
The ownership cap is unique among cloud certifications, serving as a practical arithmetic test of control. It is designed to prevent foreign control, especially by US companies subject to laws like the CLOUD Act, from dominating cloud services that host sensitive or critical data within the EU.
While standards like BSI C5 focus on security controls and transparency, they do not address sovereignty directly. The key difference is that SecNumCloud’s ownership rule ensures actual control remains within the EU, making it a crucial criterion for compliance and market access in France and potentially across Europe.
“The 24% ownership rule is an arithmetic test of control, not a security standard. It directly addresses sovereignty by limiting foreign ownership to ensure legal control.”
— Thorsten Meyer
Outstanding Questions About the 24% Ownership Rule’s Application
It remains unclear how strictly the ownership control will be enforced across different providers and whether future amendments will modify the thresholds or control definitions. Additionally, the impact on US-based companies attempting to qualify through joint ventures or control restructuring is still evolving, with legal and operational strategies being tested.
Further clarification is needed on how the rule will be applied to multinational corporations and whether new legal frameworks or bilateral agreements could influence the ownership limits or control assessments.
Next Steps for Providers and Policymakers on Data Sovereignty
Providers seeking SecNumCloud certification will continue to adapt their ownership and control structures, with several already in the pipeline to meet the 24% threshold. Regulatory agencies are expected to clarify enforcement and compliance procedures over the coming months.
European policymakers may also consider whether to expand or refine sovereignty criteria, potentially influencing broader cloud regulation and the development of European-controlled cloud infrastructure. Additionally, US companies are exploring joint ventures and control arrangements to navigate these restrictions, shaping the competitive landscape.
Key Questions
What is the 24% ownership rule in SecNumCloud?
The 24% ownership rule limits the voting rights or ownership interests a non-EU company can hold in a cloud provider to ensure European control and sovereignty over data, preventing foreign governments from compelling access.
Why is the ownership cap significant for cloud providers?
It is a practical, arithmetic test of control that directly addresses legal sovereignty. Providers must structure ownership to stay below 24% to qualify for certification, especially if they are foreign-owned.
Does the 24% rule mean US companies cannot operate in France?
US companies can operate if they restructure ownership or control to meet the 24% threshold, often through joint ventures with European entities that hold control.
How does SecNumCloud differ from other security standards?
Unlike standards like ISO 27001 or BSI C5, SecNumCloud explicitly incorporates sovereignty and control criteria, including the ownership cap, making it unique in addressing legal jurisdiction.
What are the implications for European data sovereignty?
The rule aims to prevent non-EU control over cloud services hosting sensitive data, strengthening European sovereignty and reducing foreign influence over critical infrastructure.
Source: ThorstenMeyerAI.com