📊 Full opportunity report: Breaking Down The 24% Rule In Relation To AI Sovereign Cloud Certification on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule is a key criterion in France’s SecNumCloud certification, determining legal sovereignty over cloud services. It impacts provider eligibility and European data control, especially for foreign-owned firms.

The 24% ownership control rule is a critical component of France’s SecNumCloud certification, which requires cloud providers to limit foreign ownership to ensure legal sovereignty over data. This rule directly impacts which companies qualify for the certification and how they operate within the European Union.

SecNumCloud, created by France’s ANSSI in 2016, is a qualification that certifies providers meet strict security and sovereignty standards, including EU legal domicile, EU-only data storage, and audited key custody. The ownership cap stipulates that companies holding more than 24% of voting rights or ownership interests in a provider cannot control the service, ensuring European legal control.

This ownership rule is arithmetic-based, making it a unique and rigorous test of ownership and control. Providers such as OVHcloud, Outscale, and Scaleway have achieved SecNumCloud status, which is mandatory for hosting sensitive French public-sector data and increasingly relevant for critical infrastructure providers under EU regulations.

Because US-based hyperscalers like AWS are subject to laws like the CLOUD Act, they cannot directly qualify for SecNumCloud unless they modify control structures—such as through joint ventures where control is held by European entities. For example, Thales and Google formed S3NS, with Thales holding operational control, to navigate this rule.

At a glance
reportWhen: developing as of mid-2026
The developmentThe 24% ownership control rule is now central to SecNumCloud certification, affecting European cloud providers and foreign companies operating in France.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for European Data Sovereignty

The 24% ownership rule fundamentally enforces European sovereignty over data by limiting foreign control of certified cloud providers. This measure aims to prevent non-EU law from compelling access to data stored within the EU, addressing concerns over legal jurisdiction and foreign government influence.

For European governments and organizations handling sensitive data, compliance with SecNumCloud and its ownership restrictions provides assurance that the provider is under European legal control. However, it also complicates partnerships with US firms, which must restructure ownership or control to meet the threshold, potentially affecting market dynamics and cloud adoption strategies.

This rule is expected to influence procurement decisions, cloud market competition, and the development of European sovereignty frameworks for cloud services, shaping the landscape through at least 2027 and beyond.

Amazon

European cloud sovereignty certification guide

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Legal and Certification Frameworks Shaping Cloud Sovereignty

SecNumCloud is a government-backed qualification issued by ANSSI, France’s cybersecurity agency, based on over 360 criteria across technical, organizational, operational, and legal themes. Unlike typical certifications such as ISO 27001, SecNumCloud explicitly incorporates legal sovereignty requirements, including data residency, jurisdiction, and ownership controls.

The ownership cap is unique among cloud certifications, serving as a practical arithmetic test of control. It is designed to prevent foreign control, especially by US companies subject to laws like the CLOUD Act, from dominating cloud services that host sensitive or critical data within the EU.

While standards like BSI C5 focus on security controls and transparency, they do not address sovereignty directly. The key difference is that SecNumCloud’s ownership rule ensures actual control remains within the EU, making it a crucial criterion for compliance and market access in France and potentially across Europe.

“The 24% ownership rule is an arithmetic test of control, not a security standard. It directly addresses sovereignty by limiting foreign ownership to ensure legal control.”

— Thorsten Meyer

Outstanding Questions About the 24% Ownership Rule’s Application

It remains unclear how strictly the ownership control will be enforced across different providers and whether future amendments will modify the thresholds or control definitions. Additionally, the impact on US-based companies attempting to qualify through joint ventures or control restructuring is still evolving, with legal and operational strategies being tested.

Further clarification is needed on how the rule will be applied to multinational corporations and whether new legal frameworks or bilateral agreements could influence the ownership limits or control assessments.

Next Steps for Providers and Policymakers on Data Sovereignty

Providers seeking SecNumCloud certification will continue to adapt their ownership and control structures, with several already in the pipeline to meet the 24% threshold. Regulatory agencies are expected to clarify enforcement and compliance procedures over the coming months.

European policymakers may also consider whether to expand or refine sovereignty criteria, potentially influencing broader cloud regulation and the development of European-controlled cloud infrastructure. Additionally, US companies are exploring joint ventures and control arrangements to navigate these restrictions, shaping the competitive landscape.

Key Questions

What is the 24% ownership rule in SecNumCloud?

The 24% ownership rule limits the voting rights or ownership interests a non-EU company can hold in a cloud provider to ensure European control and sovereignty over data, preventing foreign governments from compelling access.

Why is the ownership cap significant for cloud providers?

It is a practical, arithmetic test of control that directly addresses legal sovereignty. Providers must structure ownership to stay below 24% to qualify for certification, especially if they are foreign-owned.

Does the 24% rule mean US companies cannot operate in France?

US companies can operate if they restructure ownership or control to meet the 24% threshold, often through joint ventures with European entities that hold control.

How does SecNumCloud differ from other security standards?

Unlike standards like ISO 27001 or BSI C5, SecNumCloud explicitly incorporates sovereignty and control criteria, including the ownership cap, making it unique in addressing legal jurisdiction.

What are the implications for European data sovereignty?

The rule aims to prevent non-EU control over cloud services hosting sensitive data, strengthening European sovereignty and reducing foreign influence over critical infrastructure.

Source: ThorstenMeyerAI.com

You May Also Like

Forezai · TradingAgents: A Trading Firm Made of Agents

Forezai introduces TradingAgents, an open-source framework mimicking a trading desk with specialized AI agents debating and vetting market decisions.

The Top Reasons To Keep An Eye On AI Operations Like Claude Fable

Exploring the importance of monitoring AI tools like Claude Fable for operational decision-making amid rapid policy and capability shifts.

Mobilisiert, Nicht Ausgegeben: Was Von Europas €200-Milliarden-KI-Offensive üBrig Bleibt

Die EU kündigt eine KI-Investitionsoffensive an, doch die tatsächlichen Mittel sind viel geringer und langsamer als die Schlagzeile vermuten. Was bleibt unklar?

Rente Mit 63

The German government has announced plans to phase out the ‘Rente mit 63’ early retirement scheme, affecting future retirees and pension policy.