📊 Full opportunity report: Evaluating AI Sovereignty Certifications In Light Of The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

This article examines the emerging landscape of AI sovereignty certifications, highlighting France’s SecNumCloud and the unique 24% ownership rule. It explores how these frameworks impact data control, legal jurisdiction, and provider compliance in Europe.

France’s national cybersecurity agency, ANSSI, has implemented the SecNumCloud certification, which includes a unique ownership control rule — the 24% threshold — to ensure legal sovereignty over cloud services hosting sensitive data. This development signals a shift toward formalized sovereignty testing in European AI and cloud services, with significant implications for providers and clients concerned about jurisdictional risks.

SecNumCloud, created by ANSSI, is not a traditional certification but a government-issued qualification that verifies a provider’s compliance with strict legal sovereignty criteria, including EU domicile, data storage, and immunity from non-EU extraterritorial law. The key feature is the 24% ownership rule, which limits individual foreign control to 24%, or combined control to 39%, to prevent non-EU influence over critical data infrastructure.

As of mid-2026, approximately nine providers hold active SecNumCloud qualifications, including OVHcloud and Scaleway, with a dozen more in the pipeline. The certification is mandatory for hosting sensitive French public-sector data and is being promoted for vital European sectors under NIS2 regulations.

In contrast, other frameworks like BSI C5 and EUCS focus on operational security practices and do not address legal sovereignty directly. BSI C5, for example, requires disclosure of jurisdiction and data location but does not prevent control by non-EU entities. AWS’s European Sovereign Cloud, certified with a C5 report, remains subject to US law despite its physical separation within the EU.

At a glance
analysisWhen: ongoing, with key certifications issued…
The developmentThe development centers on the evaluation of AI sovereignty certifications, particularly France’s SecNumCloud and the 24% ownership rule, as part of efforts to ensure legal sovereignty over data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Impact of Sovereignty Rules on Cloud and AI Providers

The 24% ownership rule and SecNumCloud’s sovereignty criteria introduce a new dimension to cloud service selection, emphasizing legal control and ownership structure over mere security practices. This shift affects how providers structure their ownership and control models to meet European legal requirements, potentially limiting US-based providers’ ability to offer fully sovereign services without restructuring.

For European clients, these certifications aim to reduce jurisdictional risks, especially in sensitive sectors like health, energy, and finance. However, the complexity and strictness of the rules could limit market competition and influence global cloud strategies, with US hyperscalers adapting through joint ventures or control arrangements.

Amazon

AI sovereignty certification compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background of European Sovereignty and Certification Frameworks

European countries have long sought to assert legal sovereignty over data, especially in regulated industries. France’s SecNumCloud, introduced in 2016 and now on version 3.2, is part of this effort, combining technical, organizational, and legal requirements. It is distinct from operational security standards like ISO 27001 or BSI C5, which focus on security controls rather than jurisdictional control.

The 24% ownership rule was introduced as a practical measure to prevent non-EU entities from exerting significant influence over critical cloud services, reflecting concerns over foreign control and legal exposure. This rule is unique and arithmetic-based, making it a clear, checkable criterion for sovereignty.

Meanwhile, US hyperscalers like AWS and Microsoft have developed European-specific offerings, such as AWS’s European Sovereign Cloud, which while physically isolated, still remain under US jurisdiction, illustrating the ongoing tension between operational separation and legal sovereignty.

“SecNumCloud is a government qualification, not just a private certification, which commits the French state to the security and sovereignty of the service.”

— Anssi representative

Amazon

European cloud service provider security certifications

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Certification Adoption and Impact

It remains unclear how widely the 24% ownership rule will influence global cloud provider strategies beyond France, especially as US companies seek ways to comply through joint ventures or control arrangements. The long-term impact on market competition and provider offerings is still developing, and the full legal implications of sovereignty certifications are yet to be tested in courts.

Additionally, the extent to which these frameworks will be adopted across other European countries and sectors, or whether new rules will emerge, remains uncertain.

Burning Suite - Burn and Copy Software - CD/DVD/Blu-ray - Data, Music, Video - the all-in-one solution for Win 11, 10

Burning Suite – Burn and Copy Software – CD/DVD/Blu-ray – Data, Music, Video – the all-in-one solution for Win 11, 10

Data Loss Prevention – Avoid losing important files by securely backing up your data on CDs, DVDs, or…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Cloud Sovereignty Policies

Expect further adoption of SecNumCloud and similar sovereignty frameworks across Europe, especially among public-sector and critical infrastructure providers. Regulatory agencies may refine or expand ownership rules, and US hyperscalers will likely adapt their control structures accordingly.

Legal challenges or clarifications regarding jurisdiction and sovereignty are anticipated, which could influence certification standards and provider compliance strategies. Monitoring the evolution of these policies over the next year will be essential for understanding their full impact.

Amazon

cloud security certification for sensitive data

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the main purpose of the 24% ownership rule?

The 24% ownership rule is designed to limit foreign control over cloud providers hosting sensitive European data, ensuring legal sovereignty and reducing jurisdictional risks.

How does SecNumCloud differ from other security certifications?

Unlike operational security standards like ISO 27001 or BSI C5, SecNumCloud explicitly tests legal sovereignty through ownership control, domicile, and immunity from non-EU law.

Are US cloud providers compliant with SecNumCloud?

Most US providers are not currently eligible for SecNumCloud certification due to ownership and control restrictions, but they may participate via joint ventures or control arrangements that meet the 24% rule.

Will these sovereignty certifications become mandatory across Europe?

They are already mandatory for certain sectors like French public data and are likely to expand in scope, especially under regulations like NIS2, but full European-wide adoption remains to be seen.

What are the potential risks for providers not complying?

Non-compliance could result in losing access to sensitive government contracts, restrictions on hosting critical data, and increased legal and operational risks.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

Employee handbook change digest for small employers

Small employers are testing a new workflow for updating employee handbooks, aiming to simplify compliance amid policy changes.

A woman scammed by her accountant could owe the IRS nearly $330,000 after the Supreme Court refused to take her case

A woman scammed by her accountant faces nearly $330,000 owed to the IRS after the Supreme Court declined to hear her case. Details remain uncertain.

How YouTube TV and DirecTV Stream subscribers can get a payout from Disney’s $50M antitrust settlement

Subscribers of YouTube TV and DirecTV Stream can now claim part of Disney’s $50 million settlement from an antitrust lawsuit, with details on how to do so.

Distributor Agreements: Key Clauses You Should Be Aware Of

Great knowledge of key clauses in distributor agreements can safeguard your business—continue reading to learn what you must know.