Are AI Sovereignty Certifications Reliable? The 24% Rule Provides Clues

📊 Full opportunity report: Are AI Sovereignty Certifications Reliable? The 24% Rule Provides Clues on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule in France’s SecNumCloud framework offers a tangible measure of legal sovereignty for cloud providers. While certifications like SecNumCloud and C5 attest to security practices, they do not guarantee immunity from jurisdictional laws. The reliability of these certifications in ensuring sovereignty remains a key question.

French cybersecurity authorities have implemented a unique sovereignty test for cloud providers: the 24% ownership rule. This rule is part of the SecNumCloud qualification, which verifies not only security practices but also legal control over data, making it a critical benchmark for European data sovereignty.

SecNumCloud, managed by France’s ANSSI, is a government-issued qualification that combines rigorous security requirements with legal sovereignty measures. Unlike typical certifications, it explicitly tests ownership and control by limiting foreign ownership to 24% per entity and 39% collectively. This arithmetic-based rule is designed to prevent foreign governments from exerting control over data hosted within the EU.

As of mid-2026, around nine to ten providers, including OVHcloud, Outscale, and Scaleway, hold an active SecNumCloud qualification. The framework is mandatory for hosting sensitive French public-sector data and is being extended to critical infrastructure sectors, such as energy and finance, under France’s Cloud au Centre doctrine.

In contrast, certifications like BSI C5, while demonstrating security controls, do not address jurisdictional sovereignty directly. C5 requires disclosure of jurisdiction but does not impose immunity from foreign laws, meaning providers with US parent companies still face residual CLOUD Act risks.

US hyperscalers like AWS, Microsoft, and Google have adapted by creating separate, EU-based entities with controlled ownership structures to meet the 24% rule, such as Thales-Google S3NS and Capgemini-Orange Bleu ventures. These arrangements aim to comply with sovereignty requirements without relinquishing control.

At a glance
analysisWhen: developing, as of mid-2026
The developmentThe article examines the effectiveness of AI sovereignty certifications, especially the 24% ownership rule, in certifying legal control over data and infrastructure.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Rule for European Cloud Sovereignty

The 24% ownership threshold provides a clear, arithmetic measure of legal sovereignty, making it a practical tool for assessing control over data and infrastructure within the EU. This approach shifts the focus from security controls alone to ownership and jurisdiction, which are critical for compliance with European data laws and for safeguarding against foreign legal interference.

For organizations operating in regulated sectors, these certifications influence procurement decisions, as they impact data sovereignty and legal risk. The rule’s strictness underscores the challenge US-based providers face in meeting European sovereignty standards without restructuring ownership or control mechanisms.

Amazon

AI sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Frameworks and the Shift Toward Legal Sovereignty Testing

Traditional security certifications like ISO 27001, SOC 2, and BSI C5 mainly attest to security practices and operational controls. They do not address jurisdictional sovereignty directly. In contrast, France’s SecNumCloud, created in 2016 and now in version 3.2, introduces a legal sovereignty dimension by requiring EU domicile, EU-only data storage, and a maximum foreign ownership threshold of 24% per entity.

The framework is part of a broader European effort to establish independent, sovereign cloud infrastructure, especially for sensitive public data. The requirement for government-backed qualifications, issued after rigorous audits, aims to prevent foreign legal influence over data stored within the EU.

While US hyperscalers have sought to adapt through joint ventures and controlled ownership structures, the sovereignty test remains a significant hurdle, highlighting the tension between operational security standards and legal jurisdiction.

“The 24% ownership rule is the only practical, arithmetic test of sovereignty in the European cloud landscape, offering a tangible measure of control over foreign influence.”

— Thorsten Meyer

Security Architecture for Hybrid Cloud: A Practical Method for Designing Security Using Zero Trust Principles

Security Architecture for Hybrid Cloud: A Practical Method for Designing Security Using Zero Trust Principles

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About Certification Reliability and Enforcement

While the 24% rule offers a concrete measure of ownership control, it remains unclear how effectively it prevents foreign governments from exerting influence, especially through complex ownership structures or indirect control. The long-term enforcement and compliance monitoring of these rules are still evolving, and the impact on US hyperscalers adapting their structures is not fully known.

Additionally, the broader acceptance of these sovereignty measures outside France and Europe, and their influence on global cloud procurement practices, are still developing areas of debate and policy evolution.

Amazon

data sovereignty compliance solutions

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Cloud Sovereignty Standards

Expect further refinement of the ownership and sovereignty criteria, potentially expanding beyond the current 24% cap. As more providers seek SecNumCloud qualification, the framework’s influence will grow, possibly leading to broader adoption across Europe.

Regulatory bodies may also introduce additional measures to enforce compliance and transparency, including stricter audits and international cooperation to monitor ownership structures. The ongoing evolution of US hyperscaler strategies, such as joint ventures and local entities, will be closely watched to assess their effectiveness in meeting sovereignty standards.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the significance of the 24% ownership rule?

The 24% ownership rule is a tangible, arithmetic measure of legal sovereignty, preventing foreign governments from exerting control over EU-hosted data by limiting individual foreign ownership stakes.

Does certification guarantee immunity from foreign laws?

No. Certifications like SecNumCloud and C5 demonstrate security controls and disclose jurisdiction, but they do not eliminate legal risks such as the CLOUD Act or other extraterritorial laws.

Can US hyperscalers meet European sovereignty standards?

Yes, US providers can comply by restructuring ownership and control through joint ventures or EU-based entities, but they remain subject to US laws unless they meet the strict ownership thresholds and control criteria.

Is SecNumCloud mandatory for all cloud providers in Europe?

SecNumCloud is mandatory for hosting sensitive French public-sector data and is being extended to critical infrastructure sectors, but it is not yet universally required across all European countries.

How does C5 differ from SecNumCloud?

C5 certifies control and operational security but does not address jurisdictional sovereignty directly. SecNumCloud explicitly tests ownership and legal control, including the 24% ownership cap.

Source: ThorstenMeyerAI.com

You May Also Like

Social Engineering Attacks: Why Humans Are the Weakest Link

Acknowledge how social engineering exploits human psychology, making us the weakest link in cybersecurity—learn how to spot and prevent these manipulative attacks.

The Frameworks Can’t See the Thing That Matters: A Year of AI-Enabled Cyber Threats

Anthropic mapped 832 banned accounts to MITRE ATT&CK and found technique counts no longer track AI-enabled cyber risk.

Palantir has hired more than 30 senior UK Government officials

Palantir has employed more than 30 senior UK government and public sector officials over the past decade, raising transparency and conflict-of-interest concerns.

The Cyber Arms Race: Nations in Digital Warfare

Sparking a global surge in digital warfare, the cyber arms race reveals how nations vie for dominance, shaping the future of global security.