📊 Full opportunity report: Are AI Sovereignty Certifications Reliable? The 24% Rule Provides Clues on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership rule in France’s SecNumCloud framework offers a tangible measure of legal sovereignty for cloud providers. While certifications like SecNumCloud and C5 attest to security practices, they do not guarantee immunity from jurisdictional laws. The reliability of these certifications in ensuring sovereignty remains a key question.
French cybersecurity authorities have implemented a unique sovereignty test for cloud providers: the 24% ownership rule. This rule is part of the SecNumCloud qualification, which verifies not only security practices but also legal control over data, making it a critical benchmark for European data sovereignty.
SecNumCloud, managed by France’s ANSSI, is a government-issued qualification that combines rigorous security requirements with legal sovereignty measures. Unlike typical certifications, it explicitly tests ownership and control by limiting foreign ownership to 24% per entity and 39% collectively. This arithmetic-based rule is designed to prevent foreign governments from exerting control over data hosted within the EU.
As of mid-2026, around nine to ten providers, including OVHcloud, Outscale, and Scaleway, hold an active SecNumCloud qualification. The framework is mandatory for hosting sensitive French public-sector data and is being extended to critical infrastructure sectors, such as energy and finance, under France’s Cloud au Centre doctrine.
In contrast, certifications like BSI C5, while demonstrating security controls, do not address jurisdictional sovereignty directly. C5 requires disclosure of jurisdiction but does not impose immunity from foreign laws, meaning providers with US parent companies still face residual CLOUD Act risks.
US hyperscalers like AWS, Microsoft, and Google have adapted by creating separate, EU-based entities with controlled ownership structures to meet the 24% rule, such as Thales-Google S3NS and Capgemini-Orange Bleu ventures. These arrangements aim to comply with sovereignty requirements without relinquishing control.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Rule for European Cloud Sovereignty
The 24% ownership threshold provides a clear, arithmetic measure of legal sovereignty, making it a practical tool for assessing control over data and infrastructure within the EU. This approach shifts the focus from security controls alone to ownership and jurisdiction, which are critical for compliance with European data laws and for safeguarding against foreign legal interference.
For organizations operating in regulated sectors, these certifications influence procurement decisions, as they impact data sovereignty and legal risk. The rule’s strictness underscores the challenge US-based providers face in meeting European sovereignty standards without restructuring ownership or control mechanisms.
AI sovereignty certification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Frameworks and the Shift Toward Legal Sovereignty Testing
Traditional security certifications like ISO 27001, SOC 2, and BSI C5 mainly attest to security practices and operational controls. They do not address jurisdictional sovereignty directly. In contrast, France’s SecNumCloud, created in 2016 and now in version 3.2, introduces a legal sovereignty dimension by requiring EU domicile, EU-only data storage, and a maximum foreign ownership threshold of 24% per entity.
The framework is part of a broader European effort to establish independent, sovereign cloud infrastructure, especially for sensitive public data. The requirement for government-backed qualifications, issued after rigorous audits, aims to prevent foreign legal influence over data stored within the EU.
While US hyperscalers have sought to adapt through joint ventures and controlled ownership structures, the sovereignty test remains a significant hurdle, highlighting the tension between operational security standards and legal jurisdiction.
“The 24% ownership rule is the only practical, arithmetic test of sovereignty in the European cloud landscape, offering a tangible measure of control over foreign influence.”
— Thorsten Meyer

Security Architecture for Hybrid Cloud: A Practical Method for Designing Security Using Zero Trust Principles
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Remaining Questions About Certification Reliability and Enforcement
While the 24% rule offers a concrete measure of ownership control, it remains unclear how effectively it prevents foreign governments from exerting influence, especially through complex ownership structures or indirect control. The long-term enforcement and compliance monitoring of these rules are still evolving, and the impact on US hyperscalers adapting their structures is not fully known.
Additionally, the broader acceptance of these sovereignty measures outside France and Europe, and their influence on global cloud procurement practices, are still developing areas of debate and policy evolution.
data sovereignty compliance solutions
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Future Developments in European Cloud Sovereignty Standards
Expect further refinement of the ownership and sovereignty criteria, potentially expanding beyond the current 24% cap. As more providers seek SecNumCloud qualification, the framework’s influence will grow, possibly leading to broader adoption across Europe.
Regulatory bodies may also introduce additional measures to enforce compliance and transparency, including stricter audits and international cooperation to monitor ownership structures. The ongoing evolution of US hyperscaler strategies, such as joint ventures and local entities, will be closely watched to assess their effectiveness in meeting sovereignty standards.
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the significance of the 24% ownership rule?
The 24% ownership rule is a tangible, arithmetic measure of legal sovereignty, preventing foreign governments from exerting control over EU-hosted data by limiting individual foreign ownership stakes.
Does certification guarantee immunity from foreign laws?
No. Certifications like SecNumCloud and C5 demonstrate security controls and disclose jurisdiction, but they do not eliminate legal risks such as the CLOUD Act or other extraterritorial laws.
Can US hyperscalers meet European sovereignty standards?
Yes, US providers can comply by restructuring ownership and control through joint ventures or EU-based entities, but they remain subject to US laws unless they meet the strict ownership thresholds and control criteria.
Is SecNumCloud mandatory for all cloud providers in Europe?
SecNumCloud is mandatory for hosting sensitive French public-sector data and is being extended to critical infrastructure sectors, but it is not yet universally required across all European countries.
How does C5 differ from SecNumCloud?
C5 certifies control and operational security but does not address jurisdictional sovereignty directly. SecNumCloud explicitly tests ownership and legal control, including the 24% ownership cap.
Source: ThorstenMeyerAI.com