📊 Full opportunity report: Are AI Sovereignty Certifications Genuine? The 24% Rule Says Otherwise on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European sovereignty standards like SecNumCloud include a strict ownership cap of 24%, questioning whether certifications truly guarantee legal sovereignty. This affects providers and users in regulated industries.

European security standards for cloud and AI services now include a legal ownership cap of 24%, a rule that directly tests sovereignty by limiting foreign control. This rule is part of the SecNumCloud framework, created by France’s national cybersecurity agency, ANSSI, and is already impacting providers operating within the EU. The development raises questions about whether certifications alone can guarantee legal sovereignty or if ownership restrictions are the true measure.

SecNumCloud, established in 2016 and now at version 3.2, is a qualification rather than a traditional certification, issued after an audit by PASSI-accredited evaluators. It emphasizes legal sovereignty by requiring providers to have EU domicile, EU-only data storage, and immunity from non-EU extraterritorial laws. The key criterion is the ownership cap of 24%, which limits the share of voting rights held by non-EU entities, effectively controlling foreign influence over providers.

As of mid-2026, about ten providers, including OVHcloud and Outscale, have secured an active SecNumCloud qualification, with others in the pipeline. The rule is mandatory for hosting sensitive French public-sector data and is being pushed for broader applications across vital sectors under EU directives like NIS2. Notably, US-based hyperscalers like AWS remain subject to US law, even if they hold European certifications, because certifications do not alter jurisdictional control.

At a glance
reportWhen: developing as of mid-2026
The developmentEuropean cybersecurity framework SecNumCloud enforces a 24% foreign ownership limit to ensure legal sovereignty, raising questions about the authenticity of AI sovereignty certifications.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for AI Sovereignty

The 24% ownership rule fundamentally challenges the assumption that security certifications alone establish legal sovereignty. It makes clear that ownership control and jurisdiction are decisive factors, especially for organizations in regulated sectors. This impacts how companies evaluate their cloud and AI providers, emphasizing ownership structure over certification badges. For European regulators and clients, the rule underscores the importance of ownership transparency and jurisdictional immunity, shaping future procurement and compliance strategies.

Amazon

European cybersecurity compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and Certification Limits

Traditional security standards like ISO 27001, SOC 2, and BSI C5 focus on security practices—access controls, encryption, incident response—without addressing jurisdictional control. In contrast, France’s SecNumCloud explicitly incorporates sovereignty criteria, including the ownership cap, to ensure providers are not under foreign legal influence. US providers, despite holding European certifications, remain subject to US laws such as the CLOUD Act, unless ownership restrictions are enforced.

The introduction of the 24% rule is a response to the need for true sovereignty in sensitive sectors, as the EU pushes for more control over data and AI infrastructure within its borders. This marks a significant shift from purely technical compliance to legal and ownership control, influencing procurement policies across Europe.

Amazon

AI sovereignty certification tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About Certification Authenticity and Implementation

It is still unclear how many providers will be able to meet the 24% ownership threshold in practice, given the complexity of ownership structures. Additionally, questions remain about how this rule will be enforced globally, especially for multinational companies with diverse ownership arrangements. The long-term impact on US-based hyperscalers and their European operations is also uncertain, as they must adapt control structures to comply.

Amazon

cloud security audit software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Providers and Regulators in Sovereignty Enforcement

Providers aiming for SecNumCloud qualification will need to reassess ownership structures, potentially restructuring control to stay within the 24% limit. Regulators are expected to tighten oversight and expand the rule’s scope, possibly extending it to other sectors and jurisdictions. Monitoring how providers adapt and whether new ownership arrangements emerge will be key to understanding the future landscape of AI sovereignty in Europe.

Amazon

data sovereignty compliance solutions

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

No, certifications like ISO 27001 or C5 focus on security practices. They do not alter jurisdictional control or ownership structure, which are critical for sovereignty.

What is the significance of the 24% ownership limit?

The 24% rule limits foreign control over providers, ensuring legal sovereignty by preventing non-EU entities from holding majority voting rights.

Can US-based cloud providers meet the sovereignty rules?

While they can hold certifications, US providers remain subject to US law unless they restructure ownership to comply with the 24% cap, which is complex and challenging.

Will the 24% rule affect non-European cloud providers?

Yes, any provider wishing to qualify under SecNumCloud or similar frameworks will need to ensure ownership control within the specified limits to demonstrate sovereignty.

Is the ownership rule legally binding?

Yes, as part of the SecNumCloud qualification issued by ANSSI, the 24% ownership cap is a legal requirement for providers seeking certification within France and potentially broader EU applications.

Source: ThorstenMeyerAI.com

You May Also Like

AMD expands its Ryzen 9000 PRO lineup with six new SKUs, now featuring 3D V-Cache for the first time — new workstation CPUs have up to 170W TDPs, available with OEMs later this year

AMD expands its Ryzen 9000 PRO lineup with six new SKUs, including models with 3D V-Cache and higher TDPs, aimed at workstation users.

Why Enclosed Laser Engravers Are Easier to Live With

An enclosed laser engraver offers safer, cleaner operation with less maintenance, but there’s more to discover about why they are easier to live with.

3D Printing Vs CNC Machining for Prototyping

Want to discover which prototyping method—3D printing or CNC machining—best suits your project’s needs and why it matters?

Pink Printers Taking Over? See Why This Craze Is Exploding

Discover why pink printers are capturing hearts and transforming workspaces, but could there be hidden downsides to this vibrant trend?