📊 Full opportunity report: The 24% Rule And Its Role In Shaping AI Sovereignty Certification Standards on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule, part of France’s SecNumCloud framework, enforces ownership restrictions to ensure legal sovereignty over cloud and AI services. This development shapes European AI certification standards and controls foreign influence.

The 24% ownership rule is a key component of France’s SecNumCloud framework, which requires providers to have less than 24% ownership by non-EU entities to qualify for sovereignty certification. This rule is now influencing European AI and cloud service standards, aiming to ensure legal sovereignty and data control over foreign-controlled providers.

SecNumCloud, created by France’s ANSSI in 2016, is not a traditional certification but a government-issued qualification that verifies compliance with strict security and sovereignty criteria. The ownership cap of 24% is the defining feature, designed to prevent foreign legal jurisdictions from exerting influence over critical services. As of mid-2026, about nine providers, including OVHcloud and Outscale, hold active SecNumCloud qualifications, with more in the pipeline.

US-based hyperscalers like AWS and Microsoft have adapted by creating joint ventures where control is shifted to European entities, thus meeting the ownership threshold. For example, Thales and Google’s S3NS and Capgemini with Orange’s Bleu are operating within these rules, with control held by European firms despite US parentage. These arrangements exemplify how the 24% rule is shaping provider strategies and certification standards across Europe.

At a glance
reportWhen: developing as of mid-2026, with active…
The developmentThe 24% ownership cap in France’s SecNumCloud framework is actively shaping AI sovereignty certification standards across Europe.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

How the 24% Ownership Cap Shapes European AI Control

The 24% ownership rule directly impacts the structure of AI and cloud service providers in Europe, emphasizing legal sovereignty over mere security practices. It limits foreign influence, ensuring data remains under European jurisdiction, which is crucial for sensitive sectors like health, energy, and finance. This regulation could set a precedent for broader AI sovereignty standards, influencing global data governance and international tech competition.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background on European Sovereignty Certification Frameworks

The concept of sovereignty in cloud and AI services gained prominence with frameworks like France’s SecNumCloud and Germany’s BSI C5. SecNumCloud, issued by ANSSI, emphasizes legal control through ownership restrictions, data location, and immunity from non-EU law. BSI C5, developed by Germany’s BSI, focuses on security controls and transparency about jurisdiction but does not restrict ownership directly. As European regulators seek to reduce dependency on US tech giants, these frameworks are becoming central to procurement and strategic planning.

The 24% rule is a distinctive feature of SecNumCloud, introduced to prevent foreign control and ensure legal sovereignty. It has already influenced provider strategies, with joint ventures designed to meet the ownership threshold while maintaining operational control within Europe.

“SecNumCloud is designed to ensure that critical cloud services in France are under European control, with ownership caps serving as a clear boundary.”

— ANSSI representative

Amazon

AI sovereignty compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Long-Term Implications for Global AI Standards

It remains unclear how broadly the 24% ownership rule will influence international AI certification standards beyond Europe. While it is shaping provider strategies within France and neighboring countries, whether similar ownership restrictions will become a global norm or influence international agreements is still uncertain. Additionally, the full impact on US and other non-European providers adapting control structures is evolving and may face legal or political challenges.

Amazon

ownership structure analysis software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in European AI Sovereignty Certification Development

Regulators are expected to expand the adoption of ownership-based sovereignty standards across Europe, particularly targeting critical infrastructure sectors. More providers are likely to seek SecNumCloud qualification or develop similar control structures to meet sovereignty requirements. International discussions on data sovereignty and AI regulation are also anticipated to influence the evolution of these standards, potentially leading to broader global frameworks by 2028.

Amazon

cybersecurity certification for cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule?

The 24% ownership rule restricts non-EU ownership in providers seeking SecNumCloud qualification, ensuring no single non-EU entity holds more than 24% of voting rights, thereby safeguarding European legal sovereignty over critical services.

How does the 24% rule affect US tech companies?

US tech companies must create joint ventures or control structures that limit foreign ownership to under 24%, often by shifting control to European entities, to qualify for European sovereignty certifications like SecNumCloud.

Is the 24% rule legally binding?

Yes, it is a mandatory requirement for SecNumCloud qualification, backed by government authority, and is part of France’s legal framework for critical infrastructure security.

Will this rule influence global AI standards?

It is uncertain. While it currently shapes European provider strategies, whether similar ownership restrictions will become a global norm remains to be seen, with ongoing international policy discussions likely to influence future standards.

What are the main differences between SecNumCloud and C5?

SecNumCloud emphasizes ownership control, legal sovereignty, and data location, while C5 focuses on security controls and transparency about jurisdiction without restricting ownership levels directly.

Source: ThorstenMeyerAI.com

You May Also Like

Memory Stopped Being a Commodity

Micron’s new long-term contracts signal a fundamental change in memory market dynamics, with buyers pre-funding capacity and memory no longer a pure commodity.

Cloud’s Hidden Memory Bill

Rising memory costs in cloud infrastructure are hidden in billing adjustments, prompting re-evaluation of cloud vs. on-premises strategies amid shortages.

The Skills Marketplace Nobody Is Building Yet

A new open standard for AI skills has emerged, but a dedicated marketplace remains absent. This gap could shape the future of AI infrastructure and value capture.

Why Stablecoins Might Replace Bank Savings Accounts Within a Decade

Looming financial shifts suggest stablecoins could soon replace traditional savings accounts, but what factors are driving this potential change?