📊 Full opportunity report: The 24% Rule And Its Impact On AI Cloud Sovereignty Claims on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership limit in France’s SecNumCloud framework enforces legal sovereignty by restricting foreign control over cloud providers. This impacts how AI cloud services are governed and their jurisdictional claims, with US hyperscalers adapting through joint ventures.

France’s national cybersecurity agency, ANSSI, enforces a 24% ownership cap on foreign-controlled companies seeking the SecNumCloud qualification, a move that directly impacts claims of AI cloud sovereignty. Learn more about the explosion of AI in sovereignty markets. This regulation aims to ensure legal sovereignty by restricting foreign ownership, marking a significant shift in European cloud governance and sovereignty claims.

SecNumCloud, established by ANSSI in 2016 and now at version 3.2, is a qualification that certifies cloud service providers meet strict security, operational, and legal standards, including EU domicile and EU-only data storage. Discover how sovereignty impacts cloud standards. Its defining feature is the ownership control rule: companies with more than 24% ownership by non-EU entities cannot qualify, effectively limiting foreign influence over critical cloud infrastructure.

As of mid-2026, roughly nine to ten providers hold an active SecNumCloud qualification, including OVHcloud, Outscale, and Scaleway, with more in the pipeline. This regulation is mandatory for hosting sensitive French public-sector data and is expected to extend to vital sectors such as health, energy, and finance under the NIS2 directive. US-based hyperscalers like AWS, Microsoft, and Google have responded by creating joint ventures with European firms, where control is shifted to comply with the ownership cap, exemplified by Thales–Google’s S3NS and Capgemini–Orange’s Bleu. Read about the leading company sale in AI sovereignty markets.

At a glance
reportWhen: developing as of mid-2026
The developmentFrance’s SecNumCloud introduces a 24% ownership cap to enforce legal sovereignty, influencing AI cloud providers’ control structures and sovereignty claims.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap on Cloud Control

The 24% ownership rule fundamentally alters how foreign cloud providers can claim sovereignty within Europe, emphasizing ownership control over mere security certifications. It pushes US tech giants to restructure control through joint ventures, potentially affecting data sovereignty and jurisdictional authority. This regulation signals a shift towards legal sovereignty as a key criterion for cloud service control, impacting international cloud strategies and sovereignty claims across Europe.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Frameworks and the Rise of Legal Sovereignty

European cloud sovereignty efforts have historically focused on security standards like ISO 27001, SOC 2, and BSI C5, which certify security practices but do not address legal jurisdiction. The SecNumCloud framework introduces a legal sovereignty dimension, requiring providers to demonstrate EU domicile and immunity from extraterritorial laws. The 24% ownership rule is a unique feature, designed to prevent foreign control and ensure compliance with EU sovereignty principles. This approach contrasts with traditional security certifications, which do not address ownership or jurisdictional control.

“SecNumCloud is designed to guarantee that providers under its scope are truly under EU control, both legally and operationally.”

— ANSSI spokesperson

Amazon

SecNumCloud compliant cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Aspects of the 24% Ownership Enforcement

It remains unclear how strictly the 24% ownership cap will be enforced across different types of joint ventures and restructuring efforts, and whether future legal or political challenges could modify or weaken the rule. The long-term impact on existing foreign-controlled providers and their ability to adapt remains to be seen. Additionally, the precise legal mechanisms for verifying ownership and control in practice are still under development.

Amazon

EU data sovereignty cloud services

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Cloud Providers and European Policy

More providers are expected to pursue SecNumCloud certification or establish joint ventures to comply with the 24% ownership rule. Regulatory agencies may refine enforcement procedures, and legal challenges could arise. European policymakers are likely to expand the scope of sovereignty rules, potentially affecting more sectors and providers. Monitoring how US hyperscalers adapt—through restructuring or new partnerships—will be critical in assessing the evolution of cloud sovereignty in Europe.

Amazon

cloud security certification for sensitive data

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule in SecNumCloud?

The 24% ownership rule limits non-EU ownership to 24% per individual and 39% collectively, ensuring providers are under European control to claim legal sovereignty.

How does this rule affect US cloud providers?

US providers must restructure ownership, often through joint ventures where control is shifted to European entities, to qualify under SecNumCloud.

Does certification guarantee sovereignty?

No. Certifications like SecNumCloud demonstrate compliance with security and legal control standards but do not eliminate jurisdictional risks or extraterritorial laws.

Will this rule impact data privacy and security?

Yes, by enforcing ownership control and legal jurisdiction, it aims to strengthen data sovereignty, but it also complicates international cloud operations.

What happens if a provider exceeds the ownership cap?

Such providers would not qualify for SecNumCloud, potentially losing access to certain government contracts and critical sectors requiring compliance.

Source: ThorstenMeyerAI.com

You May Also Like

The Eye Over the City: How Wide-Area Motion Imagery Works — and Where It Goes Blind

An in-depth look at how Wide-Area Motion Imagery (WAMI) works, its capabilities, limitations, and future developments in city-scale surveillance technology.

Canada: The Proof It Didn’t Keep

Canada’s COVID-19 emergency benefit demonstrated the country’s ability to deliver near-universal income support quickly, but efforts to institutionalize it have stalled.