📊 Full opportunity report: How The 24% Rule Highlights Flaws In AI Cloud Sovereignty Testing on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership cap in France’s SecNumCloud framework is exposing significant flaws in how AI and cloud providers are tested for legal sovereignty. This development underscores the challenge of ensuring data control and jurisdictional immunity in a globalized cloud ecosystem, raising questions about the effectiveness of current certification standards.
The 24% ownership threshold in France’s SecNumCloud framework is now serving as a key measure of legal sovereignty for cloud providers operating within the European Union. This rule, which limits foreign ownership to 24%, is exposing fundamental limitations in current certification approaches used to assess jurisdictional immunity, raising questions about whether certifications alone can guarantee sovereignty in a global cloud environment.
France’s SecNumCloud, created by ANSSI, is a government-backed qualification that assesses providers on technical, organizational, operational, and legal criteria. Unlike typical security certifications, it explicitly tests ownership and control through a simple arithmetic rule: foreign entities must hold less than 24% of voting rights. This ownership cap is designed to ensure legal sovereignty by preventing foreign control that could expose data to extraterritorial laws, such as the CLOUD Act.
As of mid-2026, only about ten providers, including OVHcloud and Outscale, have secured an active SecNumCloud qualification, which is mandatory for hosting sensitive French public-sector data. The rule’s simplicity—checking ownership percentages—makes it a unique, quantifiable measure of sovereignty, unlike traditional certifications that focus on security practices.
However, the framework’s reliance on ownership limits does not address other sovereignty concerns, such as jurisdictional immunity or legal reach, which remain complex and contested. US-based hyperscalers like AWS still operate within the EU but are subject to US law, despite holding certifications like C5 attestations that demonstrate security controls but not legal immunity.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Rule for Cloud Sovereignty
The introduction of the 24% ownership cap as a sovereignty test highlights a fundamental challenge: certifications that focus solely on security practices do not guarantee legal control over data. This exposes a gap in current frameworks, potentially allowing providers to meet security standards while remaining subject to extraterritorial laws. For European regulators and enterprises, this raises critical questions about the effectiveness of existing sovereignty testing and the need for more comprehensive measures.
For vendors, especially US-based hyperscalers, the rule incentivizes structural changes—such as joint ventures with European firms—to meet sovereignty criteria without relinquishing control. This could reshape how cloud services are structured and marketed across Europe, emphasizing ownership and control over mere compliance.
Ultimately, the 24% rule underscores the importance of ownership structure in sovereignty testing, but also reveals that current certification standards may fall short of ensuring true legal immunity, prompting calls for more robust, multi-layered approaches.
cloud sovereignty certification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background on Sovereignty Testing and Certification Frameworks
Traditional cloud security certifications like ISO 27001, SOC 2, and BSI C5 primarily assess security practices, such as access controls, encryption, and incident management. They do not address legal jurisdiction or control, which are critical for sovereignty. The French SecNumCloud framework, introduced in 2016 and now on version 3.2, is unique in explicitly testing ownership and control.
SecNumCloud’s ownership rule—limiting foreign voting rights to 24%—is a straightforward, arithmetic approach to sovereignty. It is complemented by other legal requirements like EU data residency and immunity from non-EU extraterritorial laws. However, the framework does not prevent providers from being subject to foreign laws if ownership remains below the threshold, leading to potential sovereignty gaps.
Meanwhile, German C5 certifications focus on controls and transparency regarding jurisdiction but do not guarantee immunity from legal reach. US hyperscalers, despite holding security attestations, remain under US jurisdiction, prompting European regulators to explore structural workarounds like joint ventures that meet the ownership criteria.
“Achieving ISO 27001 is a 1 on the complexity scale, but SecNumCloud is a 10—it’s a much more demanding and prescriptive framework.”
— Scalingo CEO

Healthcare Information Privacy and Security: Regulatory Compliance and Data Security in the Age of Electronic Health Records
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About Sovereignty and Certification Effectiveness
It remains unclear how effectively the 24% ownership rule will prevent foreign legal influence, especially given the complexity of jurisdictional immunity and extraterritorial laws. There is also uncertainty about whether other frameworks, such as EU-wide regulations or future certifications, will address these gaps comprehensively. The long-term impact of structural workarounds, like joint ventures, on sovereignty remains to be seen, and regulators are still debating the best approaches to enforce sovereignty in a globalized cloud environment.
ownership verification tools for cloud providers
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Sovereignty Testing and Regulatory Development
Expect continued refinement of sovereignty frameworks, with regulators possibly adopting more comprehensive criteria beyond ownership caps. European authorities may increase scrutiny of joint ventures and control structures, aiming to tighten sovereignty enforcement. Additionally, more providers are likely to pursue SecNumCloud qualifications to meet national mandates, while US hyperscalers explore structural adjustments to comply with sovereignty rules without relinquishing control. Ongoing debates will shape the future landscape of cloud sovereignty testing and certification standards.

AI/ML Definitive Guide: Architecture, Models, Big Data, Deployment, Open-Source Tools, Cloud Services, MLOps, LLMs, Gen AI
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Does holding a SecNumCloud qualification guarantee legal sovereignty?
No, it primarily tests control and compliance with specific security and legal criteria, but does not automatically guarantee immunity from foreign laws or jurisdictional influence.
Why is the 24% ownership rule considered important?
It provides a clear, quantifiable measure of ownership control, intended to prevent foreign entities from exerting undue legal influence over cloud providers operating in Europe.
Can US hyperscalers meet the sovereignty requirements?
They can attempt to meet ownership caps through structural arrangements like joint ventures, but remain subject to US law unless they restructure control in compliance with the rule.
What are the limitations of current sovereignty testing frameworks?
They often focus on control and security practices but may not fully address legal immunity, jurisdictional reach, or extraterritorial laws, leaving sovereignty gaps.
How might European regulators improve sovereignty assessments?
Future approaches could include more nuanced legal criteria, stricter control requirements, or enforceable legal immunity measures beyond simple ownership caps.
Source: ThorstenMeyerAI.com