📊 Full opportunity report: How Most AI 'Sovereign' Certifications Fall Short, Explained By The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

Most AI and cloud security certifications focus on practices but do not address legal sovereignty. France’s SecNumCloud introduces a unique ownership rule limiting foreign control to 24%, highlighting gaps in existing certifications.

Most existing AI and cloud security certifications do not address the key legal sovereignty question: can a foreign government compel access to data? France’s SecNumCloud certification stands out by introducing a specific ownership threshold—24%—that tests control and sovereignty directly. This development matters because it highlights a critical gap in current certifications, which mainly verify security practices but not jurisdictional control.

While certifications like ISO 27001, SOC 2, and BSI C5 verify operational security controls—such as access management, encryption, and incident response—they do not address legal sovereignty or jurisdictional immunity. These standards confirm that a provider operates securely but do not prevent foreign laws from compelling data access, especially for providers outside the EU.

In contrast, France’s SecNumCloud qualification, created by ANSSI, explicitly incorporates a sovereignty test: ownership and voting rights held by non-EU entities must not exceed 24% individually or 39% collectively. This arithmetic cap is a direct, checkable measure of control, not just a policy or control implementation. Achieving this level of control is extremely complex—scalingo’s CEO describes it as a ’10’ on a 1-to-10 difficulty scale, compared to ISO 27001’s ‘1.’

Currently, about nine to ten providers have SecNumCloud certification, including OVHcloud and Outscale, with more in the pipeline. This certification is mandatory for hosting sensitive French public-sector data and is being pushed for broader critical infrastructure sectors.

At a glance
analysisWhen: developing; ongoing adoption and debate…
The developmentThe article explains why most AI sovereignty certifications are insufficient, emphasizing the significance of the 24% ownership rule in France’s SecNumCloud framework.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Control Limit for Cloud Sovereignty

This ownership cap fundamentally shifts the discussion from security practices to legal sovereignty. It ensures that providers cannot be controlled by outside actors beyond a strict threshold, reducing the risk of foreign governments gaining access through ownership structures. For European public and private sectors, this enhances data sovereignty and compliance with EU laws, especially amid increasing geopolitical tensions and extraterritorial legal claims.

However, it also exposes the limitations of traditional certifications, which do not address jurisdictional immunity, leaving gaps for providers that hold multiple certifications but remain under foreign jurisdiction. The 24% rule thus introduces a new standard for sovereignty, which could influence procurement and regulatory policies across Europe and beyond.

Amazon

AI sovereignty certification compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Limitations of Existing Certifications in Addressing Sovereignty

Most security standards—ISO 27001, SOC 2, BSI C5—focus on operational security controls, assessing whether providers run data centers and processes securely. They do not evaluate ownership, jurisdiction, or legal control, which are critical for sovereignty. For example, BSI C5 includes controls on jurisdiction disclosures but does not require immunity from non-EU laws, meaning providers can still be subject to laws like the US CLOUD Act.

French SecNumCloud, introduced in 2016 and now in its third version, diverges by requiring legal sovereignty measures—EU domicile, data storage, audited key custody, and the ownership cap—making it a qualification backed by government standing, not just an audit opinion. This shift reflects a broader recognition that security controls alone are insufficient for sovereignty.

US hyperscalers, unable to meet the ownership threshold directly, have created joint ventures and control structures that comply with the 24% rule, effectively circumventing the limitations of existing certifications while maintaining US jurisdictional ties.

“The 24% ownership rule is the only test that directly measures control and sovereignty, not just security practices.”

— Thorsten Meyer

Burning Suite - Burn and Copy Software - CD/DVD/Blu-ray - Data, Music, Video - the all-in-one solution for Win 11, 10

Burning Suite – Burn and Copy Software – CD/DVD/Blu-ray – Data, Music, Video – the all-in-one solution for Win 11, 10

Data Loss Prevention – Avoid losing important files by securely backing up your data on CDs, DVDs, or…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About Implementation and Adoption

It is still unclear how widely the 24% ownership rule will be adopted outside France or how other European countries might incorporate similar measures. The actual enforcement and compliance process for joint ventures or control structures designed to meet the threshold remain complex and untested at scale. Additionally, how this framework interacts with global legal standards and whether it will influence international cloud procurement policies is still evolving.

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in Sovereignty Certification Standards

Expect further adoption of SecNumCloud among European providers, especially those handling sensitive data. Regulatory bodies may develop similar sovereignty tests, and international discussions could emerge on integrating ownership controls into global standards. Monitoring how US and non-EU providers adapt control structures to meet sovereignty thresholds will be key in the coming months and years.

Amazon

Secure cloud hosting services France

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What exactly is the 24% ownership rule?

The 24% ownership rule limits the individual ownership stake of non-EU entities in a provider to no more than 24%, or 39% collectively, as a direct measure of control and sovereignty.

Does a certification like C5 or ISO 27001 guarantee sovereignty?

No. These standards verify operational security practices but do not address jurisdictional control or immunity from foreign laws. SecNumCloud’s ownership rule is designed specifically to address sovereignty.

Why is achieving SecNumCloud certification so difficult?

Because it requires complex ownership and control structures to stay within the 24% threshold, which involves intricate legal, corporate, and operational arrangements, making it significantly more challenging than traditional security standards.

Will this ownership rule impact US cloud providers?

Yes. US providers seeking to meet French and broader European sovereignty standards must restructure control and ownership, often via joint ventures or control arrangements, to comply with the 24% cap.

Source: ThorstenMeyerAI.com

You May Also Like

Data processing agreement tracker for micro SaaS teams

A new DPA tracker for founder-led micro SaaS teams is being tested to streamline vendor and customer data paperwork, addressing compliance needs early in sales.

Data Residency: What Startups Need to Know

Having a clear understanding of data residency laws is crucial for startups to ensure compliance and avoid costly consequences—discover what you need to know.

Micro-Cut vs Cross-Cut Shredders: Which Security Level Fits Your Office?

Getting the right shredder depends on your security needs and workflow, but which option truly offers the best protection for your office?

Continuous Compliance Monitoring Tools

Optimize your compliance efforts with continuous monitoring tools that provide real-time insights—discover how they can transform your approach today.