📊 Full opportunity report: How The 24% Rule Reveals Gaps In AI Sovereignty Testing Processes on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership threshold used in France’s SecNumCloud framework exposes critical gaps in assessing AI sovereignty. While certifications demonstrate security practices, they do not guarantee legal control, raising questions about true sovereignty in AI services.

The 24% ownership cap in France’s SecNumCloud framework is revealing significant gaps in how European authorities test AI sovereignty, especially regarding control over data and legal jurisdiction. This threshold, which limits foreign ownership to 24%, is the only publicly known measure that directly tests ultimate control, making it a critical benchmark for sovereignty assessments. Its implications challenge the adequacy of current certification schemes in guaranteeing legal sovereignty over AI services.

SecNumCloud, created by France’s national cybersecurity agency ANSSI, incorporates a unique sovereignty test: no single foreign entity can hold more than 24% ownership in a provider. This arithmetic cap is designed to ensure legal control remains within the EU, specifically to prevent non-EU laws from compelling access to data. As of mid-2026, roughly nine providers, including OVHcloud and Dassault’s Outscale, hold active SecNumCloud qualifications, which are mandatory for hosting sensitive French public-sector data. However, the framework’s focus on ownership control reveals a fundamental distinction: certifications like ISO 27001, SOC 2, or BSI C5 primarily verify security practices, not legal jurisdiction or control. While these certifications confirm operational security measures, they do not address who ultimately controls the data or the service, nor do they prevent extraterritorial legal claims.

Major US-based hyperscalers like AWS and Google, despite possessing certifications and regional data centers, remain subject to US law, including the CLOUD Act. To address this, some providers have adopted the joint-venture approach, such as Thales–Google’s S3NS, where operational control is held by a European entity, and ownership is kept below the 24% threshold. This workaround allows foreign companies to meet sovereignty requirements without relinquishing control, but it raises questions about the effectiveness of the ownership rule as a comprehensive sovereignty measure.

At a glance
reportWhen: developing as of mid-2026
The developmentThe 24% ownership rule in France’s SecNumCloud framework uncovers fundamental limitations in current AI sovereignty testing processes, revealing gaps between security certifications and legal control.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for AI Sovereignty

The 24% ownership rule is a blunt but crucial measure because it directly tests control over data and legal jurisdiction, which are central to sovereignty. Its application demonstrates that current certification schemes, while effective at verifying security practices, do not fully address legal sovereignty issues. This gap is especially significant as European regulators seek to ensure AI and cloud services are not subject to non-EU laws, such as the CLOUD Act. The reliance on ownership thresholds and control arrangements highlights the need for more comprehensive sovereignty assessments beyond operational security, impacting how AI providers structure their ownership and control models in Europe.

For European public and private sectors, this means that certifications alone are insufficient to guarantee sovereignty. They must also scrutinize ownership structures and control arrangements, especially when working with foreign or US-based providers. The 24% rule exemplifies this shift toward controlling legal and operational sovereignty, but its limitations suggest that a more nuanced, multi-layered approach is necessary to truly safeguard data and AI services within the EU.

Amazon

AI sovereignty testing tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Testing and Certification Limitations

European efforts to ensure AI sovereignty have historically relied on security certifications like ISO 27001, SOC 2, and BSI C5, which verify operational security but do not address legal jurisdiction. France’s SecNumCloud, introduced in 2016 and now in its third version, is unique in explicitly testing sovereignty through a control on ownership: no foreign entity can hold more than 24% ownership in a provider. This threshold is designed to prevent non-EU laws from compelling access to data, addressing a key sovereignty concern that certifications do not cover.

However, the framework’s focus on ownership as arithmetic rather than control as a legal or operational concept exposes gaps. US hyperscalers like AWS and Google, despite compliance with European standards and certifications, remain subject to US laws. To circumvent this, providers have created control arrangements, such as joint ventures, to meet the ownership cap while maintaining operational control. This approach reveals that current sovereignty testing methods are limited, as they primarily verify operational security rather than enforce legal sovereignty.

“Achieving SecNumCloud is extremely challenging because it requires not only security controls but also complex ownership and control arrangements.”

— A provider executive involved in compliance

Amazon

data control and security certifications

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Sovereignty Testing Effectiveness

It remains unclear how comprehensive and enforceable the 24% ownership rule will be in practice, especially as providers develop control structures to bypass the threshold. The long-term effectiveness of this approach in ensuring true legal sovereignty over AI services is still uncertain. Additionally, the broader implications for other frameworks and whether additional measures will be adopted to address control and jurisdiction remain to be seen.

Amazon

cloud security compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in AI Sovereignty Verification

Moving forward, European regulators are likely to refine sovereignty testing frameworks, possibly incorporating more nuanced control and jurisdiction assessments. The adoption of control arrangements like joint ventures indicates a trend toward complex ownership models designed to meet sovereignty criteria. Monitoring how regulators respond to these strategies and whether new standards emerge will be critical in shaping the future landscape of AI sovereignty testing and certification.

Amazon

European AI data sovereignty solutions

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why is the 24% ownership cap important for AI sovereignty?

The 24% ownership cap directly tests whether a foreign entity can exert legal control over a provider, which is central to sovereignty. It aims to prevent non-EU laws from compelling access to data by limiting foreign ownership.

No. Certifications like ISO 27001, SOC 2, and BSI C5 primarily verify operational security practices. They do not address legal jurisdiction or control, which are crucial for sovereignty.

How are foreign providers meeting sovereignty requirements despite US laws?

Many adopt control arrangements such as joint ventures or ownership structures that keep foreign ownership below 24%, while operational control remains within European entities, to comply with sovereignty rules.

Will the 24% rule be sufficient to ensure sovereignty?

It is uncertain. While effective as an arithmetic control, it does not fully address legal jurisdiction or operational control complexities, which may require additional measures.

What are the implications for AI providers in Europe?

Providers must carefully structure ownership and control arrangements to meet sovereignty requirements, recognizing that security certifications alone are insufficient to guarantee legal sovereignty over AI services.

Source: ThorstenMeyerAI.com

You May Also Like

Data Sharing Policies: Balancing Openness and Confidentiality

Balancing openness and confidentiality in data sharing policies is vital; discover practical strategies to protect privacy while promoting transparency.

The referral. How AI search severs the content-for-traffic contract that funded the open web.

AI search now answers queries directly, ending the traditional referral traffic for publishers, threatening their revenue model.

Academic Integrity in Homework Help: Finding the Line

Offering essential tips, “Academic Integrity in Homework Help: Finding the Line” reveals how to seek assistance ethically and confidently.

Die Finanziellen Vor- Und Nachteile: Forge Oder Self-Hosting Für KI?

Analyse der finanziellen Vor- und Nachteile von Forge-Plattformen und Self-Hosting bei KI-Modelleinsätzen, basierend auf aktuellen Marktdaten.