📊 Full opportunity report: How The 24% Rule Reveals Gaps In AI Sovereignty Testing Processes on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership threshold used in France’s SecNumCloud framework exposes critical gaps in assessing AI sovereignty. While certifications demonstrate security practices, they do not guarantee legal control, raising questions about true sovereignty in AI services.
The 24% ownership cap in France’s SecNumCloud framework is revealing significant gaps in how European authorities test AI sovereignty, especially regarding control over data and legal jurisdiction. This threshold, which limits foreign ownership to 24%, is the only publicly known measure that directly tests ultimate control, making it a critical benchmark for sovereignty assessments. Its implications challenge the adequacy of current certification schemes in guaranteeing legal sovereignty over AI services.
SecNumCloud, created by France’s national cybersecurity agency ANSSI, incorporates a unique sovereignty test: no single foreign entity can hold more than 24% ownership in a provider. This arithmetic cap is designed to ensure legal control remains within the EU, specifically to prevent non-EU laws from compelling access to data. As of mid-2026, roughly nine providers, including OVHcloud and Dassault’s Outscale, hold active SecNumCloud qualifications, which are mandatory for hosting sensitive French public-sector data. However, the framework’s focus on ownership control reveals a fundamental distinction: certifications like ISO 27001, SOC 2, or BSI C5 primarily verify security practices, not legal jurisdiction or control. While these certifications confirm operational security measures, they do not address who ultimately controls the data or the service, nor do they prevent extraterritorial legal claims.
Major US-based hyperscalers like AWS and Google, despite possessing certifications and regional data centers, remain subject to US law, including the CLOUD Act. To address this, some providers have adopted the joint-venture approach, such as Thales–Google’s S3NS, where operational control is held by a European entity, and ownership is kept below the 24% threshold. This workaround allows foreign companies to meet sovereignty requirements without relinquishing control, but it raises questions about the effectiveness of the ownership rule as a comprehensive sovereignty measure.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for AI Sovereignty
The 24% ownership rule is a blunt but crucial measure because it directly tests control over data and legal jurisdiction, which are central to sovereignty. Its application demonstrates that current certification schemes, while effective at verifying security practices, do not fully address legal sovereignty issues. This gap is especially significant as European regulators seek to ensure AI and cloud services are not subject to non-EU laws, such as the CLOUD Act. The reliance on ownership thresholds and control arrangements highlights the need for more comprehensive sovereignty assessments beyond operational security, impacting how AI providers structure their ownership and control models in Europe.
For European public and private sectors, this means that certifications alone are insufficient to guarantee sovereignty. They must also scrutinize ownership structures and control arrangements, especially when working with foreign or US-based providers. The 24% rule exemplifies this shift toward controlling legal and operational sovereignty, but its limitations suggest that a more nuanced, multi-layered approach is necessary to truly safeguard data and AI services within the EU.
AI sovereignty testing tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Sovereignty Testing and Certification Limitations
European efforts to ensure AI sovereignty have historically relied on security certifications like ISO 27001, SOC 2, and BSI C5, which verify operational security but do not address legal jurisdiction. France’s SecNumCloud, introduced in 2016 and now in its third version, is unique in explicitly testing sovereignty through a control on ownership: no foreign entity can hold more than 24% ownership in a provider. This threshold is designed to prevent non-EU laws from compelling access to data, addressing a key sovereignty concern that certifications do not cover.
However, the framework’s focus on ownership as arithmetic rather than control as a legal or operational concept exposes gaps. US hyperscalers like AWS and Google, despite compliance with European standards and certifications, remain subject to US laws. To circumvent this, providers have created control arrangements, such as joint ventures, to meet the ownership cap while maintaining operational control. This approach reveals that current sovereignty testing methods are limited, as they primarily verify operational security rather than enforce legal sovereignty.
“Achieving SecNumCloud is extremely challenging because it requires not only security controls but also complex ownership and control arrangements.”
— A provider executive involved in compliance
data control and security certifications
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About Sovereignty Testing Effectiveness
It remains unclear how comprehensive and enforceable the 24% ownership rule will be in practice, especially as providers develop control structures to bypass the threshold. The long-term effectiveness of this approach in ensuring true legal sovereignty over AI services is still uncertain. Additionally, the broader implications for other frameworks and whether additional measures will be adopted to address control and jurisdiction remain to be seen.
cloud security compliance software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Future Developments in AI Sovereignty Verification
Moving forward, European regulators are likely to refine sovereignty testing frameworks, possibly incorporating more nuanced control and jurisdiction assessments. The adoption of control arrangements like joint ventures indicates a trend toward complex ownership models designed to meet sovereignty criteria. Monitoring how regulators respond to these strategies and whether new standards emerge will be critical in shaping the future landscape of AI sovereignty testing and certification.
European AI data sovereignty solutions
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Why is the 24% ownership cap important for AI sovereignty?
The 24% ownership cap directly tests whether a foreign entity can exert legal control over a provider, which is central to sovereignty. It aims to prevent non-EU laws from compelling access to data by limiting foreign ownership.
Do current certifications guarantee legal sovereignty?
No. Certifications like ISO 27001, SOC 2, and BSI C5 primarily verify operational security practices. They do not address legal jurisdiction or control, which are crucial for sovereignty.
How are foreign providers meeting sovereignty requirements despite US laws?
Many adopt control arrangements such as joint ventures or ownership structures that keep foreign ownership below 24%, while operational control remains within European entities, to comply with sovereignty rules.
Will the 24% rule be sufficient to ensure sovereignty?
It is uncertain. While effective as an arithmetic control, it does not fully address legal jurisdiction or operational control complexities, which may require additional measures.
What are the implications for AI providers in Europe?
Providers must carefully structure ownership and control arrangements to meet sovereignty requirements, recognizing that security certifications alone are insufficient to guarantee legal sovereignty over AI services.
Source: ThorstenMeyerAI.com