📊 Full opportunity report: AI And Sovereignty: Why The 24% Rule Suggests Certification Gaps on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The French SecNumCloud framework uses a 24% ownership cap to enforce legal sovereignty over cloud providers. This rule exposes certification gaps, especially for foreign-owned providers, raising questions about data control and jurisdiction. The development highlights the limits of existing security certifications in ensuring legal sovereignty.
French cybersecurity authorities have introduced a 24% ownership control rule as part of the SecNumCloud qualification, a government-backed standard that enforces legal sovereignty for cloud providers handling sensitive public-sector data. This development underscores a critical gap in existing certifications, which focus on security practices but do not address jurisdictional control.
The SecNumCloud framework, managed by ANSSI, requires providers to meet over 360 criteria, including EU data residency, audited key custody, and immunity from non-EU extraterritorial laws. Its unique feature is the ownership cap—no individual or group outside the EU can hold more than 24% of voting rights—aimed at ensuring European legal sovereignty.
Currently, about nine to ten providers hold an active SecNumCloud qualification, including OVHcloud and Scaleway, with others in the pipeline. The regulation makes it mandatory for hosting certain sensitive French public data and is likely to expand to critical sectors like health, energy, and finance under broader EU directives.
In contrast, certifications like ISO 27001 or BSI C5 certify security practices but do not address legal control or jurisdiction, leaving gaps for foreign-owned providers operating within the EU market.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Rule for Data Sovereignty
The 24% ownership threshold introduces a clear, arithmetic measure of ownership control that directly impacts legal jurisdiction over cloud services. It aims to prevent foreign governments from exerting influence through ownership stakes, thus strengthening European data sovereignty.
This approach reveals a fundamental limitation: current security certifications do not account for ownership control. As a result, providers with foreign parent companies can still technically meet security standards but remain subject to extraterritorial laws like the CLOUD Act. The rule effectively creates a new layer of sovereignty, but its success depends on widespread adoption and compliance.
For European regulators and public-sector entities, this could mean a shift toward prioritizing ownership and control metrics over traditional security certifications, influencing procurement decisions and cloud architecture strategies.
EU cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The Role of Certifications and Legal Control in Cloud Security
Existing certifications such as ISO 27001 and BSI C5 focus on security practices—access controls, encryption, incident response—but do not address jurisdictional control. Meanwhile, frameworks like SecNumCloud, introduced by France’s ANSSI, incorporate legal sovereignty through specific requirements, notably the ownership cap.
Historically, cloud providers like AWS have obtained multiple security attestations but remain subject to US laws, including the CLOUD Act. The introduction of the 24% rule aims to bridge the gap between security practice and legal control, but it is a novel measure that challenges traditional certification paradigms.
US hyperscalers have responded by restructuring ownership—such as Thales and Capgemini controlling operations—to meet the ownership threshold, thus maintaining access to the EU market while avoiding sovereignty conflicts.
“SecNumCloud is designed to ensure that providers operating within France meet strict legal and security standards, including ownership control.”
— ANSSI spokesperson
AI security compliance tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About Certification Efficacy and Enforcement
It remains unclear how broadly the ownership cap will be enforced across the EU, especially outside France. The long-term impact on foreign providers and whether this will lead to significant market shifts are still developing questions.
Additionally, the effectiveness of the rule in preventing foreign government influence depends on compliance and transparency, which are challenging to verify uniformly. There is also uncertainty about how other EU countries will adopt or adapt similar sovereignty measures.
cloud data jurisdiction compliance
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Adoption and Regulatory Evolution
Expect continued implementation of the ownership threshold in France, with increasing pressure on foreign providers to restructure ownership or withdraw from certain sectors. The EU may consider harmonizing sovereignty standards, potentially adopting similar caps or controls.
Regulatory authorities are likely to monitor compliance closely, and legal challenges or clarifications could shape future policy. Meanwhile, providers will need to evaluate their ownership structures and control mechanisms to remain compliant.
cybersecurity audit software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the significance of the 24% ownership rule?
The 24% ownership rule is a legal sovereignty measure that limits foreign control over cloud providers, aiming to prevent foreign governments from exerting influence through ownership stakes, thus strengthening European jurisdiction over data.
Does certification guarantee legal sovereignty?
No. Certifications like ISO 27001 or BSI C5 verify security practices but do not address ownership or jurisdiction. The SecNumCloud framework introduces ownership controls as a supplement to security standards.
How are foreign providers responding to the ownership cap?
Some providers are restructuring ownership, such as Thales and Capgemini controlling operations, to meet the 24% threshold, thus maintaining market access while complying with sovereignty requirements.
Will the 24% rule be adopted outside France?
It is uncertain. While France is leading with this measure, other EU countries may consider similar controls, but widespread adoption depends on regulatory consensus and market dynamics.
Source: ThorstenMeyerAI.com