📊 Full opportunity report: The 24% Rule: Why Most “Sovereign Cloud” Certifications Don’t Test Sovereignty on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
Most cloud certifications focus on security practices and operational controls, not legal sovereignty. The 24% ownership cap in France’s SecNumCloud is the key test for sovereignty, but US hyperscalers adapt control structures to meet it. This distinction impacts data jurisdiction and legal protections.
European cloud standards such as France’s SecNumCloud include a unique ownership cap of 24% that directly tests legal sovereignty. This rule is the only certification criterion that addresses whether a foreign government can compel access to data, making it a critical factor for organizations handling sensitive data in Europe. While many certifications focus on security practices, this ownership rule fundamentally determines jurisdictional control.
SecNumCloud, created by France’s ANSSI, is not a typical certification but a government-backed qualification that enforces strict legal sovereignty requirements. It mandates EU domicile, data storage within the EU, audited key custody, and immunity from non-EU extraterritorial laws. The core test is the ownership threshold: companies with more than 24% ownership from non-EU entities cannot qualify. This arithmetic control is designed to prevent foreign governments from exerting legal influence over cloud providers.
Despite the strict sovereignty criteria, US-based hyperscalers like AWS can still participate by restructuring control. They create joint ventures where control is held by non-US entities, such as Thales or Capgemini, effectively circumventing the ownership cap. These arrangements allow US companies to meet sovereignty standards without changing their legal jurisdiction, highlighting a loophole in the certification’s intent.
Currently, roughly nine to ten providers hold an active SecNumCloud qualification, including OVHcloud and Scaleway, with more in the pipeline. Under French law, SecNumCloud is mandatory for hosting sensitive public-sector data, and its influence is expected to grow as regulators extend sovereignty requirements to vital sectors.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for Cloud Sovereignty
The 24% ownership rule fundamentally defines legal sovereignty in European cloud standards. It prevents non-EU control but can be technically bypassed through control restructuring, which raises questions about the effectiveness of certification as a sovereignty guarantee. For organizations, this means that certifications alone do not guarantee immunity from foreign legal influence, especially when US companies adapt their control structures. The distinction between security practice certifications and ownership control is critical for compliance and risk management in sensitive sectors.
This development underscores the importance of understanding the actual legal and jurisdictional implications behind certifications, moving beyond surface-level badges to the underlying control mechanisms. It also signals a shift toward more nuanced sovereignty standards that could influence global cloud procurement and regulation.
European sovereign cloud certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Sovereign Cloud Standards and Control Loopholes
European countries have been developing sovereignty standards to protect data from foreign legal reach, especially in sensitive sectors like health, finance, and energy. France’s SecNumCloud, introduced in 2016 and now in version 3.2, is the most comprehensive, with a focus on legal sovereignty through the ownership cap. Germany’s BSI C5, established in 2016, emphasizes security controls and transparency about jurisdiction but does not impose an ownership limit.
While certifications like ISO 27001 and SOC 2 focus on security practices, they do not address jurisdictional control. The key difference is that SecNumCloud’s arithmetic ownership rule is a direct test of sovereignty, making it unique among European standards. US hyperscalers, unable to meet the ownership threshold directly, have created joint ventures with non-US entities to maintain control while complying with the rule.
As of mid-2026, the landscape includes providers like OVHcloud and Scaleway with active qualifications, and US companies are adapting control structures to participate in the European sovereign cloud market without relinquishing US jurisdiction.
“The 24% ownership cap is the only sovereignty test that matters. It’s an arithmetic control, not a policy or security measure.”
— Thorsten Meyer
Unresolved Questions About Control Restructuring Loopholes
While the control restructuring approach allows US hyperscalers to meet the ownership cap indirectly, it remains unclear how regulators will monitor or enforce the true extent of control. The long-term effectiveness of the 24% rule in preventing foreign influence is still under debate, and legal challenges could emerge as more providers adopt these structures. Additionally, the impact of evolving EU and national regulations on these arrangements is uncertain.
Future Developments in Sovereignty Certification Standards
Regulators are likely to refine sovereignty standards, possibly introducing more direct control assessments or tightening ownership limits. The European Commission and national authorities may also scrutinize joint ventures and control structures more closely, closing loopholes. The adoption of sovereignty standards is expected to expand beyond France, influencing procurement policies across Europe and potentially prompting US companies to develop new compliance strategies. Monitoring how these standards evolve will be critical for providers and organizations handling sensitive data.
Key Questions
What does the 24% ownership rule mean for foreign cloud providers?
The 24% ownership rule limits non-EU control over providers seeking sovereignty certification, effectively preventing foreign governments from exerting legal influence through ownership stakes. US hyperscalers can meet this by creating control structures with non-US entities, but this raises questions about actual sovereignty.
Does a certification guarantee legal sovereignty?
Not necessarily. Certifications like SecNumCloud focus on operational security and control, but the key sovereignty test is the ownership cap. Meeting the 24% threshold does not automatically prevent legal influence if control is restructured through joint ventures or control arrangements.
Are US hyperscalers barred from European sovereign cloud standards?
US hyperscalers are not outright barred; they participate by restructuring control through joint ventures with non-US entities to meet ownership thresholds, but this approach may not fully address sovereignty concerns.
Will the ownership control approach be effective long-term?
It remains uncertain. Regulators may tighten rules or increase oversight, potentially closing loopholes. The ongoing evolution of sovereignty standards will determine how effective control restructuring remains as a compliance strategy.
Source: ThorstenMeyerAI.com