The 24% Rule: Why Most “Sovereign Cloud” Certifications Don’t Test Sovereignty

📊 Full opportunity report: The 24% Rule: Why Most “Sovereign Cloud” Certifications Don’t Test Sovereignty on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

Most cloud certifications focus on security practices and operational controls, not legal sovereignty. The 24% ownership cap in France’s SecNumCloud is the key test for sovereignty, but US hyperscalers adapt control structures to meet it. This distinction impacts data jurisdiction and legal protections.

European cloud standards such as France’s SecNumCloud include a unique ownership cap of 24% that directly tests legal sovereignty. This rule is the only certification criterion that addresses whether a foreign government can compel access to data, making it a critical factor for organizations handling sensitive data in Europe. While many certifications focus on security practices, this ownership rule fundamentally determines jurisdictional control.

SecNumCloud, created by France’s ANSSI, is not a typical certification but a government-backed qualification that enforces strict legal sovereignty requirements. It mandates EU domicile, data storage within the EU, audited key custody, and immunity from non-EU extraterritorial laws. The core test is the ownership threshold: companies with more than 24% ownership from non-EU entities cannot qualify. This arithmetic control is designed to prevent foreign governments from exerting legal influence over cloud providers.

Despite the strict sovereignty criteria, US-based hyperscalers like AWS can still participate by restructuring control. They create joint ventures where control is held by non-US entities, such as Thales or Capgemini, effectively circumventing the ownership cap. These arrangements allow US companies to meet sovereignty standards without changing their legal jurisdiction, highlighting a loophole in the certification’s intent.

Currently, roughly nine to ten providers hold an active SecNumCloud qualification, including OVHcloud and Scaleway, with more in the pipeline. Under French law, SecNumCloud is mandatory for hosting sensitive public-sector data, and its influence is expected to grow as regulators extend sovereignty requirements to vital sectors.

At a glance
analysisWhen: developing as of mid-2026, with ongoing…
The developmentThe article explains how the 24% ownership rule in French sovereign cloud standards is the only test for legal sovereignty, revealing many certifications do not address jurisdictional control.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Sovereignty

The 24% ownership rule fundamentally defines legal sovereignty in European cloud standards. It prevents non-EU control but can be technically bypassed through control restructuring, which raises questions about the effectiveness of certification as a sovereignty guarantee. For organizations, this means that certifications alone do not guarantee immunity from foreign legal influence, especially when US companies adapt their control structures. The distinction between security practice certifications and ownership control is critical for compliance and risk management in sensitive sectors.

This development underscores the importance of understanding the actual legal and jurisdictional implications behind certifications, moving beyond surface-level badges to the underlying control mechanisms. It also signals a shift toward more nuanced sovereignty standards that could influence global cloud procurement and regulation.

Amazon

European sovereign cloud certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereign Cloud Standards and Control Loopholes

European countries have been developing sovereignty standards to protect data from foreign legal reach, especially in sensitive sectors like health, finance, and energy. France’s SecNumCloud, introduced in 2016 and now in version 3.2, is the most comprehensive, with a focus on legal sovereignty through the ownership cap. Germany’s BSI C5, established in 2016, emphasizes security controls and transparency about jurisdiction but does not impose an ownership limit.

While certifications like ISO 27001 and SOC 2 focus on security practices, they do not address jurisdictional control. The key difference is that SecNumCloud’s arithmetic ownership rule is a direct test of sovereignty, making it unique among European standards. US hyperscalers, unable to meet the ownership threshold directly, have created joint ventures with non-US entities to maintain control while complying with the rule.

As of mid-2026, the landscape includes providers like OVHcloud and Scaleway with active qualifications, and US companies are adapting control structures to participate in the European sovereign cloud market without relinquishing US jurisdiction.

“The 24% ownership cap is the only sovereignty test that matters. It’s an arithmetic control, not a policy or security measure.”

— Thorsten Meyer

Unresolved Questions About Control Restructuring Loopholes

While the control restructuring approach allows US hyperscalers to meet the ownership cap indirectly, it remains unclear how regulators will monitor or enforce the true extent of control. The long-term effectiveness of the 24% rule in preventing foreign influence is still under debate, and legal challenges could emerge as more providers adopt these structures. Additionally, the impact of evolving EU and national regulations on these arrangements is uncertain.

Future Developments in Sovereignty Certification Standards

Regulators are likely to refine sovereignty standards, possibly introducing more direct control assessments or tightening ownership limits. The European Commission and national authorities may also scrutinize joint ventures and control structures more closely, closing loopholes. The adoption of sovereignty standards is expected to expand beyond France, influencing procurement policies across Europe and potentially prompting US companies to develop new compliance strategies. Monitoring how these standards evolve will be critical for providers and organizations handling sensitive data.

Key Questions

What does the 24% ownership rule mean for foreign cloud providers?

The 24% ownership rule limits non-EU control over providers seeking sovereignty certification, effectively preventing foreign governments from exerting legal influence through ownership stakes. US hyperscalers can meet this by creating control structures with non-US entities, but this raises questions about actual sovereignty.

Not necessarily. Certifications like SecNumCloud focus on operational security and control, but the key sovereignty test is the ownership cap. Meeting the 24% threshold does not automatically prevent legal influence if control is restructured through joint ventures or control arrangements.

Are US hyperscalers barred from European sovereign cloud standards?

US hyperscalers are not outright barred; they participate by restructuring control through joint ventures with non-US entities to meet ownership thresholds, but this approach may not fully address sovereignty concerns.

Will the ownership control approach be effective long-term?

It remains uncertain. Regulators may tighten rules or increase oversight, potentially closing loopholes. The ongoing evolution of sovereignty standards will determine how effective control restructuring remains as a compliance strategy.

Source: ThorstenMeyerAI.com

You May Also Like

AI Trading Bot — Week Two: The candidate edge collapsed

The promising BTC fair-value strategy lost nearly all its gains, and other approaches failed, leaving the entire fleet in the red after two weeks.

Phone-based injury-risk movement screening for hiring

A new approach using phone cameras and pose estimation aims to screen physical-labor job candidates remotely, potentially reducing injury risks and costs.

10 Best Ultrawide Monitors For Work And Gaming In 2026

Discover the 10 best ultrawide monitors in 2026 for productivity and gaming, including Dell, Samsung, MSI, and more. Updated for current market options.

IdeaNavigator AI: One Evidence-Mined Idea a Day

IdeaNavigator AI now publicly ships one evidence-mined idea per day, transforming complaint analysis into validated software concepts autonomously.