The 24% Rule Explained: What It Means For AI Sovereign Cloud Standards

📊 Full opportunity report: The 24% Rule Explained: What It Means For AI Sovereign Cloud Standards on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule is a key criterion in France’s SecNumCloud framework, limiting foreign control over cloud providers. This impacts sovereignty and compliance in European AI cloud services. The development signals a shift towards stricter control standards for sensitive data.

France’s SecNumCloud framework enforces a 24% ownership cap on non-EU investors for cloud providers seeking government approval, a key development in establishing European cloud sovereignty. This rule directly impacts foreign technology companies operating in Europe, especially U.S.-based giants, by limiting their control over cloud infrastructure hosting sensitive data.

The 24% ownership rule is part of the SecNumCloud qualification, issued by France’s national cybersecurity agency, ANSSI. Unlike typical certifications, SecNumCloud is a qualification backed by government authority, requiring providers to meet strict legal sovereignty criteria, including EU-only data storage, audited key custody, and immunity from non-EU extraterritorial laws.

As of mid-2026, roughly nine to ten providers hold an active SecNumCloud qualification, including OVHcloud, 3DS Outscale, and Scaleway. The rule effectively prevents non-EU companies, particularly U.S. firms, from exerting control exceeding 24% ownership, which is checked through detailed ownership structures and cap tables. This approach aims to ensure European control over critical cloud infrastructure, especially for public sector and sensitive data.

At a glance
reportWhen: ongoing, with current certifications an…
The developmentFrance’s national cybersecurity agency, ANSSI, enforces a 24% ownership cap for cloud providers seeking SecNumCloud qualification, emphasizing sovereignty and legal control over data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Legal Sovereignty and European Cloud Control

The 24% ownership cap signifies a move toward legal sovereignty in European cloud services, emphasizing control over who can influence or access data. It represents a shift from traditional security certifications to ownership and control restrictions, aiming to reduce foreign legal risks, especially from U.S. laws like the CLOUD Act. This development could reshape the landscape for international cloud providers operating in Europe, as they must now navigate ownership limits or establish local control structures.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Regulatory Frameworks and Cloud Sovereignty Efforts

The SecNumCloud framework was introduced by ANSSI in 2016, evolving to version 3.2, and is now central to France’s strategy for secure cloud services. It builds on ISO 27001 but adds mandatory legal sovereignty requirements, including EU data residency and immunity from non-EU laws. The ownership cap is a distinctive feature, designed to enforce sovereignty beyond technical controls.

Other frameworks, such as Germany’s BSI C5, focus on security controls and transparency but do not impose ownership restrictions. The 24% rule is unique in its arithmetic approach, quantifying control limits explicitly, and is now influencing broader EU policies, especially with the push for cloud independence and critical infrastructure security.

“The 24% ownership rule is the clearest measure of sovereignty we’ve seen; it’s not just about security practices but about who ultimately controls the data and infrastructure.”

— Thorsten Meyer, AI compliance expert

Automotive Cybersecurity: ISO 21434 and UNECE WP.29 Guide: A Practical Engineering Reference for Vehicle Cybersecurity Compliance (Software-Defined Vehicle Engineering Series)

Automotive Cybersecurity: ISO 21434 and UNECE WP.29 Guide: A Practical Engineering Reference for Vehicle Cybersecurity Compliance (Software-Defined Vehicle Engineering Series)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Aspects of the 24% Control Limit’s Application

It remains unclear how the 24% ownership cap will be enforced in complex ownership structures, especially for multinational corporations with diverse holdings. The exact mechanisms for auditing and verifying compliance across different jurisdictions are still being developed. Additionally, the impact on U.S. hyperscalers and their ability to adapt control structures is an evolving issue, with some companies creating joint ventures to comply.

Amazon

data sovereignty audit tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Cloud Sovereignty Standards

Expect further regulatory clarification on ownership and control limits, with more providers pursuing SecNumCloud qualification or similar sovereignty standards. The European Union may also introduce broader policies to enforce sovereignty, potentially influencing global cloud strategies. Key milestones include the expansion of SecNumCloud requirements to more sectors and the potential for new legislation tightening control over foreign ownership.

Amazon

cloud ownership structure analysis software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the significance of the 24% ownership cap in SecNumCloud?

The 24% ownership cap limits foreign control over cloud providers, ensuring European sovereignty and reducing legal risks from non-EU laws like the CLOUD Act. It is a core part of the framework’s legal sovereignty requirements.

How does SecNumCloud differ from other security certifications?

Unlike ISO 27001 or SOC 2, which certify security practices, SecNumCloud is a qualification that enforces ownership and control restrictions. It requires compliance with legal sovereignty criteria, including ownership caps and data residency.

Are U.S.-based cloud providers able to qualify for SecNumCloud?

Most U.S. providers cannot qualify directly due to ownership restrictions, but they can establish joint ventures or control structures that meet the 24% ownership limit, as seen with Thales-Google and Capgemini-Orange partnerships.

What are the implications for foreign companies operating in Europe?

Foreign companies must adapt ownership structures or establish local control to comply with the 24% limit, which may involve significant restructuring or joint ventures to meet sovereignty criteria.

Will the 24% rule become a standard across the EU?

While currently specific to France’s SecNumCloud, the rule’s principles are influencing broader EU policies on cloud sovereignty, with potential adoption or adaptation in other member states’ frameworks.

Source: ThorstenMeyerAI.com

You May Also Like

The calendar technicality. Why Elon Musk’s lawsuit against Sam Altman and OpenAI lost on timing, not on substance.

Elon Musk’s lawsuit claiming illegal transfer of charitable assets was dismissed on procedural grounds, leaving underlying legal questions unresolved.

Raw-feed licensing. The contract that doesn’t exist yet.

A new licensing category for downstream AI rewriting lacks an industry-standard contract, creating a structural gap with significant economic and legal implications.

Employee handbook change digest for small employers

Small employers will test a new workflow for updating employee handbooks, aiming to simplify compliance amid policy changes and remote work trends.

Warranty claim packet builder for appliance repair shops

A new workflow tool for independent appliance repair shops aims to streamline warranty claims by prompting for required evidence and exporting claim summaries.