📊 Full opportunity report: The 24% Rule Explained: What It Means For AI Sovereign Cloud Standards on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 24% ownership rule is a key criterion in France’s SecNumCloud framework, limiting foreign control over cloud providers. This impacts sovereignty and compliance in European AI cloud services. The development signals a shift towards stricter control standards for sensitive data.
France’s SecNumCloud framework enforces a 24% ownership cap on non-EU investors for cloud providers seeking government approval, a key development in establishing European cloud sovereignty. This rule directly impacts foreign technology companies operating in Europe, especially U.S.-based giants, by limiting their control over cloud infrastructure hosting sensitive data.
The 24% ownership rule is part of the SecNumCloud qualification, issued by France’s national cybersecurity agency, ANSSI. Unlike typical certifications, SecNumCloud is a qualification backed by government authority, requiring providers to meet strict legal sovereignty criteria, including EU-only data storage, audited key custody, and immunity from non-EU extraterritorial laws.
As of mid-2026, roughly nine to ten providers hold an active SecNumCloud qualification, including OVHcloud, 3DS Outscale, and Scaleway. The rule effectively prevents non-EU companies, particularly U.S. firms, from exerting control exceeding 24% ownership, which is checked through detailed ownership structures and cap tables. This approach aims to ensure European control over critical cloud infrastructure, especially for public sector and sensitive data.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Legal Sovereignty and European Cloud Control
The 24% ownership cap signifies a move toward legal sovereignty in European cloud services, emphasizing control over who can influence or access data. It represents a shift from traditional security certifications to ownership and control restrictions, aiming to reduce foreign legal risks, especially from U.S. laws like the CLOUD Act. This development could reshape the landscape for international cloud providers operating in Europe, as they must now navigate ownership limits or establish local control structures.
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Regulatory Frameworks and Cloud Sovereignty Efforts
The SecNumCloud framework was introduced by ANSSI in 2016, evolving to version 3.2, and is now central to France’s strategy for secure cloud services. It builds on ISO 27001 but adds mandatory legal sovereignty requirements, including EU data residency and immunity from non-EU laws. The ownership cap is a distinctive feature, designed to enforce sovereignty beyond technical controls.
Other frameworks, such as Germany’s BSI C5, focus on security controls and transparency but do not impose ownership restrictions. The 24% rule is unique in its arithmetic approach, quantifying control limits explicitly, and is now influencing broader EU policies, especially with the push for cloud independence and critical infrastructure security.
“The 24% ownership rule is the clearest measure of sovereignty we’ve seen; it’s not just about security practices but about who ultimately controls the data and infrastructure.”
— Thorsten Meyer, AI compliance expert

Automotive Cybersecurity: ISO 21434 and UNECE WP.29 Guide: A Practical Engineering Reference for Vehicle Cybersecurity Compliance (Software-Defined Vehicle Engineering Series)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unclear Aspects of the 24% Control Limit’s Application
It remains unclear how the 24% ownership cap will be enforced in complex ownership structures, especially for multinational corporations with diverse holdings. The exact mechanisms for auditing and verifying compliance across different jurisdictions are still being developed. Additionally, the impact on U.S. hyperscalers and their ability to adapt control structures is an evolving issue, with some companies creating joint ventures to comply.
data sovereignty audit tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Future Developments in European Cloud Sovereignty Standards
Expect further regulatory clarification on ownership and control limits, with more providers pursuing SecNumCloud qualification or similar sovereignty standards. The European Union may also introduce broader policies to enforce sovereignty, potentially influencing global cloud strategies. Key milestones include the expansion of SecNumCloud requirements to more sectors and the potential for new legislation tightening control over foreign ownership.
cloud ownership structure analysis software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the significance of the 24% ownership cap in SecNumCloud?
The 24% ownership cap limits foreign control over cloud providers, ensuring European sovereignty and reducing legal risks from non-EU laws like the CLOUD Act. It is a core part of the framework’s legal sovereignty requirements.
How does SecNumCloud differ from other security certifications?
Unlike ISO 27001 or SOC 2, which certify security practices, SecNumCloud is a qualification that enforces ownership and control restrictions. It requires compliance with legal sovereignty criteria, including ownership caps and data residency.
Are U.S.-based cloud providers able to qualify for SecNumCloud?
Most U.S. providers cannot qualify directly due to ownership restrictions, but they can establish joint ventures or control structures that meet the 24% ownership limit, as seen with Thales-Google and Capgemini-Orange partnerships.
What are the implications for foreign companies operating in Europe?
Foreign companies must adapt ownership structures or establish local control to comply with the 24% limit, which may involve significant restructuring or joint ventures to meet sovereignty criteria.
Will the 24% rule become a standard across the EU?
While currently specific to France’s SecNumCloud, the rule’s principles are influencing broader EU policies on cloud sovereignty, with potential adoption or adaptation in other member states’ frameworks.
Source: ThorstenMeyerAI.com