📊 Full opportunity report: Challenging The Validity Of AI Sovereignty Tests With The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership threshold in France’s SecNumCloud framework is under scrutiny, as industry experts debate whether it effectively ensures legal sovereignty. The rule aims to limit foreign control, but its practical impact remains uncertain.

Industry experts and legal analysts are questioning the effectiveness of France’s 24% ownership cap in the SecNumCloud sovereignty framework. The rule, designed to limit foreign control over providers hosting sensitive data in the EU, is now facing scrutiny over whether it genuinely guarantees legal sovereignty. This debate matters because it directly impacts how companies assess data security and jurisdictional risks in European cloud services.

The SecNumCloud framework, created by France’s ANSSI, includes a 24% ownership threshold for non-EU companies, intended to prevent foreign governments from exerting control over cloud providers hosting sensitive French and European data. This ownership cap is expressed as a simple arithmetic limit on voting rights and shareholding, making it a clear and checkable criterion. As of mid-2026, around ten providers, including OVHcloud and Outscale, have obtained this qualification, which is mandatory for hosting certain public sector data in France.

However, critics argue that the ownership rule alone does not address the broader legal sovereignty issues. While the cap limits direct ownership, it does not prevent foreign governments from influencing control through other means, such as contractual arrangements or indirect influence. Furthermore, the rule does not alter the underlying jurisdictional laws—meaning providers could still be subject to extraterritorial laws like the US CLOUD Act, regardless of ownership percentages. Industry insiders emphasize that the rule’s simplicity, while operationally straightforward, may give a false sense of security regarding sovereignty.

At a glance
reportWhen: developing; discussions and critiques h…
The developmentLegal and industry experts are challenging the effectiveness of France’s 24% ownership rule in SecNumCloud, questioning whether it truly guarantees legal sovereignty for cloud providers.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Control Limit for Cloud Sovereignty

The debate over the 24% ownership cap is significant because it challenges the assumption that numerical ownership limits alone can guarantee legal sovereignty. For companies and governments relying on SecNumCloud-certified providers, understanding whether this rule effectively prevents foreign legal influence is crucial. If the ownership cap is insufficient, it could undermine trust in the framework’s ability to protect sensitive data from foreign jurisdictional reach, potentially affecting procurement decisions and international data governance policies.

Amazon

ISO 27001 cybersecurity certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Legal and Technical Foundations of the 24% Rule

The SecNumCloud framework, established by France’s ANSSI in 2016, aims to ensure both security and sovereignty for cloud providers handling sensitive EU data. Unlike typical security certifications like ISO 27001 or C5, SecNumCloud is a qualification backed by government oversight, including legal sovereignty requirements. A key component is the ownership threshold, which restricts foreign control by capping voting rights at 24% individually and 39% collectively. This rule is intended to prevent foreign governments from exerting control via ownership, but it does not address other forms of influence or jurisdictional law, raising questions about its overall effectiveness.

Industry has observed that US-based hyperscalers, such as AWS, remain subject to US law despite obtaining certifications like C5 or participating in sovereignty initiatives through joint ventures that comply with the 24% rule. These arrangements, like Thales-Google S3NS or Capgemini-Orange Bleu, demonstrate attempts to work within the rule’s constraints but do not eliminate legal risks stemming from extraterritorial laws.

“The rule is designed to limit foreign influence, but we recognize that legal jurisdiction remains a complex challenge that no single control can fully resolve.”

— A French government official involved in SecNumCloud

Amazon

European cloud sovereignty compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Effectiveness of the 24% Rule in Ensuring Sovereignty

It is still unclear whether the 24% ownership threshold effectively prevents foreign governments from exerting control or influence over cloud providers. Critics argue that indirect influence, contractual arrangements, or legal jurisdiction laws could undermine sovereignty despite ownership limits. The actual impact of these controls on legal sovereignty remains a subject of ongoing debate and analysis.

Amazon

cloud data security certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Evaluating Sovereignty Controls

Regulators, industry stakeholders, and legal experts are expected to continue scrutinizing the effectiveness of the 24% rule through audits, legal analyses, and real-world case studies. Further developments may include refining the rule, introducing supplementary controls, or revising certification standards to better address jurisdictional risks. Additionally, companies will likely increase transparency around control and influence structures to better assess sovereignty risks in their cloud providers.

Amazon

data sovereignty compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

No, the rule limits ownership but does not eliminate other forms of influence or jurisdictional risks. Legal sovereignty depends on multiple factors beyond ownership percentages.

Can foreign governments still influence providers with less than 24% ownership?

Yes, influence can occur through contractual arrangements, indirect control, or legal jurisdiction laws, which are not addressed solely by the ownership cap.

Why is the ownership threshold expressed as a percentage?

It provides a clear, arithmetic, and checkable control limit, making compliance straightforward for providers and auditors.

Are US-based hyperscalers eligible for SecNumCloud?

Generally no, because US companies are subject to US laws like the CLOUD Act. They can participate through joint ventures that comply with the ownership rules, but full sovereignty is more complex.

What are the implications for companies hosting sensitive data in France?

They must ensure their providers meet the sovereignty standards, including ownership and legal controls, to comply with French regulations and avoid jurisdictional risks.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

6 Best Regulatory Change Management Software of 2025 – Streamline Compliance Effortlessly

Keen to stay ahead of evolving regulations? Discover the top regulatory change management software of 2025 to simplify compliance effortlessly.

15 Best Safety Data Sheet Binders for Organized and Secure Storage

Protect your workplace with the 15 best SDS binders designed for ultimate organization and security—discover which options will keep your hazard info easily accessible.

Merchant of Record vs. Payment Facilitator: Legal Considerations

I need to understand how choosing between a Merchant of Record and a Payment Facilitator impacts your legal responsibilities and risks—continue reading to find out more.

Navigating Anti-Money Laundering (AML) Regulations

Just understanding AML regulations is only the beginning—discover the key steps to stay compliant and protect your organization from financial crimes.