AI Cloud Sovereignty Certifications And The 24% Rule: A Critical Assessment

📊 Full opportunity report: AI Cloud Sovereignty Certifications And The 24% Rule: A Critical Assessment on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European security frameworks like SecNumCloud and C5 establish sovereignty criteria for AI cloud providers. The 24% ownership rule is central to legal control, impacting US and non-EU companies operating in Europe. This article assesses what is confirmed, what remains uncertain, and why it matters.

European cybersecurity standards for AI cloud providers now include a specific ownership threshold — the 24% rule — which directly tests legal sovereignty over data. This development is crucial for companies operating in Europe, especially foreign firms, as it determines control and legal compliance within the EU.

SecNumCloud, managed by France’s ANSSI, is a government-backed qualification that enforces strict sovereignty requirements, including the ownership cap of 24% for non-EU controlling interests. It also mandates EU data storage, legal domicile, and immunity from non-EU extraterritorial laws. As of mid-2026, about ten providers hold active SecNumCloud qualifications, including OVHcloud and Dassault’s Outscale, with more in progress.

In contrast, the German BSI C5 certification, which is a security controls attestation rather than sovereignty test, requires providers to disclose jurisdiction but does not restrict ownership or control. Both frameworks address jurisdiction but differ fundamentally: C5 discloses, SecNumCloud restricts ownership to ensure sovereignty. Notably, US hyperscalers like AWS, despite holding C5 attestations, remain subject to US law, illustrating the limits of security certifications in establishing sovereignty.

To circumvent restrictions, US firms have adopted joint ventures and control-sharing arrangements, such as Thales and Google’s S3NS, which comply with the 24% ownership rule while maintaining operational control within the EU. These structures highlight the importance of ownership thresholds over mere compliance badges.

At a glance
analysisWhen: developing as of mid-2026
The developmentThe article examines the significance of the 24% ownership rule within European AI cloud sovereignty certifications and its impact on data control and legal jurisdiction.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Control

The 24% ownership rule fundamentally shifts how sovereignty is measured in European AI cloud services. It emphasizes ownership and control over security practices alone, affecting foreign companies’ ability to operate freely within the EU without risking legal exposure under non-EU laws like the CLOUD Act. This development could reshape the landscape of cloud providers, favoring those with EU-controlled ownership structures and potentially limiting US-based hyperscalers’ market access.

For European regulators and businesses, the rule offers a clearer legal framework to ensure data sovereignty, especially for sensitive sectors like health, energy, and finance. It also raises questions about the future of US cloud giants in Europe, as compliance may require complex ownership restructuring or joint ventures, potentially affecting cost, flexibility, and market competition.

Amazon

European AI cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and Their Legal Foundations

The concept of sovereignty in European cloud standards has evolved from traditional security controls to include legal jurisdiction and ownership. SecNumCloud, introduced in 2016 and updated to version 3.2, is a government-issued qualification that enforces EU domicile, data storage, and immunity from non-EU laws, with the 24% ownership limit as a core test of sovereignty. It is mandatory for hosting sensitive French public sector data and is being extended to critical infrastructure sectors.

Meanwhile, the German C5 standard, developed by BSI, is a mature security controls scheme that requires disclosure of jurisdiction but does not restrict ownership, making it less effective as a sovereignty measure. US hyperscalers like AWS, despite C5 attestations, remain under US jurisdiction, illustrating that certification alone does not guarantee sovereignty. The recent emergence of joint ventures and control-sharing structures signifies a strategic adaptation by non-EU companies to meet the ownership threshold.

“The 24% ownership rule is the most direct test of sovereignty, expressed as a simple arithmetic check on control, not just security practice.”

— Thorsten Meyer

Amazon

cloud security compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Sovereignty Enforcement

While the 24% ownership rule is clear in principle, it remains uncertain how strictly regulators will enforce it across different sectors and providers. The impact of joint ventures and control-sharing arrangements on sovereignty compliance is still being evaluated, and there is no comprehensive legal precedent yet. Additionally, the potential for legal challenges or loopholes to undermine the rule’s effectiveness remains an open question.

Amazon

data sovereignty compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in European Cloud Sovereignty Developments

Regulators are expected to publish further guidance on implementing and enforcing the ownership threshold. More providers will seek SecNumCloud certification or develop compliant joint ventures, especially as the European Union expands its sovereignty initiatives. The evolution of legal challenges and industry adaptations will shape the future landscape of cloud sovereignty, with ongoing debate about the balance between security, control, and market access.

Amazon

EU cloud data control solutions

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What does the 24% ownership rule mean for foreign cloud providers in Europe?

The 24% rule limits non-EU ownership and control, requiring foreign providers to restructure ownership or form joint ventures to operate legally within the EU while maintaining sovereignty over data.

How does SecNumCloud differ from other certifications like ISO 27001 or C5?

SecNumCloud is a government-backed qualification that enforces legal sovereignty, including ownership restrictions, data location, and immunity from non-EU laws. ISO 27001 and C5 primarily certify security practices without explicitly addressing sovereignty or ownership control.

Can US hyperscalers meet the sovereignty requirements in Europe?

US hyperscalers can attempt to meet sovereignty standards through joint ventures and control-sharing arrangements that comply with the 24% ownership cap, but they remain subject to US jurisdiction unless they restructure ownership and control explicitly within the EU framework.

Will the 24% rule prevent US companies from operating in Europe?

Not necessarily; US companies can still operate by establishing EU-controlled entities or joint ventures that meet the ownership threshold, but this may involve significant restructuring and compliance costs.

Source: ThorstenMeyerAI.com

You May Also Like

Build, Rent, Or Quantize: Cutting Your Memory Bill Without Cutting Capability

Exploring how AI developers can cut memory expenses through building, renting, or quantizing models, with a focus on the latest techniques and their implications.

Forezai · Polybot: When the AI Disagrees With the Odds

Polybot, an open-source AI trading experiment, tests when and how an AI can diverge from prediction market prices, highlighting risks and insights.

After the Paycheck: The Book I Wrote Because Nobody Else Would Tell the Truth About AI and Your Income

Author Thorsten Meyer releases ‘After the Paycheck,’ analyzing how AI transforms labor, ownership, and economic security amid shifting ownership of automation.

Sovereignty Is a Pipe, Not a Passport

Mistral’s model highlights that sovereignty depends on data flow infrastructure, not just company nationality, exposing limits of EU data protections under US law.