📊 Full opportunity report: Challenging AI Sovereign Cloud Standards With The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

France’s SecNumCloud introduces a unique sovereignty test based on a 24% ownership cap, challenging US-based cloud providers and reshaping European data governance. This rule emphasizes ownership control over security practices.

France’s national cybersecurity agency ANSSI has implemented a new sovereignty requirement for cloud providers, establishing a strict 24% ownership cap on foreign control. This rule is designed to ensure that providers hosting sensitive European data are under European control and immune from non-EU extraterritorial laws, marking a significant shift in cloud sovereignty standards across Europe.

The SecNumCloud framework, created by ANSSI in 2016 and now in its latest version 3.2, includes a legal sovereignty requirement, which is unique among European standards. It mandates that companies controlling cloud services must have capital and voting rights held by entities based in the EU, with foreign ownership not exceeding 24% individually and 39% collectively. This ownership cap is a straightforward, arithmetic check—unlike traditional security certifications—aimed explicitly at preventing foreign legal reach.

Currently, only around nine or ten providers hold an active SecNumCloud qualification, including OVHcloud, Dassault’s Outscale, and Scaleway, with several more in the pipeline. Under France’s Cloud au Centre doctrine, this standard is mandatory for hosting sensitive public-sector data, and it is being extended to critical infrastructure sectors such as health, energy, finance, and transport. US hyperscalers like AWS, despite their compliance with other certifications such as C5, cannot meet the sovereignty requirement unless they alter ownership structures, which some have done through joint ventures like S3NS and Bleu.

At a glance
reportWhen: developing as of mid-2026
The developmentFrance’s cybersecurity agency ANSSI enforces a sovereignty rule limiting foreign ownership to 24%, impacting cloud providers operating in Europe.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Control

The 24% ownership rule fundamentally shifts how cloud sovereignty is enforced in Europe. It emphasizes ownership control over technical or procedural security measures, compelling foreign providers to restructure ownership to comply. This development challenges US-based cloud giants, who typically operate under American jurisdiction, and could accelerate the emergence of European-controlled cloud services. The rule also signals a move toward legal sovereignty as a key criterion, which could influence future standards and regulations across Europe, affecting global cloud strategies and data governance.

Amazon

European cloud sovereignty compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Cloud Sovereignty and the Role of Certifications

European cloud standards have historically focused on security practices—such as ISO 27001, SOC 2, and BSI C5—which certify operational controls without addressing jurisdictional control. The introduction of SecNumCloud and its ownership cap marks a departure, emphasizing legal sovereignty as a core requirement. The framework’s unique approach, combining technical, legal, and ownership controls, reflects Europe’s broader push for digital sovereignty amid geopolitical tensions and US cloud dominance.

While certifications like C5 attest to control implementations, they do not address legal jurisdiction. Conversely, SecNumCloud’s ownership rule directly targets who controls the data and under which legal system, making it a more comprehensive sovereignty measure. US hyperscalers have responded by creating joint ventures or restructuring ownership to meet the 24% limit, illustrating the rule’s immediate impact on market strategies.

“Our goal is to guarantee that data hosting providers are under European control and immune from non-EU extraterritorial laws.”

— ANSSI spokesperson

Unresolved Questions About Implementation and Impact

It remains unclear how many US or non-EU providers will successfully restructure ownership to comply with the 24% rule. The long-term impact on the availability and competitiveness of cloud services in Europe is still uncertain, as providers may face significant operational and legal challenges in achieving compliance. Additionally, the extent to which this rule will influence future European regulations or inspire similar standards elsewhere is still developing.

Next Steps for Cloud Providers and Regulatory Adoption

Providers aiming for SecNumCloud qualification will continue to adjust ownership structures, potentially through joint ventures or local subsidiaries, to meet the 24% ownership threshold. ANSSI is expected to clarify enforcement timelines and expand the rule’s scope to critical sectors, including health and energy. Meanwhile, legal and industry experts will monitor how these standards influence European cloud procurement policies and whether other countries adopt similar sovereignty measures.

Key Questions

What exactly is the 24% ownership rule?

The 24% ownership rule limits foreign control of cloud providers operating in France and Europe, requiring that no single non-EU entity hold more than 24% of voting rights or capital, ensuring legal sovereignty and control.

How does SecNumCloud differ from other security certifications?

While certifications like ISO 27001 or C5 focus on operational security controls, SecNumCloud emphasizes ownership control and legal jurisdiction, making it a sovereignty-focused qualification.

Will US cloud providers be able to meet the sovereignty standards?

US providers can attempt to restructure ownership or create joint ventures to comply with the 24% cap, but fully meeting the sovereignty requirements may require significant operational changes.

What are the implications for European data sovereignty?

The rule strengthens European control over data hosting, potentially reducing reliance on US providers and encouraging the development of locally controlled cloud services.

Is this standard legally binding for all cloud providers in France?

Yes, for hosting sensitive public-sector data and critical infrastructure, compliance with SecNumCloud is mandatory under current French regulations.

Source: ThorstenMeyerAI.com

You May Also Like

Li‑Fi Networking Basics for Home Users

Providing faster, more secure home connectivity, Li-Fi networking basics offer exciting benefits—discover how to harness this innovative technology today.

How Neural Radiance Fields (NeRF) Will Change Mobile Photography

On the cusp of revolutionizing mobile photography, NeRF technology promises immersive, customizable scenes, but how exactly will it reshape your photo experience?

Three Public Vulnerabilities. Chained.

Attackers chained three known vulnerabilities to compromise TanStack npm packages, exposing supply chain risks and public research’s role in offensive tradecraft.