📊 Full opportunity report: Why AI Sovereignty Certifications Often Miss The Mark According To The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European AI and cloud sovereignty standards, such as SecNumCloud, rely on ownership caps like the 24% rule to ensure legal sovereignty. However, these certifications mainly test control and practice, not legal jurisdiction, raising questions about their effectiveness.

European sovereignty standards for AI and cloud services, such as France’s SecNumCloud, rely on a unique ownership cap of 24% to determine legal sovereignty. This development highlights a fundamental limitation: certifications primarily assess control and security practices, not legal jurisdiction or immunity from foreign laws. This distinction is critical for organizations handling sensitive data in regulated European industries, where legal sovereignty is paramount.

SecNumCloud, created by France’s ANSSI, is a government-backed qualification that assesses providers against over 360 criteria, including legal sovereignty measures such as EU data residency, audited key custody, and immunity from non-EU extraterritorial laws. The key feature is the ownership cap of 24%, which restricts control by non-EU entities, aiming to ensure legal sovereignty.

However, certifications like ISO 27001, SOC 2, and BSI C5 focus on operational security controls—access management, encryption, incident response—rather than legal control or jurisdiction. They do not address whether a provider can be compelled by foreign governments, such as through the CLOUD Act or similar legislation.

Despite the rigorous security standards, U.S.-based hyperscalers can obtain European certifications while remaining subject to U.S. law. To circumvent ownership restrictions, U.S. cloud giants have established joint ventures with European control, such as Thales–Google S3NS or Capgemini–Orange Bleu, which meet the 24% ownership threshold but still fall under U.S. jurisdiction.

At a glance
analysisWhen: developing, as of mid-2026
The developmentThe article examines how sovereignty certifications like SecNumCloud use a 24% ownership rule to assess control, but do not guarantee immunity from non-EU laws, highlighting a gap in current standards.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Control Limit for Data Sovereignty

This analysis demonstrates that current European sovereignty certifications primarily test control and operational security, not legal immunity. As a result, organizations relying solely on these badges may overestimate their legal sovereignty, risking exposure to foreign legal processes. The 24% ownership rule, while a clear arithmetic measure, does not guarantee immunity from extraterritorial laws, which remains a significant challenge for European data sovereignty efforts.

Amazon

European data sovereignty cloud service

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Limitations of Existing Certifications in Enforcing Sovereignty

European and German certifications such as SecNumCloud and BSI C5 are designed to verify operational security controls and transparency about jurisdiction. SecNumCloud, in particular, emphasizes legal sovereignty through ownership caps and legal domicile requirements, but it does not eliminate the influence of non-EU laws. Many providers, especially U.S.-based hyperscalers, can meet certification criteria by restructuring control via joint ventures or ownership arrangements, without changing their legal jurisdiction or exposure to foreign laws.

This approach reveals a fundamental gap: certifications focus on practice and control, not on the legal protections against foreign legal claims. The 24% rule is a blunt arithmetic measure that does not account for the complex legal landscape surrounding data access and sovereignty.

“The 24% ownership cap in SecNumCloud is a simple, checkable arithmetic that aims to limit foreign control, but it does not guarantee immunity from extraterritorial laws like the CLOUD Act.”

— Thorsten Meyer

Amazon

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Effective Sovereignty Measures

It is still unclear how effectively the 24% ownership rule prevents foreign legal intervention in practice, especially given the ability of U.S. firms to establish control through joint ventures. The actual legal immunity of providers meeting the ownership cap remains untested in court or operationally proven, raising questions about the real-world strength of these sovereignty standards.

Amazon

AI and cloud sovereignty compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in European Data Sovereignty Certification

Expect ongoing refinement of sovereignty standards, possibly including more explicit legal immunity criteria beyond ownership caps. European regulators may also increase scrutiny of joint ventures and control structures, and legal challenges could test the enforceability of sovereignty claims. The debate over certification effectiveness is likely to intensify as data security and legal sovereignty become more intertwined.

Express Schedule Free Employee Scheduling Software [PC/Mac Download]

Express Schedule Free Employee Scheduling Software [PC/Mac Download]

Simple shift planning via an easy drag & drop interface

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

No, certifications primarily verify operational security and control measures. The 24% ownership rule aims to limit foreign control but does not guarantee immunity from laws like the CLOUD Act.

Why is the 24% ownership cap considered a blunt measure?

Because it is an arithmetic threshold that can be met through restructuring control arrangements, without necessarily changing the provider’s legal jurisdiction or exposure to foreign laws.

Can U.S. cloud providers achieve European sovereignty standards?

Yes, by establishing joint ventures or control arrangements that keep ownership below 24%, U.S. providers can meet the control criteria but still remain subject to U.S. law.

What are the limitations of current European sovereignty certifications?

They mainly assess operational security and control but do not fully address legal immunity from extraterritorial laws, which remains a significant challenge.

What might change in future sovereignty standards?

Standards may evolve to include explicit legal immunity criteria, and regulators could increase scrutiny of control structures to better ensure sovereignty.

Source: ThorstenMeyerAI.com

You May Also Like

AI could breach government and business defenses in months, US and its intelligence partners warn

US and allies warn AI advancements could enable breaches of government and business security within months, raising urgent cybersecurity concerns.

Avengers Labs: How Ukraine Turned Its Front Line Into the World’s Scarcest AI Dataset

Ukraine’s Avengers Labs leverages battlefield drone footage to train AI models, transforming combat data into a key defense resource amid ongoing war.

Glasspane: One Dataset, Three Views

Glasspane launches a demo showcasing a single dataset viewed through role-specific perspectives to enhance trust and transparency in infrastructure monitoring.

AI models capable of devastating attacks on governments and business months away, rare Five Eyes statement warns

A rare Five Eyes intelligence alliance warning warns that advanced AI models may soon be capable of launching destructive cyber and physical attacks within months.