📊 Full opportunity report: Can AI Sovereignty Certifications Be Trusted? The 24% Rule Examines The Evidence on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
European authorities use the 24% ownership cap to assess sovereignty in cloud services. This rule challenges the trustworthiness of certifications like SecNumCloud and C5, highlighting ownership and control issues in AI data hosting.
European cybersecurity authorities have implemented a new control test, known as the 24% rule, to evaluate sovereignty in cloud and AI service providers. This rule, which limits foreign ownership to 24% per entity, directly impacts the trustworthiness of existing certifications like SecNumCloud and C5. The development underscores the importance of ownership and control in assessing legal sovereignty, especially for providers hosting sensitive data within the EU.
The 24% rule, created by France’s national cybersecurity agency ANSSI, is a control measure that limits foreign ownership in providers claiming sovereignty, requiring that no single non-EU entity holds more than 24% ownership. This arithmetic-based test is unique among certifications, which typically focus on security practices rather than ownership structure.
As of mid-2026, about ten providers, including OVHcloud and Outscale, have obtained an active SecNumCloud qualification, which is a government-backed certification requiring compliance with strict legal sovereignty criteria. This certification includes requirements for EU-based data storage, audited key custody, and immunity from non-EU extraterritorial laws. However, it does not guarantee immunity from U.S. or other foreign laws, a fact that remains a concern for some users.
Meanwhile, certifications like BSI C5, which verify security controls, do not address ownership or jurisdiction directly. While they require disclosure of jurisdiction, they do not prevent providers with foreign control from hosting EU data, leaving residual legal risks. Amazon’s European Sovereign Cloud, for example, holds a C5 report but remains subject to U.S. law, illustrating the ongoing challenge of sovereignty verification.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Control Limit for AI Data Sovereignty
The 24% ownership cap is a decisive factor in establishing legal sovereignty for cloud and AI providers operating within the EU. It introduces a quantitative measure of control that directly affects trust in certifications like SecNumCloud, which claims to ensure sovereignty. For organizations handling sensitive data, especially in regulated industries, understanding whether a provider truly operates under EU control is critical. The rule could reshape procurement decisions, favoring providers that meet this ownership threshold and potentially leading to increased scrutiny of foreign-controlled providers claiming sovereignty.
Furthermore, the rule highlights a fundamental issue: certifications that focus solely on security controls do not necessarily guarantee legal sovereignty. The 24% rule emphasizes ownership and control as essential components, which could lead to a reevaluation of existing certification standards and the development of new frameworks that explicitly address jurisdiction and control.
EU data sovereignty cloud certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background on Sovereignty Certification and Control Measures
European regulators have long sought to ensure data sovereignty through certifications like SecNumCloud and C5, which verify security practices and compliance with legal requirements. SecNumCloud, created by France’s ANSSI, is a qualification rather than a traditional certification, requiring providers to meet specific legal sovereignty criteria, including EU data domicile and immunity from non-EU laws. It also incorporates the 24% ownership rule, which quantifies control based on ownership stakes.
Other standards like BSI C5 originate from Germany and focus on security controls without explicitly addressing jurisdiction or ownership. While they require providers to disclose jurisdictional information, they do not prevent foreign control, leaving residual legal risks. The ongoing debate centers on whether security certifications are sufficient or if control-based measures like the 24% rule are necessary to truly guarantee sovereignty.
Major providers like AWS have responded by creating separate, EU-based clouds that meet these controls, but they remain subject to U.S. law, illustrating the ongoing complexity of sovereignty certification in a globalized cloud ecosystem.
“The 24% rule is a straightforward, arithmetic measure of control that can be checked from a cap table, making sovereignty claims more transparent.”
— Thorsten Meyer, cybersecurity expert
secure cloud storage for EU data
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unresolved Questions About Certification Trustworthiness
It is still unclear how effectively the 24% ownership rule will prevent foreign control in practice, especially as providers may structure ownership to remain just below the threshold or use complex arrangements. Additionally, the extent to which existing security certifications like C5 or ISO 27001 can serve as proxies for sovereignty remains debated, as they do not directly address legal jurisdiction or control.
Furthermore, the impact of these measures on global cloud providers’ strategies and whether they will lead to more transparent ownership disclosures or new control mechanisms is still developing. The long-term legal and operational implications of the 24% rule are yet to be fully understood.
European sovereignty cloud providers
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Certification and Sovereignty Verification
In the coming months, more providers are expected to pursue SecNumCloud certification or equivalent sovereignty controls to meet French and broader EU regulations. The number of providers with active certifications is likely to grow, especially as the EU pushes for stricter sovereignty measures.
Regulators may also refine the 24% rule or introduce additional control measures, potentially leading to more granular ownership transparency requirements. Meanwhile, organizations seeking to ensure sovereignty will need to evaluate not just security controls but also ownership structures and jurisdictional compliance when selecting providers.
Legal challenges and industry debates over the effectiveness of these sovereignty measures are anticipated, shaping future standards and certification schemes.
government-backed cloud security certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Does holding a SecNumCloud certification guarantee sovereignty?
No, it indicates compliance with specific security and legal sovereignty criteria, but providers can still be subject to foreign laws like the CLOUD Act if ownership or control is outside the EU.
What is the significance of the 24% ownership rule?
It provides a quantitative measure of control, limiting foreign ownership to ensure the provider is primarily under EU control, which is critical for sovereignty claims.
Can foreign-controlled providers still claim sovereignty?
They can obtain certifications like C5 or ISO 27001, but without meeting the ownership threshold or immunity requirements, sovereignty claims remain questionable.
Will the 24% rule prevent all foreign influence?
Not necessarily; providers might structure ownership to stay below the threshold or use complex arrangements, so the rule is a tool, not a complete solution.
What are the implications for AI providers in Europe?
AI service providers hosting sensitive data will need to demonstrate ownership control and sovereignty compliance, possibly through certifications like SecNumCloud, to meet regulatory demands.
Source: ThorstenMeyerAI.com