Can AI Sovereignty Certifications Be Trusted? The 24% Rule Examines The Evidence

📊 Full opportunity report: Can AI Sovereignty Certifications Be Trusted? The 24% Rule Examines The Evidence on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European authorities use the 24% ownership cap to assess sovereignty in cloud services. This rule challenges the trustworthiness of certifications like SecNumCloud and C5, highlighting ownership and control issues in AI data hosting.

European cybersecurity authorities have implemented a new control test, known as the 24% rule, to evaluate sovereignty in cloud and AI service providers. This rule, which limits foreign ownership to 24% per entity, directly impacts the trustworthiness of existing certifications like SecNumCloud and C5. The development underscores the importance of ownership and control in assessing legal sovereignty, especially for providers hosting sensitive data within the EU.

The 24% rule, created by France’s national cybersecurity agency ANSSI, is a control measure that limits foreign ownership in providers claiming sovereignty, requiring that no single non-EU entity holds more than 24% ownership. This arithmetic-based test is unique among certifications, which typically focus on security practices rather than ownership structure.

As of mid-2026, about ten providers, including OVHcloud and Outscale, have obtained an active SecNumCloud qualification, which is a government-backed certification requiring compliance with strict legal sovereignty criteria. This certification includes requirements for EU-based data storage, audited key custody, and immunity from non-EU extraterritorial laws. However, it does not guarantee immunity from U.S. or other foreign laws, a fact that remains a concern for some users.

Meanwhile, certifications like BSI C5, which verify security controls, do not address ownership or jurisdiction directly. While they require disclosure of jurisdiction, they do not prevent providers with foreign control from hosting EU data, leaving residual legal risks. Amazon’s European Sovereign Cloud, for example, holds a C5 report but remains subject to U.S. law, illustrating the ongoing challenge of sovereignty verification.

At a glance
reportWhen: developing as of mid-2026
The developmentEuropean sovereignty rule, known as the 24% rule, is being used to evaluate control over cloud providers, impacting trust in certifications for AI and data sovereignty.
Crypto market snapshot
Fear & Greed Index
28/100 — Fear
Bitcoin BTC$64,683▲ 1.2%
Ethereum ETH$1,868▲ 1.3%
Tether USDT$0.9993▼ 0.0%
BNB BNB$568.48▲ 0.1%
USDC USDC$0.9999▼ 0.0%
XRP XRP$1.1▲ 0.9%
Solana SOL$75.96▲ 1.4%
TRON TRX$0.3254▲ 1.1%
Live data · CoinGecko · alternative.me (24h change)
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Control Limit for AI Data Sovereignty

The 24% ownership cap is a decisive factor in establishing legal sovereignty for cloud and AI providers operating within the EU. It introduces a quantitative measure of control that directly affects trust in certifications like SecNumCloud, which claims to ensure sovereignty. For organizations handling sensitive data, especially in regulated industries, understanding whether a provider truly operates under EU control is critical. The rule could reshape procurement decisions, favoring providers that meet this ownership threshold and potentially leading to increased scrutiny of foreign-controlled providers claiming sovereignty.

Furthermore, the rule highlights a fundamental issue: certifications that focus solely on security controls do not necessarily guarantee legal sovereignty. The 24% rule emphasizes ownership and control as essential components, which could lead to a reevaluation of existing certification standards and the development of new frameworks that explicitly address jurisdiction and control.

Amazon

EU data sovereignty cloud certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background on Sovereignty Certification and Control Measures

European regulators have long sought to ensure data sovereignty through certifications like SecNumCloud and C5, which verify security practices and compliance with legal requirements. SecNumCloud, created by France’s ANSSI, is a qualification rather than a traditional certification, requiring providers to meet specific legal sovereignty criteria, including EU data domicile and immunity from non-EU laws. It also incorporates the 24% ownership rule, which quantifies control based on ownership stakes.

Other standards like BSI C5 originate from Germany and focus on security controls without explicitly addressing jurisdiction or ownership. While they require providers to disclose jurisdictional information, they do not prevent foreign control, leaving residual legal risks. The ongoing debate centers on whether security certifications are sufficient or if control-based measures like the 24% rule are necessary to truly guarantee sovereignty.

Major providers like AWS have responded by creating separate, EU-based clouds that meet these controls, but they remain subject to U.S. law, illustrating the ongoing complexity of sovereignty certification in a globalized cloud ecosystem.

“The 24% rule is a straightforward, arithmetic measure of control that can be checked from a cap table, making sovereignty claims more transparent.”

— Thorsten Meyer, cybersecurity expert

Amazon

secure cloud storage for EU data

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Certification Trustworthiness

It is still unclear how effectively the 24% ownership rule will prevent foreign control in practice, especially as providers may structure ownership to remain just below the threshold or use complex arrangements. Additionally, the extent to which existing security certifications like C5 or ISO 27001 can serve as proxies for sovereignty remains debated, as they do not directly address legal jurisdiction or control.

Furthermore, the impact of these measures on global cloud providers’ strategies and whether they will lead to more transparent ownership disclosures or new control mechanisms is still developing. The long-term legal and operational implications of the 24% rule are yet to be fully understood.

Amazon

European sovereignty cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Certification and Sovereignty Verification

In the coming months, more providers are expected to pursue SecNumCloud certification or equivalent sovereignty controls to meet French and broader EU regulations. The number of providers with active certifications is likely to grow, especially as the EU pushes for stricter sovereignty measures.

Regulators may also refine the 24% rule or introduce additional control measures, potentially leading to more granular ownership transparency requirements. Meanwhile, organizations seeking to ensure sovereignty will need to evaluate not just security controls but also ownership structures and jurisdictional compliance when selecting providers.

Legal challenges and industry debates over the effectiveness of these sovereignty measures are anticipated, shaping future standards and certification schemes.

Amazon

government-backed cloud security certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Does holding a SecNumCloud certification guarantee sovereignty?

No, it indicates compliance with specific security and legal sovereignty criteria, but providers can still be subject to foreign laws like the CLOUD Act if ownership or control is outside the EU.

What is the significance of the 24% ownership rule?

It provides a quantitative measure of control, limiting foreign ownership to ensure the provider is primarily under EU control, which is critical for sovereignty claims.

Can foreign-controlled providers still claim sovereignty?

They can obtain certifications like C5 or ISO 27001, but without meeting the ownership threshold or immunity requirements, sovereignty claims remain questionable.

Will the 24% rule prevent all foreign influence?

Not necessarily; providers might structure ownership to stay below the threshold or use complex arrangements, so the rule is a tool, not a complete solution.

What are the implications for AI providers in Europe?

AI service providers hosting sensitive data will need to demonstrate ownership control and sovereignty compliance, possibly through certifications like SecNumCloud, to meet regulatory demands.

Source: ThorstenMeyerAI.com

Nothing in this article is financial or investment advice. Cryptocurrency and precious-metal investments carry significant risk — do your own research and consider a licensed advisor.
You May Also Like

China: The Visible Hand

China’s government directs AI, robotics, and industrial policy through top-down planning, emphasizing state ownership and strategic priorities, with mixed impacts on inequality.

Software-Defined Warfare: How Ukraine’s Delta Turned the Battlefield Into a Shared, Real-Time Map

Ukraine’s Delta battlefield system, running on cloud and accessible via browsers, enhances real-time situational awareness and command speed, marking a shift in military tech.

Sovereignty Is a Pipe, Not a Passport

Analysis of Mistral’s claims on data sovereignty reveals that jurisdiction, not location, determines legal exposure, challenging European sovereignty narratives.

Classified AI: How Washington Turned Benchmarks Into A Security Asset By August 1

The US government will establish a classified benchmarking process for advanced AI models by August, shifting oversight to NSA and Treasury with voluntary industry participation.