The 24% Rule: Why Most “Sovereign Cloud” Certifications Don’t Test Sovereignty

📊 Full opportunity report: The 24% Rule: Why Most “Sovereign Cloud” Certifications Don’t Test Sovereignty on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

Most cloud certifications focus on security practices, not legal sovereignty. The 24% ownership rule in SecNumCloud is unique in testing control, but many providers still remain subject to foreign law. This distinction impacts cloud procurement and sovereignty claims.

Most European ‘sovereign cloud’ certifications do not actually test whether a provider is legally subject to foreign government control, with the exception of France’s SecNumCloud framework, which uses a unique 24% ownership rule to assess sovereignty.

Certifications like ISO 27001, SOC 2, and BSI C5 primarily verify security practices such as access controls, encryption, and incident response. They do not address legal jurisdiction or government control over data. In contrast, SecNumCloud, issued by France’s ANSSI, includes a specific ownership cap: foreign companies must hold less than 24% ownership to qualify, directly testing sovereignty.

This ownership rule is arithmetic-based, making it straightforward to verify from a company’s cap table, and is designed to prevent foreign government influence. As of mid-2026, around a dozen providers, including OVHcloud and Scaleway, hold active SecNumCloud qualifications, which are mandatory for hosting sensitive French public-sector data.

Other certifications like BSI C5, while comprehensive in security controls, do not inherently address jurisdictional immunity, merely requiring disclosure of legal domicile and data location. AWS’s European Sovereign Cloud, certified with a C5 report, remains subject to US law despite its physical separation within the EU.

At a glance
analysisWhen: developing as of mid-2026, with ongoing…
The developmentThe article explains how the 24% ownership cap in SecNumCloud certification is the only measure directly testing sovereignty, contrasting it with other security certifications that do not address legal jurisdiction.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Limit for Cloud Sovereignty

This analysis reveals that most certifications do not guarantee sovereignty, as they focus on security practices rather than legal control. The 24% ownership rule in SecNumCloud is a rare, measurable criterion directly testing whether a provider is immune from foreign legal influence. This distinction impacts procurement decisions, especially for sensitive data in regulated industries.

Understanding this difference helps organizations evaluate true sovereignty claims and avoid being misled by badges that do not address jurisdictional sovereignty. As more providers seek SecNumCloud qualification, the ownership rule may become a standard benchmark for sovereignty in cloud services.

Amazon

European sovereign cloud certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Evolution of Sovereignty Testing in Cloud Certifications

Traditional security certifications like ISO 27001 and SOC 2 have long been used to verify security practices but do not address legal jurisdiction or sovereignty. European frameworks such as EUCS and BSI C5 focus on controls and disclosure but do not prevent foreign legal reach. France’s SecNumCloud, introduced in 2016 and now at version 3.2, stands out by incorporating a specific ownership threshold—24%—to directly test sovereignty.

This framework was created in response to concerns about foreign influence and extraterritorial laws like the US CLOUD Act. It requires providers to be physically and legally within the EU, with data stored locally, and to have audited control over encryption keys and ownership structures. The ownership cap is a key element, making SecNumCloud a unique hybrid of security and sovereignty testing.

Despite the proliferation of security badges, the industry has yet to develop a comprehensive, universally accepted measure of sovereignty. The 24% rule remains the only arithmetic, checkable test of legal control, and its adoption is growing among providers serving sensitive European sectors.

“Achieving ISO 27001 is a 1 on the complexity scale, but SecNumCloud is a 10—it’s a very high bar for sovereignty.”

— Scalingo CEO

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS

SOC2 Cloud Compliance Mastery: Master SOC 2 For Cloud Tools | Secure Collaboration Fast | SOC 2 Controls Simplified | Trusted Compliance Blueprint | Fast-Track Cloud Compliance | SOC 2 For SaaS

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Sovereignty Certification Effectiveness

It remains unclear how many providers will fully comply with the ownership cap in practice, or how enforcement will be monitored over time. The impact of the rule on foreign-controlled providers operating within the EU is still evolving, and whether other frameworks will adopt similar measures is uncertain.

Additionally, the extent to which certification guarantees immunity from foreign laws like the CLOUD Act, despite ownership restrictions, is still debated among legal experts.

[1760558206] [9781760558208]Extreme Ownership: How U.S. Navy SEALs Lead and Win-Paperback

[1760558206] [9781760558208]Extreme Ownership: How U.S. Navy SEALs Lead and Win-Paperback

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Future Developments in Sovereignty Certification Standards

Expect increased adoption of SecNumCloud by providers aiming to serve sensitive public sector data in France and Europe. Regulatory agencies may tighten ownership limits or introduce new criteria to enhance sovereignty testing. Meanwhile, other European countries might develop similar frameworks, potentially leading to a broader shift in sovereignty verification standards for cloud services.

Organizations should monitor certification updates and legal developments to ensure compliance and sovereignty in their cloud strategies.

Motherboard Coil Tester – Precision Electrical Detection Tool, Accurate Analyzer Device, Electronic Repair Instrument | Circuit Diagnosis Equipment for Computer Automotive Boards, Workshop

Motherboard Coil Tester – Precision Electrical Detection Tool, Accurate Analyzer Device, Electronic Repair Instrument | Circuit Diagnosis Equipment for Computer Automotive Boards, Workshop

Efficient Testing Tool: inductance tester combines stable performance and high accuracy measurement, empowering users to conduct precise tests…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What makes SecNumCloud different from other certifications?

SecNumCloud includes a specific ownership cap—24%—which directly tests whether a provider is under foreign control, unlike other certifications that focus solely on security practices.

Does a security certification guarantee sovereignty?

No. Certifications like ISO 27001 or BSI C5 verify security controls but do not address legal jurisdiction or control, which is what sovereignty testing requires.

Can foreign companies qualify for SecNumCloud?

Only if they meet the ownership threshold of less than 24% foreign ownership and comply with other legal and operational requirements set by ANSSI.

Will other European countries adopt similar sovereignty tests?

It remains uncertain. France’s approach is unique, but increasing concerns about foreign influence may inspire similar frameworks elsewhere in Europe.

What is the significance of the 24% ownership rule?

It provides a clear, arithmetic-based measure of legal sovereignty, making it a practical tool for verifying control and immunity from foreign government influence.

Source: ThorstenMeyerAI.com

You May Also Like

Apple Sues OpenAI, Accusing It of Stealing Company Secrets

Apple has filed a lawsuit against OpenAI, accusing the AI company of stealing proprietary information. The case raises questions about corporate espionage in AI development.

The Laptop Spec Trap That Makes Premium Machines Feel Slow

Discover why high-end laptops can feel sluggish despite top specs. Learn hidden bottlenecks and how to fix performance traps in your premium machine.

There Are No Instances in ATProto

ATProto does not use instances like Mastodon. This article explains the difference and why it matters for decentralization.

The Menu: What Ten Answers Reveal

An analysis of how ten jurisdictions respond to automation and AI, revealing patterns in income, capital, work, skills, and institutions, and their implications.