AI Sovereignty Certification: Do They Really Test Sovereignty? The 24% Rule Says No

📊 Full opportunity report: AI Sovereignty Certification: Do They Really Test Sovereignty? The 24% Rule Says No on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

France’s SecNumCloud certification incorporates a unique ownership rule to test legal sovereignty, setting it apart from traditional security standards. Around ten providers hold this qualification as of mid-2026, but its implications remain complex.

France’s SecNumCloud certification uniquely tests legal sovereignty through a 24% ownership cap, making it the only certification explicitly designed to assess whether a foreign government can compel access to data stored within the EU.

Created by ANSSI, France’s national cybersecurity agency, SecNumCloud is a qualification rather than a traditional certification. It requires providers to meet over 360 criteria across technical, organizational, operational, and legal themes, with a key focus on sovereignty. The defining feature is the ownership rule: companies not based in the EU must hold less than 24% ownership individually, or 39% collectively, to qualify. This arithmetic threshold directly measures control over data, making it a practical test of sovereignty rather than a security practice.

As of mid-2026, approximately ten providers, including OVHcloud, Outscale, and Scaleway, hold active SecNumCloud qualifications. It is mandatory for hosting sensitive French public-sector data and is being pushed toward critical infrastructure operators across Europe. Unlike other standards like ISO 27001 or BSI C5, which focus on security controls, SecNumCloud explicitly links ownership structure to legal sovereignty.

At a glance
reportWhen: developing; as of mid-2026, about ten p…
The developmentFrance’s SecNumCloud certification includes a specific ownership threshold—24%—to assess legal sovereignty, marking a significant shift in cloud security certification standards.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Why Ownership Control Defines Sovereignty in Cloud Certifications

The 24% ownership rule embedded in SecNumCloud introduces a direct, quantifiable measure of legal sovereignty. This approach signifies a shift from traditional security certifications, which focus on technical controls, to a framework that explicitly tests who ultimately controls the data. For regulators and organizations, this means a clearer understanding of jurisdictional risks, especially regarding extraterritorial laws like the CLOUD Act. The certification’s emphasis on ownership limits aims to prevent foreign governments from exerting undue influence over data stored within the EU, impacting how multinational cloud providers structure their control and ownership.

RedHat Certified Cloud and Service Provider Certification Exam Study Guide Flashcards

RedHat Certified Cloud and Service Provider Certification Exam Study Guide Flashcards

Pass the RedHat Certified Cloud and Service Provider Certification Exam with updated flashcards packed with detailed content aligned…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

The Evolution of Sovereignty Testing in Cloud Certifications

Traditional cloud security standards such as ISO 27001 and BSI C5 primarily verify operational security practices—access controls, encryption, incident response—without addressing jurisdictional control. SecNumCloud, introduced in 2016 and now at version 3.2, breaks this pattern by adding legal sovereignty as a core criterion. Its ownership threshold stems from the recognition that legal control, especially in sensitive sectors, depends on who owns and controls the data infrastructure. The rule was designed in response to the dominance of US hyperscalers, who, despite holding certifications, remain subject to US laws like the CLOUD Act, which can compel data access regardless of security controls.

The rule’s practical effect is to limit foreign ownership, ensuring that providers with significant non-EU control cannot qualify, thereby safeguarding against legal jurisdictional risks. Companies like AWS, despite their European Sovereign Cloud offerings, remain subject to US law, illustrating the distinction between security certifications and sovereignty testing.

“The 24% rule is the only real test of sovereignty in the cloud. It measures actual control, not just security practices.”

— Thorsten Meyer

Amazon

European sovereignty cloud hosting

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Impact of the 24% Ownership Limit on Global Providers

While the ownership rule is clear, its practical enforcement and impact on providers with complex ownership structures remain uncertain. Some companies may attempt to circumvent the rule through subsidiaries or control arrangements, and the extent to which this threshold effectively prevents foreign control is still being tested. Additionally, the broader influence of SecNumCloud on European cloud procurement and whether it will become a de facto sovereignty standard remains to be seen.

Law and Order Cap-Security - Navy

Law and Order Cap-Security – Navy

Design, Classic round baseball cap shape with gold yellow block letter embroidery on the front.

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Certification Adoption and Policy Impact

As of mid-2026, more providers are expected to seek SecNumCloud qualification, especially with France and Europe expanding mandates for critical infrastructure. Regulatory bodies may refine enforcement mechanisms, and industry discussions will likely focus on the effectiveness of the 24% rule. The certification’s influence could grow, potentially shaping future standards that explicitly incorporate sovereignty considerations into cloud provider assessments.

The Buildings That Store the World: Data Centres, Cloud, and the New Geography of Power (Infrastructure - The Hidden World)

The Buildings That Store the World: Data Centres, Cloud, and the New Geography of Power (Infrastructure – The Hidden World)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What makes SecNumCloud different from other cloud security standards?

SecNumCloud explicitly tests legal sovereignty through a ownership cap, unlike standards like ISO 27001 or BSI C5, which focus solely on security controls.

Why is the 24% ownership rule important?

The rule provides a quantifiable measure of control, helping ensure that foreign governments cannot exert influence over data stored within the EU.

Can US-based providers qualify under SecNumCloud?

Generally no, because the ownership threshold and legal domicile requirements effectively exclude providers with significant non-EU control, although some joint ventures attempt to meet the criteria.

Will SecNumCloud become a global standard?

It is currently specific to France and Europe, but its emphasis on sovereignty might influence future standards and regulations worldwide.

What are the implications for companies using US hyperscalers in Europe?

Despite certifications, US hyperscalers remain subject to US laws like the CLOUD Act, which means they cannot fully guarantee sovereignty under the SecNumCloud criteria.

Source: ThorstenMeyerAI.com

You May Also Like

7 Best PC Routers for Prime Day Deals in 2026

Discover the best PC routers on Prime Day 2026, including WiFi 7 options, wired ports, and setup ease. Find the perfect match for your needs today.

Command Line Interface Guidelines

Official CLI guidelines aim to standardize command line tools for better usability and security, impacting developers and users.

Three Public Vulnerabilities. Chained.

A chain of three known vulnerabilities was exploited in the TanStack npm packages on May 11, 2026, enabling a sophisticated supply chain attack. Details reveal public research was weaponized.

15 Best Graphics Cards for Gaming, AI, and Creative Work in 2026

Explore the 15 best graphics cards in 2026 for gaming, AI, and creative tasks, with detailed insights on performance, value, and suitability for different needs.