📊 Full opportunity report: AI Sovereignty Certification: Do They Really Test Sovereignty? The 24% Rule Says No on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
France’s SecNumCloud certification incorporates a unique ownership rule to test legal sovereignty, setting it apart from traditional security standards. Around ten providers hold this qualification as of mid-2026, but its implications remain complex.
France’s SecNumCloud certification uniquely tests legal sovereignty through a 24% ownership cap, making it the only certification explicitly designed to assess whether a foreign government can compel access to data stored within the EU.
Created by ANSSI, France’s national cybersecurity agency, SecNumCloud is a qualification rather than a traditional certification. It requires providers to meet over 360 criteria across technical, organizational, operational, and legal themes, with a key focus on sovereignty. The defining feature is the ownership rule: companies not based in the EU must hold less than 24% ownership individually, or 39% collectively, to qualify. This arithmetic threshold directly measures control over data, making it a practical test of sovereignty rather than a security practice.
As of mid-2026, approximately ten providers, including OVHcloud, Outscale, and Scaleway, hold active SecNumCloud qualifications. It is mandatory for hosting sensitive French public-sector data and is being pushed toward critical infrastructure operators across Europe. Unlike other standards like ISO 27001 or BSI C5, which focus on security controls, SecNumCloud explicitly links ownership structure to legal sovereignty.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Why Ownership Control Defines Sovereignty in Cloud Certifications
The 24% ownership rule embedded in SecNumCloud introduces a direct, quantifiable measure of legal sovereignty. This approach signifies a shift from traditional security certifications, which focus on technical controls, to a framework that explicitly tests who ultimately controls the data. For regulators and organizations, this means a clearer understanding of jurisdictional risks, especially regarding extraterritorial laws like the CLOUD Act. The certification’s emphasis on ownership limits aims to prevent foreign governments from exerting undue influence over data stored within the EU, impacting how multinational cloud providers structure their control and ownership.

RedHat Certified Cloud and Service Provider Certification Exam Study Guide Flashcards
Pass the RedHat Certified Cloud and Service Provider Certification Exam with updated flashcards packed with detailed content aligned…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The Evolution of Sovereignty Testing in Cloud Certifications
Traditional cloud security standards such as ISO 27001 and BSI C5 primarily verify operational security practices—access controls, encryption, incident response—without addressing jurisdictional control. SecNumCloud, introduced in 2016 and now at version 3.2, breaks this pattern by adding legal sovereignty as a core criterion. Its ownership threshold stems from the recognition that legal control, especially in sensitive sectors, depends on who owns and controls the data infrastructure. The rule was designed in response to the dominance of US hyperscalers, who, despite holding certifications, remain subject to US laws like the CLOUD Act, which can compel data access regardless of security controls.
The rule’s practical effect is to limit foreign ownership, ensuring that providers with significant non-EU control cannot qualify, thereby safeguarding against legal jurisdictional risks. Companies like AWS, despite their European Sovereign Cloud offerings, remain subject to US law, illustrating the distinction between security certifications and sovereignty testing.
“The 24% rule is the only real test of sovereignty in the cloud. It measures actual control, not just security practices.”
— Thorsten Meyer
European sovereignty cloud hosting
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unclear Impact of the 24% Ownership Limit on Global Providers
While the ownership rule is clear, its practical enforcement and impact on providers with complex ownership structures remain uncertain. Some companies may attempt to circumvent the rule through subsidiaries or control arrangements, and the extent to which this threshold effectively prevents foreign control is still being tested. Additionally, the broader influence of SecNumCloud on European cloud procurement and whether it will become a de facto sovereignty standard remains to be seen.

Law and Order Cap-Security – Navy
Design, Classic round baseball cap shape with gold yellow block letter embroidery on the front.
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Certification Adoption and Policy Impact
As of mid-2026, more providers are expected to seek SecNumCloud qualification, especially with France and Europe expanding mandates for critical infrastructure. Regulatory bodies may refine enforcement mechanisms, and industry discussions will likely focus on the effectiveness of the 24% rule. The certification’s influence could grow, potentially shaping future standards that explicitly incorporate sovereignty considerations into cloud provider assessments.

The Buildings That Store the World: Data Centres, Cloud, and the New Geography of Power (Infrastructure – The Hidden World)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What makes SecNumCloud different from other cloud security standards?
SecNumCloud explicitly tests legal sovereignty through a ownership cap, unlike standards like ISO 27001 or BSI C5, which focus solely on security controls.
Why is the 24% ownership rule important?
The rule provides a quantifiable measure of control, helping ensure that foreign governments cannot exert influence over data stored within the EU.
Can US-based providers qualify under SecNumCloud?
Generally no, because the ownership threshold and legal domicile requirements effectively exclude providers with significant non-EU control, although some joint ventures attempt to meet the criteria.
Will SecNumCloud become a global standard?
It is currently specific to France and Europe, but its emphasis on sovereignty might influence future standards and regulations worldwide.
What are the implications for companies using US hyperscalers in Europe?
Despite certifications, US hyperscalers remain subject to US laws like the CLOUD Act, which means they cannot fully guarantee sovereignty under the SecNumCloud criteria.
Source: ThorstenMeyerAI.com