📊 Full opportunity report: Understanding The Gaps In AI Sovereignty Testing Via The 24% Rule on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European sovereignty testing for cloud and AI providers hinges on a unique 24% ownership rule. This article explains what the rule is, how it impacts provider control, and why it matters for data sovereignty and legal jurisdiction.

European cybersecurity authorities have implemented a novel sovereignty test for cloud and AI providers, based on a strict 24% ownership limit for foreign control. This measure aims to ensure legal sovereignty over data stored within the EU, directly impacting how providers structure ownership and control. The rule is a key development in European efforts to safeguard data from extraterritorial legal reach, and it is now shaping provider compliance strategies.

The sovereignty test, introduced by France’s national cybersecurity agency ANSSI as part of the SecNumCloud qualification, measures ownership control through a simple arithmetic cap: foreign ownership must not exceed 24% individually, or 39% collectively. This control test is unique because it is expressed as a numerical threshold, not a security or policy control, making it highly transparent and checkable from a cap table.

As of mid-2026, around ten providers hold an active SecNumCloud qualification, with several more in the pipeline. These providers include major French and European cloud firms such as OVHcloud, Outscale, Oodrive, and Scaleway. The rule effectively mandates that providers must be primarily owned by EU-based entities to qualify, especially for hosting sensitive public-sector data under France’s Cloud au Centre doctrine. US-based hyperscalers like AWS cannot meet the ownership control requirement in their native form, leading to the creation of joint ventures and control arrangements that comply with the 24% limit.

This ownership cap is significant because it explicitly links legal sovereignty to ownership structure, rather than relying solely on security controls or contractual clauses. It is designed to prevent non-EU entities from exerting control that could trigger extraterritorial laws like the CLOUD Act, which can compel data access regardless of security certifications.

At a glance
analysisWhen: developing in mid-2026, with active pro…
The developmentEuropean authorities have introduced a sovereignty test based on a 24% ownership cap to determine control over cloud and AI providers handling sensitive data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for European Data Sovereignty

The 24% ownership rule represents a fundamental shift in how European authorities enforce data sovereignty. It moves beyond traditional security certifications, focusing instead on control and legal jurisdiction. For providers, this means restructuring ownership or control arrangements to meet sovereignty criteria, often through joint ventures or local ownership. For European users, it offers a clearer assurance that data stored within compliant providers remains under EU legal control, reducing exposure to foreign extraterritorial laws. This development could influence global cloud strategies, as providers seek to access the lucrative European market while respecting sovereignty requirements.

Moreover, the rule underscores the importance of legal sovereignty in the evolving landscape of data regulation. It signals a move toward transparency and control over ownership, which could set a precedent for other jurisdictions seeking to limit foreign control over critical infrastructure and data assets.

Amazon

EU data sovereignty cloud provider

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Testing and the Rise of Control-Based Certification

European efforts to enhance data sovereignty have increasingly focused on legal control, with certifications like SecNumCloud and standards such as C5 emphasizing compliance with local laws and jurisdictional transparency. The introduction of the ownership cap as a control measure builds on these trends, offering a tangible, arithmetic threshold that directly measures control rather than relying solely on security practices.

Historically, certifications like ISO 27001 and C5 have demonstrated security practices but did not address jurisdictional control explicitly. The SecNumCloud scheme, created by ANSSI in 2016, introduced a more prescriptive approach, including legal sovereignty requirements such as EU data domicile and immunity from non-EU extraterritorial law. The 24% rule is the latest evolution, making ownership a quantifiable and enforceable criterion.

This approach aligns with recent European policies emphasizing data localization and sovereignty, especially under frameworks like NIS2 and the Cloud Act’s legal reach.

“The SecNumCloud qualification is not just a security certificate; it guarantees legal sovereignty and compliance with EU control requirements.”

— ANSSI spokesperson

Amazon

AI ownership control compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unresolved Questions About Implementation and Enforcement

It remains unclear how strictly the 24% ownership cap will be enforced across different provider structures, especially in complex joint ventures or indirect control arrangements. The precise legal and regulatory mechanisms for verifying compliance at scale are still under development, and it is not yet confirmed how disputes or non-compliance will be handled. Additionally, the impact on US-based hyperscalers and their strategies for European market entry continues to evolve, with ongoing negotiations and legal challenges.

Amazon

European cloud security certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in European Control and Certification Standards

Regulators and certification bodies are expected to refine enforcement procedures and develop clearer guidelines for ownership verification. Several providers are actively pursuing SecNumCloud qualification, with more expected to follow as the market adapts. Legal debates and potential legislative adjustments may also shape how the 24% rule is applied, especially concerning joint ventures and indirect ownership structures. European authorities will likely increase oversight to ensure compliance, reinforcing the control-based sovereignty framework.

Amazon

ownership cap compliance software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the 24% ownership rule in European sovereignty testing?

The 24% ownership rule limits foreign control over cloud and AI providers to ensure legal sovereignty, requiring that no single foreign entity owns more than 24% of the provider, or combined foreign ownership does not exceed 39%.

How does the ownership cap impact US tech giants operating in Europe?

US-based companies cannot meet the ownership control requirement in their native form, prompting them to establish joint ventures or control arrangements that comply with the 24% limit to qualify for sovereignty certifications.

Does a certification like C5 or SecNumCloud guarantee immunity from legal jurisdiction?

No. While C5 certifies security controls, it does not address jurisdictional immunity. SecNumCloud explicitly requires legal sovereignty measures, including ownership controls, to prevent extraterritorial legal reach.

What are the practical challenges providers face in meeting the 24% rule?

Providers must carefully structure ownership and control arrangements, often through complex joint ventures, to stay below the ownership thresholds, which can be operationally and legally complex.

What is the significance of the ownership control measure for European data security?

The control measure directly links legal sovereignty to ownership structure, providing a clear, checkable standard that enhances data protection from foreign legal interference.

Source: ThorstenMeyerAI.com

You May Also Like

Europe Regulated the Interface and Forgot to Build the Engine

Europe regulated the user interface for AI consent but failed to develop or fund the underlying AI technology, risking its competitiveness.

Some Reasons Why Google Had Such A Bad Day

An analysis of the key factors contributing to Google’s recent operational setbacks and their implications for the tech giant.

Comcast Outtage Surges In Global Coverage

A widespread outage has impacted Comcast’s services worldwide, with reports surging across multiple regions. The cause remains under investigation.

The Kill Switch: What the Anthropic Export Ban Really Costs the AI Industry

Anthropic’s export controls on its latest models led to their shutdown, raising concerns over AI reliance, security, and industry stability.