📊 Full opportunity report: The Truth About AI Sovereign Cloud Certifications And The 24% Benchmark on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

This article clarifies the meaning of European AI cloud certifications, focusing on the SecNumCloud ownership cap of 24%. It explains why this benchmark is crucial for sovereignty and what it reveals about data control in regulated industries.

European cybersecurity standards, particularly the SecNumCloud qualification, now include a 24% ownership cap designed to ensure legal sovereignty over data. This development marks a significant shift in how cloud providers demonstrate ownership control in regulated sectors, especially within France and the broader EU.

The SecNumCloud scheme, created by ANSSI, France’s national cybersecurity agency, is a qualification rather than a certification, requiring providers to meet over 360 criteria across technical, operational, and legal themes. A key requirement is that ownership and voting rights held by non-EU entities must not exceed 24% individually, or 39% collectively, ensuring legal sovereignty.

As of mid-2026, about nine to ten providers have secured an active SecNumCloud qualification, including major French cloud operators such as OVHcloud and 3DS Outscale. The scheme is mandatory for hosting sensitive French public-sector data and is being extended to critical infrastructure sectors under EU regulations like NIS2.

In contrast, other certifications such as ISO 27001, SOC 2, and BSI C5 primarily certify security practices rather than ownership or jurisdictional control. For example, BSI C5 includes controls on jurisdiction and data location but does not restrict non-EU control, leaving residual legal risk for providers with US or other non-EU ownership.

The 24% ownership rule is a clear arithmetic threshold that can be verified from a company’s cap table. It is considered brutally difficult to achieve, especially compared to ISO 27001 compliance, which is less complex but less focused on sovereignty.

At a glance
analysisWhen: developing, as of mid-2026
The developmentThe article analyzes the implications of the SecNumCloud ownership limit and certifications like C5, emphasizing their role in European data sovereignty and control.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for Cloud Sovereignty

The 24% ownership limit is a decisive factor in ensuring legal sovereignty over data in European cloud services. By restricting non-EU control, it aims to prevent foreign governments or companies from exerting extraterritorial influence over sensitive data. For regulated industries like healthcare, finance, and energy, this cap is becoming a mandatory criterion for selecting cloud providers, especially within France.

This approach shifts the focus from traditional security certifications to ownership and jurisdictional control. It signals a move toward sovereign cloud architectures that prioritize legal immunity and control over data, which is vital amid ongoing geopolitical tensions and data sovereignty debates. For vendors, achieving SecNumCloud compliance with this ownership threshold is a significant commercial advantage in the European market.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Evolution of European Cloud Sovereignty Standards

European efforts to establish cloud sovereignty have intensified over recent years, driven by concerns over foreign jurisdictional influence and data privacy. France’s SecNumCloud scheme, introduced in 2016 and now in version 3.2, is the most comprehensive framework explicitly addressing ownership control. It builds on ISO 27001 but introduces legal sovereignty as a core criterion, including the ownership cap.

Other standards like BSI C5 from Germany focus on security controls and jurisdiction disclosure, but do not impose ownership limits. The distinction is critical: while C5 controls mitigate security risks, SecNumCloud’s ownership threshold directly addresses legal control and sovereignty.

As of mid-2026, the market sees a growing number of providers obtaining SecNumCloud, signaling a shift in compliance priorities among European cloud vendors. The scheme’s mandatory status for sensitive public data underscores its importance.

“The 24% ownership cap is the most concrete measure of sovereignty we’ve seen. It’s a simple but powerful arithmetic check that can be verified from a company’s ownership structure.”

— Thorsten Meyer, AI compliance expert

Amazon

SecNumCloud compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About Implementation and Market Impact

It remains unclear how many non-European providers will pursue SecNumCloud compliance given US and other non-EU ownership restrictions. The long-term market impact of the 24% ownership cap on global cloud vendor strategies is also still developing. Additionally, the exact legal and operational implications for providers with complex ownership structures are not fully understood, especially regarding how the cap interacts with multinational ownership arrangements.

Amazon

ownership cap verification software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for European Cloud Providers and Regulatory Developments

Providers seeking SecNumCloud certification will need to thoroughly review their ownership structures to meet the 24% limit. The coming months are likely to see increased efforts among European and non-European vendors to adjust ownership and control arrangements. Regulatory authorities may also refine or expand the framework, potentially extending sovereignty requirements to other sectors or regions. Monitoring how market players adapt will be key to understanding Europe’s evolving cloud sovereignty landscape.

Amazon

EU data control compliance products

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the significance of the 24% ownership cap in SecNumCloud?

The 24% ownership cap is a concrete, arithmetic measure designed to ensure legal sovereignty over data by limiting non-EU control. It is a key criterion for compliance and sovereignty in European cloud services.

How does SecNumCloud differ from other certifications like ISO 27001 or BSI C5?

While ISO 27001 and BSI C5 certify security practices, SecNumCloud explicitly addresses ownership control and legal jurisdiction. Its unique ownership cap directly measures control rather than just security quality.

Can non-European cloud providers achieve SecNumCloud compliance?

Achieving SecNumCloud compliance is challenging for non-European providers due to the ownership limit. They would need to restructure ownership or control arrangements to meet the 24% threshold.

Why is the ownership control focus important for data sovereignty?

Ownership control directly impacts who can exert legal influence over data. Limiting non-EU ownership helps prevent foreign governments or companies from accessing or controlling sensitive data, thereby strengthening legal sovereignty.

What happens if a provider exceeds the 24% ownership limit?

They would not qualify for SecNumCloud, and thus could not meet the strict sovereignty requirements for hosting sensitive public-sector or critical infrastructure data under French law and broader EU directives.

Source: ThorstenMeyerAI.com

You May Also Like

The Birthplace of AI

A site in Toronto has been officially recognized as the birthplace of artificial intelligence, marking a significant milestone in AI history.

Forward-Deployed: The Integration Wall, and the Role That Now Pays $700K to Climb It

Forward-Deployed Engineers now command up to $700K in total compensation, transforming enterprise AI deployment and surpassing traditional roles in tech.

New arXiv policy: 1-year ban for hallucinated references

arXiv introduces a new policy imposing a one-year ban for authors submitting papers with hallucinated or fabricated references, aiming to improve research integrity.

The Coding Singularity Is Real — and Steeper Than Clark Presented

New data confirms rapid AI coding progress, revealing a faster-than-expected trajectory toward recursive self-improvement in software development.