Decoding The 24% Rule: What It Means For AI Sovereignty Testing Standards

📊 Full opportunity report: Decoding The 24% Rule: What It Means For AI Sovereignty Testing Standards on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The 24% ownership rule is a key criterion in European AI sovereignty testing, determining control and legal jurisdiction. It influences how cloud providers qualify for sovereignty standards like SecNumCloud, impacting data governance and compliance.

European authorities have confirmed that the 24% ownership cap is the decisive measure for assessing legal sovereignty in AI and cloud service providers under the SecNumCloud framework. This rule directly impacts which companies can host sensitive data within the EU, reinforcing the legal control and jurisdiction criteria that are now central to sovereignty testing.

SecNumCloud, created by France’s ANSSI, incorporates a strict ownership threshold: companies with more than 24% ownership by non-EU entities cannot qualify. This arithmetic-based rule is unique among European standards, which typically focus on security controls. The ownership cap ensures EU legal sovereignty over data by limiting foreign control.

Currently, roughly nine or ten providers hold an active SecNumCloud qualification, including OVHcloud and Scaleway, with several more in progress. The rule is mandatory for hosting sensitive French public-sector data and is expected to influence broader EU policies on critical infrastructure and data sovereignty.

Meanwhile, other certification schemes like BSI C5 focus on control implementation but do not explicitly address sovereignty or ownership, highlighting a key distinction in the European framework landscape.

At a glance
reportWhen: developing as of mid-2026
The developmentEuropean cybersecurity authorities have clarified that the 24% ownership cap is central to sovereignty testing, affecting cloud providers’ eligibility for secure hosting of sensitive data.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

The Impact of the 24% Ownership Cap on Cloud Sovereignty

The 24% ownership rule fundamentally shifts how cloud providers approach sovereignty in Europe. It explicitly ties ownership control to legal jurisdiction, making it a practical, arithmetic measure rather than a policy or technical control. This ensures that providers hosting sensitive data within the EU are genuinely under EU legal authority, reducing risks associated with extraterritorial laws like the CLOUD Act.

For vendors, this means that achieving compliance involves not only technical security measures but also restructuring ownership and voting rights to stay below the threshold. It may limit the participation of foreign investors and influence corporate governance structures, potentially increasing operational complexity but strengthening legal sovereignty.

For European regulators and public sector entities, the rule provides a clear, measurable standard to prevent foreign control over critical data infrastructure, aligning with broader strategic goals for digital sovereignty and resilience.

NIS2 Practical Compliance for SMEs: A Practical Step-by-Step Guide to EU Cybersecurity Directive Compliance for Small Businesses

NIS2 Practical Compliance for SMEs: A Practical Step-by-Step Guide to EU Cybersecurity Directive Compliance for Small Businesses

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Testing Frameworks and Their Differentiators

The European landscape features multiple certification schemes: ISO 27001, SOC 2, BSI C5, and EUCS primarily certify security practices, not ownership or jurisdiction. SecNumCloud, in contrast, incorporates a legal sovereignty test via the 24% ownership rule, making it distinct in its focus on control and legal immunity.

Created by France’s ANSSI, SecNumCloud is a qualification rather than a certification, requiring compliance with specific legal and ownership criteria, including EU data residency and immunity from non-EU extraterritorial laws. The rule effectively limits foreign ownership to ensure EU sovereignty over data.

While providers like AWS’s European Sovereign Cloud hold security attestations like C5, they remain subject to US law, illustrating the difference between security controls and sovereignty measures. The 24% rule addresses this gap explicitly.

“SecNumCloud is designed to guarantee that providers hosting sensitive data are under EU jurisdiction, with ownership controls at its core.”

— ANSSI spokesperson

Generative AI for Developers: Integrating Open-Source LLMs into Your Applications: Build Private, Scalable, and Cost-Effective AI Solutions with Llama 3, Mistral, and RAG

Generative AI for Developers: Integrating Open-Source LLMs into Your Applications: Build Private, Scalable, and Cost-Effective AI Solutions with Llama 3, Mistral, and RAG

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About the 24% Ownership Rule’s Implementation

It is still unclear how strictly the ownership cap will be enforced across different providers and whether there will be exceptions or transitional arrangements. The impact of restructuring ownership to meet the threshold, especially for large or multinational companies, remains to be seen. Additionally, the precise legal implications for providers with foreign control structures are still under discussion within European regulatory circles.

Azure Data Fundamentals: A Guide to DP-900 Certification and Beyond

Azure Data Fundamentals: A Guide to DP-900 Certification and Beyond

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in European Sovereignty Certification Developments

As of mid-2026, more providers are expected to seek SecNumCloud qualification, with ongoing discussions about refining the ownership rules and extending sovereignty standards to other critical sectors. Regulators may clarify enforcement mechanisms and introduce guidance for companies restructuring ownership. The evolution of the 24% rule will likely influence broader EU policy on digital sovereignty, data control, and cross-border data flows.

[By Jocko Willink ] Extreme Ownership: How U.S. Navy SEALs Lead and Win (Hardcover)【2018】by Jocko Willink (Author) (Hardcover)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why is the 24% ownership rule important for AI sovereignty?

The rule directly links ownership control to legal jurisdiction, ensuring that data hosted within the EU remains under EU law, which is crucial for sovereignty and legal immunity.

How does the 24% cap differ from other security certifications?

Unlike certifications such as ISO 27001 or BSI C5, which focus on technical controls, the 24% rule is a quantitative ownership threshold that enforces legal sovereignty by limiting foreign control.

Which providers are currently meeting the 24% ownership criteria?

Providers like OVHcloud, Scaleway, and several others have obtained SecNumCloud qualification by restructuring ownership to stay below the 24% threshold, with more in progress.

Will the ownership rule affect foreign investment in European cloud providers?

Yes, the rule may restrict foreign ownership stakes, potentially limiting investment but strengthening EU control over critical data infrastructure.

What are the implications for companies with US-based parents?

They must restructure ownership or voting rights to comply with the 24% cap if they want to qualify for sovereignty standards like SecNumCloud, which could impact corporate governance and investment strategies.

Source: ThorstenMeyerAI.com

You May Also Like

AI output review queue for customer support macros

Support teams are testing a new AI macro review queue to ensure policy compliance and tone accuracy before publication.

The largest available Minecraft world, totalling 15 TB

A new Minecraft world has been created, totaling 15 terabytes, making it the largest available in the game. Details on its development and implications.

Is DoorDash down? Thousands report errors amid widespread outage; ‘something went wrong’ | Hindustan Times

Thousands of users report errors and service disruptions on DoorDash, marking a significant outage. Details are still emerging about the cause and scope.

We scaled PgBouncer to 4x throughput

PgBouncer has been scaled to deliver four times its previous throughput, enhancing database connection pooling performance significantly.