Why Most AI Cloud Certifications Don’t Truly Measure Sovereignty (According To The 24% Rule)

📊 Full opportunity report: Why Most AI Cloud Certifications Don’t Truly Measure Sovereignty (According To The 24% Rule) on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

Most cloud security certifications verify operational security but do not address legal sovereignty or control over data. France’s SecNumCloud introduces a unique ownership cap, emphasizing sovereignty. This distinction impacts how providers are evaluated for sensitive data hosting.

Most existing AI and cloud security certifications, such as ISO 27001 and SOC 2, do not assess whether a provider can be legally compelled to give foreign governments access to data. Instead, these certifications focus on operational security practices. France’s SecNumCloud, however, is the first framework that explicitly tests legal sovereignty through a quantifiable ownership cap, making it a critical development in the measurement of data control and sovereignty.

Current certifications like ISO 27001, SOC 2, and BSI C5 primarily verify a provider’s security practices — including access controls, encryption, and incident response. They do not, however, address legal jurisdiction or the ability of foreign governments to access data under laws like the US CLOUD Act or other extraterritorial regulations.

In contrast, France’s SecNumCloud certification, issued by the national cybersecurity agency ANSSI, introduces a unique ownership threshold: foreign ownership must not exceed 24%, or combined foreign ownership must stay below 39%. This arithmetic control directly tests the provider’s legal sovereignty, ensuring that data hosted within the EU remains under EU jurisdiction and immune from non-EU laws.

SecNumCloud is a qualification, not a typical ISO-style certification. It is issued after an audit by an authorized evaluator and is backed by the French government, making it a legally binding standard. As of mid-2026, only about a dozen providers, including OVHcloud and Scaleway, hold an active SecNumCloud qualification, which is mandatory for hosting sensitive French public-sector data.

At a glance
analysisWhen: ongoing, with recent developments in 20…
The developmentExperts argue that current AI cloud certifications fail to measure data sovereignty, with France’s SecNumCloud being a notable exception due to its ownership-based control test.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of Sovereignty Testing for Cloud Procurement

This development signifies a shift in how sovereignty is measured in cloud services. While traditional security certifications ensure operational security, they do not address legal jurisdiction or control. The introduction of ownership caps like SecNumCloud’s 24% foreign ownership rule offers a concrete way to assess and guarantee sovereignty, especially important for government and critical infrastructure data within Europe.

For organizations handling sensitive data, understanding whether a provider is subject to foreign laws is essential. Certifications that only verify security practices may give a false sense of sovereignty, while frameworks like SecNumCloud provide a more meaningful measure of control and legal immunity. This could influence procurement decisions and regulatory standards across Europe and beyond.

Amazon

AI cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Limitations of Traditional Cloud Security Certifications

Most widely adopted cloud security standards, including ISO 27001, SOC 2, and BSI C5, focus on operational controls such as encryption, incident management, and access control. They are designed to verify that providers follow best security practices, but do not incorporate legal jurisdiction or sovereignty considerations. This has been a longstanding gap, especially for governments and sectors with strict data sovereignty requirements.

France’s SecNumCloud, introduced in 2016 and now at version 3.2, fills this gap by adding legal sovereignty as a core criterion. It requires providers to be domiciled within the EU, store data locally, and, crucially, limit foreign ownership to a strict arithmetic threshold. This approach makes sovereignty measurable and enforceable, setting it apart from traditional certifications.

Meanwhile, US-based hyperscalers like AWS and Microsoft Azure can obtain security certificates but remain subject to US laws, such as the CLOUD Act, which complicates sovereignty claims. Some providers have created joint ventures or control structures to meet ownership thresholds, but these are workarounds rather than inherent features of their services.

“Certifications like ISO 27001 verify security practices but do not address jurisdictional control. SecNumCloud’s ownership cap introduces a tangible measure of sovereignty.”

— Thorsten Meyer, AI security expert

Amazon

data sovereignty compliance tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Uncertainties Around Sovereignty Certification Adoption

It remains unclear how widely SecNumCloud will be adopted outside France or how other European countries might develop similar sovereignty standards. The long-term impact on global cloud procurement practices is still evolving, and the effectiveness of ownership caps in preventing legal jurisdiction issues has yet to be fully tested in courts or real-world scenarios.

Additionally, the extent to which US-based providers will adapt their control structures to meet sovereignty requirements remains uncertain, especially given their existing legal obligations under US law.

Amazon

French SecNumCloud certified cloud providers

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Sovereignty Standard Development

Expect further adoption of sovereignty-focused frameworks like SecNumCloud across Europe, especially as regulators and governments emphasize data control. More providers are likely to seek qualification, and legal challenges or adaptations of control structures may emerge.

Additionally, other countries may develop similar standards, potentially leading to a patchwork of sovereignty criteria. Monitoring how these standards influence procurement policies and legal disputes will be key in the coming years.

Amazon

cloud security audit tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why do most cloud certifications not measure sovereignty?

Most certifications focus on operational security controls, such as encryption and incident response, rather than legal jurisdiction or ownership. They verify how well a provider manages security, not where or under which laws the data resides.

What makes France’s SecNumCloud different?

SecNumCloud includes a specific ownership cap: foreign ownership must not exceed 24%, or 39% combined. This arithmetic rule directly tests legal sovereignty, ensuring data hosted within the EU is under EU jurisdiction and immune from non-EU laws.

Can US providers meet sovereignty standards like SecNumCloud?

US providers can attempt to meet these standards by restructuring control, such as creating joint ventures or holding majority ownership within the EU. However, their compliance with US laws like the CLOUD Act remains a challenge to true sovereignty.

Will other countries develop similar sovereignty standards?

It is likely that other nations will develop their own frameworks, especially as data sovereignty becomes more prominent in regulation and procurement policies. The long-term global landscape remains uncertain.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

The bridge. Why the AI buildout runs on a nuclear story and a gas reality.

Analysis of the current energy infrastructure supporting AI expansion reveals a nuclear procurement rush contrasted by immediate reliance on natural gas generation.

Cybersecurity operations signal monitor: A backdoor in a LinkedIn job offer

Cybersecurity experts have identified a backdoor in a LinkedIn job posting, highlighting emerging threats and the need for targeted monitoring.

The mandate. Why the US conversational- finance surface does not translate to Europe.

The US launches permissionless finance surfaces, while Europe builds mandated, licensed systems. This impacts market structure and access.

Federal Agencies And State Gaming Regulators To Participate In The 2026 Annual BSA/AML Gaming Conference

Federal agencies and state gaming regulators will participate in the 2026 BSA/AML Gaming Conference, emphasizing coordinated efforts against financial crimes.