March 2020 - Multi Cloud | Data Sovereignty | Gaia-X

Enabling Innovation – What GAIA-X offers SMEs

Andreas Weiss, Director of EuroCloud Deutschland e.V. and Head of the Digital Business Models division at eco, outlines how the new European data infrastructure project will enable innovation and give SMEs access to state-of-the-art digital infrastructure.

dot: Cloud | Orientation for Business Decisions

© agsandrew |

GAIA-X offers businesses exciting opportunities to digitalize without needing significant in-house resources. The new European data infrastructure project aims to grow a sovereign and self-determined digital ecosystem in Europe. Even with skilled staff, promising business models, and great products, keeping up with the ever-developing requirements of digitalization and tapping into the potential offered by cloud services and artificial intelligence (AI) is difficult for small and medium-sized companies (SMEs). GAIA-X will enable innovation by giving a large community of users access to a state-of-the-art, secure, distributed, and sovereign European data infrastructure.

Meeting the demands of different markets and jurisdictions

GAIA-X will account for the varying requirements of different markets and jurisdictions. While large corporations have legal departments to track and ensure compliance with relevant laws and regulations, most SMEs cannot afford such resources and struggle to keep up with the latest compliance requirements and with the specific requirements in different markets. Not only will services offered through GAIA-X be transparent about their compliance with the European General Data Protection Regulation (GDPR) when it comes to the processing of personal data, they can also specify whether they meet compliance requirements not just for e.g. the Netherlands and the Czech Republic, but also at the level of the German federal states, e.g. Bavaria or Saxony. This level of granularity is not offered by most hyperscalers.

The GAIA-X ecosystem will be a managed environment of thousands of nodes across Europe and worldwide. GAIA-X can also have nodes in Brazil or China, or wherever is relevant for customers. Customers, then, can make that choice. They can mandate that the data must remain in Europe or in Spain or within a specific region in Spain. They can mandate that the node is open source or supports Kubernetes or a specialist type of processing or service provision. While, of course, the customer must decide themselves about the suitability of the services they book in the end, GAIA-X will make it much easier to view, compare, and assess the products and services on offer.

This is also highly relevant for the public sector and their drawn-out digital transformation journey. Accepting the need to make use of on-premise and private cloud IT as part of state sovereignty, it is clearly necessary to follow a hybrid approach. Here, GAIA-X can provide services with low to medium-level criticality through a public cloud offering. The mass of municipal services would suit to this model. Through harmonization of these services, costs will decrease dramatically and at the same time there will be a strong increase in quality.

Different levels of service for different needs

If a business wants to offer a service which is not only GDPR-compliant, but offers e.g. an information security management system which is ISO/IEC 27001-certified, then they need to be able to prove their compliance with such standards. It is a complex and resource-intensive process that not all SMEs can afford. The automotive sector and the financial sector, to name just two examples, have quite different and often very strict sector-specific regulations and requirements. Even trying to vet third-party providers and assessing whether their certifications and attestations are sufficient is a complex task. GAIA-X offers an easy solution with its modular provision of tailored services.

Companies can choose the level of service that suits their individual requirements. If, for example, a company needs a very high level of security to connect to and exchange data with e.g. a major car manufacturer, but only medium-level security and GDPR-compliance to connect with their PR agency, then they can book the services they require accordingly. GAIA-X will be a one-stop shop for company’s infrastructure needs, enabling companies, in the words of Harald A. Summa, CEO of DE-CIX, to build their own Internet.

Shared interfaces

One dilemma faced by many SMEs working with data is the need to access a data pool in a different data space. If you have your data pool in AWS, it is not easy to grant an Ali Baba or Azure user access to the data and then later to revoke that access. Right now, you probably to make a copy of the data, but then you lose control of this copy. The common API planned for GAIA-X can offer a solution to this issue. If you need to connect to various federated groups, then a standard GAIA-X connection model and a standard data sharing model will enable you to do so with full control over granting and revoking access to your data.

Help in choosing the right service; gold, silver or bronze

GAIA-X will offer SMEs a helping hand in dealing with the complexity of choosing a digital infrastructure, of vetting and choosing digital services. A label system like bronze, silver, and gold categories for different levels of services will also offer guidance to customers when they do their homework about the providers offering their services through the GAIA-X platform. If, for example, you only need to process industrial data and not any personal data, then GDPR-compliance is not relevant, so perhaps a bronze-level service is sufficient for your needs. If you need strict GDPR-compliance, then you can book the gold-level service.

In building GAIA-X, we are already fostering a common understanding of criteria on the provider-side, because at the end of the day, we are talking about security, about risk, about confidentiality, the protection of intellectual property. We need to understand what the goals are and then to motivate all the stakeholders of these various certification regimes to work towards common objectives. A similar process is underway with the European Cyber Security Act. ENISA (the European Union Agency for Cybersecurity) is in the lead in the discussion towards developing a common cybersecurity standard; instead of the 25+ different security standards that can be found in various countries or stakeholder groups within the EU.

Common standards

We need this approach to develop common standards for interoperability and data portability, then SMEs can focus on developing and offering innovative services instead of fighting their way through the jungle of attestations, certifications, and regulatory frameworks. SMEs are the backbone of the European economy, so any work to reduce the burden of administrative overheads, encourage the use of standards, and guarantee a reliable innovation backbone is worth considering.


Andreas Weiss is Head of Digital Business Models at eco - Association of the Internet Industry. He started with eco in 1998 with the Competence Group E-Commerce and Logistics, moving afterwards to E-Business. Since 2010, he has been leading the eco Cloud Initiative as Director of EuroCloud Deutschland_eco and is engaged in several projects and initiatives for the use of artificial intelligence, data privacy, GDPR conformity, and overall security and compliance of digital services.