GAIA-X is designed to reduce dependence on any single provider and the associated lock-in effects, to promote cloud and data services broadly across the European economy, and to create a digital ecosystem for innovation. However, all of these goals depend first and foremost on data sovereignty, one of the fundamental promises of GAIA-X.
Looking at the topic of data sovereignty with regard to GAIA-X, there are various levels of assessment that need to be taken into account:
- IT security with respect to European standards
- Reasonable transparency about service provisioning
- Data protection/privacy objectives in accordance with the GDPR
The GAIA-X Working Group for Accreditation and Certification is scoping the development of requirements and procedures for trustworthy service provisioning. To that end, applicable assessment standards such as certification, attestation, and quality seals are taken as points of reference. These types of accreditation, typically provided by third parties under appropriate governance, serve as evidence in the self-description of GAIA-X providers and their related nodes and services. The working group is composed of representatives of associations, providers, certification bodies and companies, research entities, and governmental agencies.
IT security with respect to European standards
In the domain of IT security, the European Union has taken an important step in creating the “Cybersecurity Act”. As officially stipulated in Regulation (EU) 2019/881 (Cybersecurity Act), the EU cybersecurity certification framework lays down the procedure for certification schemes, covering ICT products, services, and processes. Each scheme will specify the level of assurance on the basis of the level of risk associated with the envisioned use of the product, service, or process. These schemes are set to replace the corresponding existing national schemes (Art. 57(1) EU-CSA).
Due to the importance of cloud computing for the Digital Single Market and the competitiveness of the European economy, the Commission has issued the request to ENISA to prepare such a scheme for cloud services. In carrying out this task, ENISA is supported by an expert group, of which the Kompetenznetzwerk Trusted Cloud is a member.
GAIA-X will use the controls and assessment methods of the framework as a basis for the assurance of security of GAIA-X services and nodes. This is beneficial not only in creating a harmonized standard throughout Europe, but also from the viewpoint of cloud service providers, who can re-use audit results and thereby reduce the effort for demonstrating compliance to GAIA-X.
Data protection/privacy objectives in accordance with the GDPR
The regulatory basis for data protection is provided by the GDPR. In this regard, the criteria catalogue and the conformity assessment program of the AUDITOR project (www.auditor-cert.eu) lay the groundwork for GAIA-X data protection. In the AUDITOR project, a data protection certification in accordance with Art. 42 GDPR has been developed and is currently in the accreditation process with the competent national and European bodies. When this process is completed, it will form a very important component of the GAIA-X promise of adherence to European values and regulations.
Reasonable transparency about service provisioning
For the aspect of transparency, we can build upon the experiences gained in the context of the Trusted Cloud label. The foundation is formed by a catalogue of criteria covering not only IT security and data protection, but also transparency regarding the involved sub-processors and data centers, the geo-location of processing and administration, the contract conditions (according to applicable law), certificates, operative processes, interoperability, and architecture of the service and service levels.
The experience gained in the listing process for the Trusted Cloud label informs the design of the above-mentioned self-description, which aims to give users a transparent basis for choosing a GAIA-X service according to their desired quality of service.
The goal is to design an approach which assures a level of conformity that is in line with the GAIA-X principles, but also allows organizations with limited resources (SMEs, start-ups) to enter the GAIA-X ecosystem. This implies that a clear and unambiguous indication of the level of assurance has to be provided for each service, so that customers can make an informed decision as to which service and provider matches their individual preferences. The GAIA-X Working Group for Accreditation and Certification is bringing together these different strands to draft an approach that will work for a broad variety of future GAIA-X stakeholders.
Since January 2016, Thomas Niessen has held the position of Managing Director of the Trusted Cloud Competence Network (www.trusted-cloud.de) under the patronage of the German Ministry of Economics and Energy (BMWi). The Competence Network issues the Trusted Cloud Label based on criteria in the domains of IT security, privacy compliance, functionality/interoperability, operations, and contractual framework. Currently, Niessen is also involved in the German AUDITOR project for developing GDPR certification according to Art. 42 and is a member of the ENISA working group on cloud security certification under the EU Cybersecurity Act. Prior to his current position, he managed some of the largest German innovation programs (Internet of Services/Cloud) and was Vice President of a software company specializing in information retrieval/Big Data.
Andreas Weiss is Head of Digital Business Models at eco – Association of the Internet Industry. He started with eco in 1998 with the Competence Group E-Commerce and Logistics, moving afterwards to E-Business. Since 2010, he has been leading the eco Cloud Initiative as Director of EuroCloud Deutschland_eco and is engaged in several projects and initiatives for the use of artificial intelligence, data privacy, GDPR conformity, and overall security and compliance of digital services.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.