6. Gaia-X Trust Anchors¶
Gaia-X Trust Anchors are bodies, parties, i.e., Conformity Assessment Bodies or technical means accredited by the bodies of the Gaia-X Association to be parties eligible to issue attestations about specific claims.
For each accredited Trust Anchor, a specific scope of attestation is defined.
The Trust Anchors are not necessarily Root Certificate Authorities as commonly understood, but they can be relative to different properties in a claim.
6.1 Overall decision flowchart¶
The decision flowchart below is used to determine what type of Trust Anchor must be defined for a given criteria objective.
6.2 Trust Anchors¶
6.2.1 Signee’s role¶
In the Gaia-X Ontology, for specific attributes which are linked or dependent from each other, a criteria can mandate that an attribute must be signed by the same issuer - or signee - of another attribute.
For example, in the Gaia-X Trust Framework 22.10, it is mandatory for the information whether or not a Data Product contains PII that the attribute dataProduct.containsPII is signed by the Producer of this Data Product dataProduct.produceBy.
6.2.2 Trust Service Provider¶
By default, for the claims to be legally relevant, all claims must be signed with one or more cryptographic material which can be traced back to a Trust Anchor, which is in most case a Trust Service Provider (TSP).
The Trust Service Providers (TSP) accredited by Gaia-X must be entities issuing cryptographic material based on documented Know Your Business/Know Your Customer (KYB/KYC) processes. Those processes must verify the identity of the party requesting the digital certificate associated to the cryptographic material, such as, and not limited to:
- Business registration or license verification
- Physical address verification
- Phone number verification
The non-exclusive list of accepted Trust Service Providers belong to these categories: - EEA 🇪🇺, Iceland 🇮🇸, Liechtenstein 🇱🇮, Norway 🇳🇴: eIDAS Regulation (EU) No 910/2014. (Homepage, Trusted Data Source) - India 🇮🇳: eMuhdra (Homepage, Trusted Data Source) - South Korea 🇰🇷: KTNET (Homepage) - United Arab Emirates (UAE) 🇦🇪: PASS (Homepage)
To have a global reach, and only if there is no alternative specified in the Gaia-X Registry for the country of the business registration, Gaia-X allows the use of Extended Validation (EV) Secure Sockets Layer (SSL) certificate to sign attributes. (Homepage, Trusted Data Source)
The accepted TSP categories are determined within the Gaia-X Compliance document, while the detailed list of valid TSP belonging to these categories resides in the Gaia-X Registry.
6.3 Trusted Data Sources and Notaries¶
When an accredited Trust Anchor is not capable of issuing cryptographic material nor signing claim directly, the Gaia-X Association accredits one or more Notaries which convert “not machine readable” proofs into “machine readable” proofs. A Gaia-X Notary must be a Gaia-X participant capable of translating an unsigned evidence to a signed machine readable evidence. For signing, the Gaia-X Notary must use a cryptographic material issued by a Trust Anchor.
Notaries perform validations and issue attestations based on objective evidences from Trusted Data sources. The Verifiable Credentials issued by the Notaries contain the evidences of the validation process.
The following Trusted Data Sources have been accredited by Gaia-X and are currently used by the Gaia-X Notary Service to validate and issue attestations on the Participant’s Legal Registration Number:
EORI: the European Commission API.leiCode: the Global Legal Entity Identifier (GLEIF) APIlocal: the OpenCorporate API- the returned claim will also contain information about
headquarterAddress.countryCode
- the returned claim will also contain information about
vatID: for the European member states or North Ireland, the VAT Information Exchange System (VIES) API- the returned claim will also contain information about
headquarterAddress.countryCode
- the returned claim will also contain information about
The accepted Trusted Data Source categories and Notaries are determined within the Gaia-X Compliance document, while the detailed list of valid Trusted Data Sources and Notaries resides in the Gaia-X Registry.
6.4 CAB, “Equivalence CAB”, “Gap CAB“¶
All CABs which are accredited to attestate conformity against a permissable standard by the respective oganizations body are accepted by Gaia-X.
An “Equivalence CAB” is an identified entity approved by Gaia-X to verify that one or more issued certifications cover the entirety of a given criteria scope.
A “Gap CAB” is an identified entity approved by Gaia-X to issue a certification for a scope identified as not covered by an “Equivalence CAB”.
The full list of valid CAB, “Equivalence CAB”, “Gap CAB” is kept up-to-date and made available via the Gaia-X Registry.
| Scenario | The certification covers, at least, the entirety of the criterion’s scope. | Overlap of the various certification’s scope to be assessed by an equivalence CAB. | The certification(s) don’t cover the entirety of the criterion’s scope, requiring the gap to be assessed separately. |
|---|---|---|---|
| Trust Anchors type | List of CAB per certification scheme. | List of Gaia-X equivalence CAB | List of Gaia-X gap CAB |
| ## How to use CAB certifications ? |
CAB certifications issued by a CAB listed in the GAIA X Registry can be used to validate all criterions fully compliant covered by CAB certificate’s perimeter as described in this document.
6.5 GAP CAB Approval Process¶
The following defines the approval process for GAP CABs (if the CABs are supposed to issue verifiable credentials for Gaia-X Criteria not fully covered by Permissible Standards) to be approved for the verification and final decision. These criteria and proofs will ensure the required competence, a common understanding of the relevant documents, requirements, and procedures for the Gaia-X Labelling.
If Gaia-X criterion are all covered by several international Permissible Standards, this process may not be needed anymore and removed from this document.
6.5.1 Key GAIA-X commitments for the Approval process¶
Transparency
All processes and approval criteria are publicly disclosed (e.g. on the Gaia-X website), ensuring a transparent and fair approval process which creates reliable trustfullness.
Impartiality
The PRC ensures impartiality for the approval process in line with ISO/IEC 17011 principles.
Competence and experience
The PRC assures that an assessment of competence and experience is performed on Gap CAB applicant in order to demonstrate the required expertise in the domains of Gaia-X criteria and on other permissible standards in line with ISO/IEC 17011 principles.
Quality Assurance
The PRC assures an ongoing quality assurance mechanism, including periodic surveillance assessment and reviews of CABs’ continuous improvement plans.
6.5.2 Application¶
Entities, interested in becoming an approved/listed CAB for Gaia-X Labelling, submit an application form to Gaia-X AISBL including documented proofs of applicable criteria (e.g. qualification, experience, and impartiality).
Along with the application, a checklist that correlates with the criteria for CABs should be provided to aid in documenting the review.
6.5.3 Initial Evaluation¶
The PRC reviews the application for completeness and preliminary adherence to the criteria. Areas, where the applicant does not fully meet the criteria, are identified.
6.5.4 Assessment¶
If the criteria are only partial met, additional physical or virtual assessments might be necessary on behalf or by the PRC to validate the information provided and to ascertain the CAB’s adherence to criteria.
6.5.5 PRC Approval/Rejection¶
The final approval is based on the evaluation of the submitted documents and if conducted, the report about the physical or virtual assessments.
After positive evaluation, the CAB will get an Approval Certificate (Statement of Approval) by Gaia-X AISBL and be listed on the Gaia-X Registry.
In case of negative evaluation, the CAB will get a written notification detailing the reasons for refusal to approve and list them. This will include specific references to the applicable criteria for approval.
6.5.6 Criteria for the approval of CABs¶
This section defines the criteria that CABs shall fulfil to carry out the conformity assessments for verifiable credentials. These criteria and respective proofs will ensure the required competence for all conformity assessments related to the Gaia-X criteria which are relevant for the Gaia-X Labels.
-
If a CAB is not yet approved/accredited by the responsible Approval Body for a Permissible Standard, the CAB shall proof adherence to the Gaia-X Criteria as outlined in section “Criteria of approval for CAB that are not yet approved/accredited by an Approval Body for a Permissible Standard” below.
-
(Most probably) If a CAB is already active as a CAB for one or more of the Permissible Standards listed in this document and thus is approved/accredited by the responsible Approval Body to issue the corresponding verifiable credential, additional proofs are required with respect to technical competence of the personnel, due to the various domains of the Gaia-X Criteria not covered by each of the Permissible Standards. Which specific proofs are required per Permissible Standard is outlined in section “Proofs of suitability for approval as CAB to remediate gaps” below.
6.5.6.1 Criteria of approval for CAB that are not yet approved/accredited by an Approval Body for a Permissible Standard¶
6.5.6.1.1 Organisational structure and governance¶
Legal status
Criteria: Shall be a legally recognized entity capable of entering into contracts and assuming liability. Proof: Current extract from the commercial register
Impartiality and independence
Criteria: Policies should be in place to prevent commercial, financial, or other pressures from compromising impartiality.
Proof: Internal impartiality policy, organizational chart, documented procedures for dealing with conflicts of interest or accreditation certificate issued by a recognized accreditation body listed as a member of the International Accreditation Forum (IAF) or verification of respective statements in the audit firms’ Transparency Report issued in accordance with the requirement set forth in European statutory audit regulations (Article 13 of Regulation (EU) 537/2014) or an equivalent approval.
6.5.6.1.2 Competence and personnel¶
Technical competence
Criteria: Shall have personnel with expertise in the domains of the Gaia-X Criteria.
Proof: Records about existing approvals for Permissible Standards or appropriate evidence to proof the competence with respect to the domains of the Gaia-X Criteria.
Training
Criteria: Should have a continuous professional development programme in place.
Proof: Training plans, attendance records, training content.
Participation in Gaia-X meetings for experience exchange and training
Criteria: Shall participate in annual Gaia-X meetings for experience exchange and training to ensure a common understanding of all rules and procedures within Gaia-X Labelling and a fair competition between the Equivalence CABs.
Proof: Training plans, attendance records, training content.
6.5.6.1.3 Assessment process management¶
Process documentation
Criteria: Shall have comprehensive and up-to-date documentation for all assessment activities and follow the publication and updates by Gaia-X.
Proof: Process documentation, SOPs (Standard Operating Procedures).
Confidentiality
Criteria: Measures should be in place to protect confidential information.
Proof: Privacy policies, NDAs with employees and subcontractors.
Transparency
Criteria: Processes, criteria and results should be publicly available unless restricted by law or confidentiality.
Proof: Published procedures, public records of statements of conformity issued.
6.5.6.1.4 Quality assurance and continuous improvement¶
Internal audits
Criteria: Should conduct regular internal audits to assess compliance with processes and standards.
Proof: Internal audit reports, corrective action plans.
Management reviews
Criteria: Should periodically review the effectiveness of the quality management system.
Proof: Minutes of management review meetings, action items and follow-up reports.
6.5.6.1.5 Subcontracting and outsourcing¶
Responsibility
Criteria: Remains responsible for all outsourced activities and shall ensure that subcontractors for labeling issuing activities meet the same quality criteria.
Proof: Subcontractor agreements, quality control checks on subcontractor output.
Quality Control
Criteria: Shall have a monitoring system to assess the performance of subcontractors.
Proof: Monitoring reports, subcontractor performance metrics.
6.5.6.1.6 Records and documentation¶
Data management
Criteria: Shall securely manage all records and documentation related to labelling activities.
Proof: Data management policies, data security protocols.
Retention policy
Criteria: Shall have a documented retention policy in accordance with relevant laws and regulations.
Proof: Document retention policies, compliance audits.
6.5.6.1.7 Monitoring and control¶
Periodic reviews
Criteria: Shall conduct periodic surveillance reviews to ensure that Gaia-X Service Offerings, for which Gaia-X Statements of Conformity were issued, continue to meet Gaia-X criteria.
Proof: Surveillance review reports, re-assessment records.
Corrective actions
Criteria: Shall have processes to address non-compliance, ranging from corrective action plans to withdrawal of Gaia-X Statements of Conformity.
Proof: Corrective action plans, records of enforcement actions.
6.5.6.1.8 Appeals and complaints¶
Appeals procedures
Criteria: Shall provide a mechanism for organizations to appeal Gaia-X Labelling/registration decisions.
Proof: Documented appeals process, records of appeals handled.
Complaints handling
Criteria: Shall have a process for receiving and resolving complaints about its labelling activities.
Proof: Documented complaints procedure, log of complaints received, and action taken.
6.5.6.2 Proofs of suitability for approval as CAB to remediate gaps¶
CISPE.cloud
No additional proof required.
EU Cloud Code of Conduct
No additional proof required.
BSI C5
- Latest Transparency Report issued in accordance with the requirement set forth in European statutory audit regulations (Article 13 of Regulation (EU) 537/2014) does not indicate material deficiencies with respect to the criteria in section “Criteria for the approval of CABs”.
- Entity has performed at least 2 conformity assessments for Cloud Service Providers in accordance with the programme within 12 months prior to the application (see section “Application”) and can state respective references.
TISAX
Entity has performed at least 2 conformity assessments for Cloud Service Providers in accordance with the programme within 12 months prior to the application (see section “Application”) and can state respective references.
AICPA
- Latest Transparency Report issued in accordance with the requirement set forth in European statutory audit regulations (Article 13 of Regulation (EU) 537/2014) does not indicate material deficiencies with respect to the criteria in section “Criteria for the approval of CABs”.
- Entity has performed at least 2 conformity assessments for Cloud Service Providers in accordance with the programme within 12 months prior to the application (see section “Application”) and can state respective references.
ISO/IEC 27001
- Entity has performed at least 2 conformity assessments for Cloud Service Providers in accordance with the programme within 12 months prior to the application (see section “Application”) and can state respective references.
- Entity has appropriate knowledge and experience of GDPR
CCM v4
No additional proof required.
6.5.6.3 Additional proofs for the criteria on competence and personnel for CABs to remediate gaps¶
CISPE.cloud
No additional proof required.
EU Cloud Code of Conduct
No additional proof required.
BSI C5
Records for a minimum of 24h of structured training on GDPR requirements for personnel assigned to engagements to issue verifiable credentials with respect to the Gaia-X Criteria in the domain Data Protection.
TISAX
Records for a minimum of 24h of structured training on GDPR requirements for personnel assigned to engagements to issue verifiable credentials with respect to the Gaia-X Criteria in the domain Data Protection.
AICPA
If conformity assessments comprised the “Privacy” category of the Trust Services Criteria: no additional proof required. Otherwise: Records for a minimum of 24h of structured training on GDPR requirements for personnel assigned to engagements to issue verifiable credentials with respect to the Gaia-X Criteria in the domain Data Protection.
ISO/IEC 27001
Records for a minimum of 24h of structured training on GDPR requirements for personnel assigned to engagements to issue verifiable credentials with respect to the Gaia-X Criteria in the domain Data Protection.
CCM v4
Records for a minimum of 24h of structured training on GDPR requirements for personnel assigned to engagements to issue verifiable credentials with respect to the Gaia-X Criteria in the domain Data Protection.