4. Overarching Rules
4.1 Overarching Conformity Assessment Rules
- For Compliance Criteria/Label Levels requiring ‘Certification’, a Provider shall ensure that the Service Offerings demonstrate compliance criterion per criterion with recognized standards by providing verifiable evidence of adherence to:
  - Permissible Standards formally recognized by Gaia-X under its standard recognition procedure. These shall include:
    - (i) Standards published by internationally recognized standardization bodies (e.g., ISO, CEN/CENELEC, ETSI) or national standards officially issued by EU Member States;
      or
    - (ii) De facto standards or codes of conduct that are formally recognized by Gaia-X under its standard recognition procedure.

    or
  - A valid attestation of conformity, demonstrably covering the applicable criteria requirements, issued by an accredited Conformity Assessment Body (CAB) or gap CAB, where the CAB is authorized to certify against one of the Permissible Standards recognized in the above option (i) or (ii), through an established accreditation process.

    or, if less than two Permissible Standards are listed for a Compliance Criterion
  - The assessment procedure described within the Compliance Document for ‘Declaration’ covering the required claims and evidences for technical validation by the Gaia-X Compliance Service.

    Note: Once two or more Permissible Standards exist for a Compliance Criterion, and such Permissible Standards have been formally recognized by Gaia-X, the third-party attestation for Label Levels requiring ‘Certification’ becomes mandatory again.
- A certificate of a standardisation body formally recognized in the Gaia-X Compliance Document enables ‘Certification’ for all Gaia-X Compliance Criteria where this Permissible Standard is listed, regardless of whether ‘Declaration’ or ‘Certification’ is required for these Gaia-X Compliance Criteria.
- If a Gaia-X Participant holds a valid certificate of a standardisation body formally recognized by Gaia-X that is no longer available/active (e.g.: the standardisation body was dissolved or the standard ceased), this certificate may be used to prove certification according to this standard until the expiry date of this certificate.
  With the next release of the Gaia-X Compliance Document following the latest expiry date possible for such a certificate issued by the ceased standard, the standard that has ceased will be delisted as Permissible Standard from the Gaia-X Compliance Document.
4.2 Inheritance mechanism
Since Gaia-X service offerings can be made from composable services on top of other services, it is important to also address how compliance is handled in such compositions (see the section about “services and service composition” in the Architecture Document and the section about “composability and modularity” in the Compliance Document).
The Gaia-X Service Offering Compliance process is a way to prove and validate that the underlying accountable service provider meets the minimal interoperability, transparency, and identity standards of the Gaia-X ecosystem. This process is considered the initial step in achieving Gaia-X Compliance for providers and their services, and requires fulfillment of the minimal mandatory Gaia-X criteria, in the format described in the Gaia-X Standard Conformity assessment scheme.
A Gaia-X Cloud Service Offering is a specific subset of a Service Offering, as defined in the Gaia-X Compliance Criteria for Cloud Services. Both Gaia-X Service Offerings and Gaia-X Cloud Service Offerings are composable and can inherit attributes and compliant status from the Gaia-X Compliance Criteria for Cloud Services, as both types of service offering can be based on or dependent on various services.
Fig: Service offering inheritance schema
A Gaia-X Service Offering is only eligible for Gaia-X Standard Compliance, unless the necessary Label Level requirements of Cloud Services have been inherited through the declaration of the cloud services and the required Gaia-X Credentials for these services (hosted on, depends on). It is optional for a generic service provider to do this for Standard Compliance, but mandatory if Label Level 1, 2, or 3 is to be achieved. To achieve Gaia-X Standard Compliance, each service listed as a dependency must also meet the criteria for Gaia-X Standard Compliance.
A Gaia-X Service Offering always “falls back” to the minimum level of Gaia-X Compliance of any of its dependencies to indicate the “weakest link” in the service composition.
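The fallback rule above, worked through on a small composition. This is an added example, not code from Gaia-X or the Compliance Service. The level ordering, the offering names, the data model, and the handling of undeclared dependencies and cycles are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    """Assumed ordering, lowest to highest."""
    NONE = 0       # not compliant
    STANDARD = 1   # Gaia-X Standard Compliance
    LABEL_1 = 2
    LABEL_2 = 3
    LABEL_3 = 4

# Constructed sample composition (hypothetical names):
# name -> (is_cloud_service, level assessed for the offering itself, dependencies)
OFFERINGS = {
    "iaas-a":    (True,  Level.LABEL_3, []),
    "iaas-b":    (True,  Level.LABEL_1, []),
    "db-paas":   (True,  Level.LABEL_2, ["iaas-a"]),
    "analytics": (False, Level.LABEL_3, ["db-paas", "iaas-b"]),
    "portal":    (False, Level.LABEL_2, []),   # declares no cloud services
    "legacy":    (True,  Level.NONE, []),
    "reseller":  (False, Level.LABEL_1, ["legacy"]),
}

def effective_level(name, offerings, _stack=()):
    """Return (level, limiting offering): the weakest link in the composition."""
    if name in _stack:
        # Assumption: a cyclic declaration cannot be evaluated and is rejected.
        raise ValueError("dependency cycle: " + " -> ".join(_stack + (name,)))
    if name not in offerings:
        # Assumption: a dependency with no declaration contributes no level.
        return Level.NONE, name
    is_cloud, own, deps = offerings[name]
    level, limiter = own, name
    if not is_cloud and not deps:
        # A generic offering that declares no cloud services has nothing to
        # inherit a Label Level from, so it is capped at Standard Compliance.
        level = min(level, Level.STANDARD)
    for dep in deps:
        dep_level, dep_limiter = effective_level(dep, offerings, _stack + (name,))
        if dep_level < level:
            level, limiter = dep_level, dep_limiter
    return level, limiter

if __name__ == "__main__":
    for name in OFFERINGS:
        level, limiter = effective_level(name, OFFERINGS)
        print(f"{name:10} {level.name:9} limited by {limiter}")
```

Returning the limiting offering alongside the level shows which dependency has to be upgraded or replaced before the composed offering can reach a higher level.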
4.2.1 Gaia-X Service Offering
This is the generic format for all Gaia-X Service Offerings.
4.2.2 Gaia-X Compliance Criteria for Gaia-X Service Offering
A Gaia-X Service Offering is a generic service offering available for order, as described in the Gaia-X Ontology, offered by a Gaia-X Participant, which fulfills the conformity criteria that will be defined in this document and will be described and verified through the Gaia-X Compliance Engine.