3. Introduction and scope
Compliance with the objectives of the policy rules can be achieved through compliance with established standards, certifications, and codes of conduct. The addition and maintenance of these standards will be defined in this document. Where no such tools are available or approved for demonstrating compliance, specific methodologies can be further developed and agreed upon within Gaia-X for inclusion in the attestation of Service Offerings.
For these high-level objectives, especially the ones related to cybersecurity, we follow, when it is possible, the current discussions on the European cybersecurity certification scheme for cloud services (the EU Cloud Services Scheme or EUCS). We may also add or subtract some high-level objectives. When the EUCS is finalised, Gaia-X may consider adapting the objectives in this document.
Please note that, in general, full adherence to applicable local legislation (e.g., in areas such as data protection and security) is a prerequisite and thus not waived or affected by the following policies and rules.
It is worth pointing out that participation within Gaia-X by providing Gaia-X conformant services shall not prevent any Provider from also providing non-Gaia-X Service Offerings outside the Gaia-X Ecosystem.
This document is a work in progress, i.e. it will be further worked on to evolve towards a fully clear and complete specification of the policies, rules and labels. At this stage, it can be clarified that:
- Some of the rules are high-level objectives and still need to be more detailed and specified to be implementable and assessable. The Policy Rules Committee of Gaia-X with its three working groups will continue to work on this in further versions.
- Redundancies are acknowledged. They shall be resolved to the extent possible in future iterations. Some redundancies that cannot be resolved are a result of externalities, such as underlying standards, schemes, and laws.
- Some of the label criteria can be further detailed with the relevant standards. There will be a process to identify additional standards and to manage the lifecycle of already listed standards, which will follow good practices, using objective criteria. This shall ensure both the quality of accepted standards and neutral and fair access to the users of the Labelling Framework.
Gaia-X will update this document on a regular basis.
Following the publication of the Policy Rules Conformity Document (PRCD), the previous deliverables of the Policy Rules Committee (Gaia-X Policy Rules and Labelling Document, Gaia-X Trust Framework) are obsolete.
3.2 Design Principles for Labels
The Gaia-X Labelling Framework is designed using a set of core principles, starting from the high-level objectives which are refined by the labelling criteria.
3.2.1 Consistency among the Gaia-X Ecosystem
Gaia-X Labels reflect the essence of our objectives and concepts. They represent the results of decisions and deliverables introduced by the various Gaia-X Committees and approved by the Gaia-X Board of Directors. The labelling criteria are always in line with the corresponding concepts and specifications as defined by Gaia-X.
3.2.2 Scalability and extensibility
Based on the three basic labels further Gaia-X Labels can be created to fit new needs, in particular using extension profiles for country and domain-specific requirements. Extension profiles can also leverage the labelling criteria by adding and defining on-top requirements for particular purposes. To ensure the impact and consistency of Gaia-X Labels, new labels and extensions have to be authorized by the Gaia-X Board of Directors.
3.2.3 Composability and modularity
Gaia-X Labels are logical groupings of composable service attributes. In particular, this results in the assignment of a common set of policies, technical requirements and data space criteria to one or more of the three levels. At the same time, Gaia-X Labels are based upon existing schemes, certifications, and tested and approved codes of conduct where possible, to allow the reuse of established standards and thereby simplify the process. Only in areas where no standard has been identified will Gaia-X introduce its own set of attributes and processes to verify the information given.
3.2.4 Standards, self-assessment and Conformity Assessment Bodies (CAB)
Gaia-X Labels do not normatively reference external documents which are not yet approved (for example the current proposal of the Data Act or the EUCS). Whenever such external documents are approved, Gaia-X may consider adapting its labels in accordance with them.
Conformity with label criteria can be declared by self-assessment (declaration) or supported by external Conformity Assessment Bodies (CAB) (certification) as defined later in this document.
Gaia-X Service Offerings are defined by Provider-generated attestations which include claims of adherence to the Labelling Criteria. The proof of validation of a claim will be technically realized through Verifiable Credentials. The Verifiable Credential can either be issued by a Provider or a CAB directly or it can be created by a trusted Verifiable Credential issuer based on existing documentation (like a signed PDF or paper document).
The Verifiable Credential includes the entity asserting the validity of the claim; the list of trusted Verifiable Credentials issuers is maintained in the Gaia-X Registry.
Users at any time can query the attestation of the Service Offering and for each claim extract the entity and the result of the assessment.
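The following is an added example, not Gaia-X code, of the user-side query just described: it walks a Service Offering attestation, resolves for each claim which entity asserts it (the Provider itself, a CAB, or an issuer listed in the registry), rejects claims from issuers absent from the registry, and reports which criteria of a hypothetical label are not yet backed by a conformant claim of sufficient assurance (self-assessment versus CAB certification, as distinguished in 3.2.4). The DIDs, registry contents, credential layout and criterion identifiers are all constructed for the example and are not the Gaia-X schema or the real Gaia-X Registry; cryptographic verification of each credential's proof is assumed to have happened before this step and is not implemented here.

```python
"""Verifier-side handling of a Service Offering attestation (added example, not Gaia-X code).

Models the PRCD text: claims of adherence to labelling criteria are carried as
Verifiable Credentials issued by the Provider (self-assessment), a CAB, or a
trusted VC issuer listed in the Gaia-X Registry; a user extracts, per claim,
the asserting entity and the assessment result.  All identifiers, the registry
stand-in and the credential layout are CONSTRUCTED for illustration.
Proof (signature) verification is assumed to have been done already.
"""
from dataclasses import dataclass

# Constructed stand-in for the trusted-issuer list maintained in the Gaia-X Registry.
TRUSTED_ISSUERS = {
    "did:example:cab-alpha": "CAB",
    "did:example:vc-issuer-bravo": "trusted VC issuer",
}

# Assurance each issuer role can support: a declaration (self-assessment or a
# re-issued document) versus a certification performed by a CAB.
ROLE_ASSURANCE = {"Provider": "declaration", "trusted VC issuer": "declaration", "CAB": "certification"}
ASSURANCE_RANK = {"declaration": 1, "certification": 2}
RANK_NAME = {1: "declaration", 2: "certification"}

# Constructed attestation: a self-assessed credential, a CAB credential, and one
# credential from an issuer that is not in the registry.
SAMPLE_ATTESTATION = {
    "provider": "did:example:provider-acme",
    "serviceOffering": "did:example:svc-object-storage",
    "credentials": [
        {"issuer": "did:example:provider-acme",
         "claims": [{"criterion": "crit-1", "conformant": True},
                    {"criterion": "crit-2", "conformant": True}]},
        {"issuer": "did:example:cab-alpha",
         "claims": [{"criterion": "crit-2", "conformant": True},
                    {"criterion": "crit-3", "conformant": False}]},
        {"issuer": "did:example:rogue-issuer",
         "claims": [{"criterion": "crit-3", "conformant": True}]},
    ],
}

# Hypothetical label: criterion id -> minimum assurance required.
REQUIRED_EXAMPLE = {"crit-1": "declaration", "crit-2": "certification", "crit-3": "certification"}


@dataclass(frozen=True)
class ClaimResult:
    criterion: str
    asserted_by: str   # entity asserting the validity of the claim
    role: str          # "Provider", "CAB", "trusted VC issuer" or "untrusted"
    result: str        # "conformant", "non-conformant" or "rejected"


def issuer_role(issuer: str, provider: str) -> str:
    """Resolve who asserts a claim: the Provider itself, a registry-listed issuer, or nobody trusted."""
    if issuer == provider:
        return "Provider"
    return TRUSTED_ISSUERS.get(issuer, "untrusted")


def extract_claims(attestation: dict) -> list[ClaimResult]:
    """Flatten every claim with its asserting entity and assessment result (the user-side query)."""
    provider = attestation["provider"]
    results = []
    for vc in attestation["credentials"]:
        role = issuer_role(vc["issuer"], provider)
        for claim in vc["claims"]:
            if role == "untrusted":
                result = "rejected"  # issuer not in the registry: the claim carries no weight
            else:
                result = "conformant" if claim["conformant"] else "non-conformant"
            results.append(ClaimResult(claim["criterion"], vc["issuer"], role, result))
    return results


def unmet_criteria(attestation: dict, required: dict[str, str]) -> dict[str, str]:
    """Return the required criteria not covered by a conformant, trusted claim of sufficient assurance."""
    best: dict[str, int] = {}  # criterion -> highest assurance rank among usable claims
    for cr in extract_claims(attestation):
        if cr.result != "conformant":
            continue
        rank = ASSURANCE_RANK[ROLE_ASSURANCE[cr.role]]
        best[cr.criterion] = max(best.get(cr.criterion, 0), rank)
    unmet = {}
    for criterion, need in required.items():
        have = best.get(criterion, 0)
        if have == 0:
            unmet[criterion] = "no conformant claim from a trusted issuer"
        elif have < ASSURANCE_RANK[need]:
            unmet[criterion] = f"requires {need}, only {RANK_NAME[have]} present"
    return unmet


if __name__ == "__main__":
    for cr in extract_claims(SAMPLE_ATTESTATION):
        print(f"{cr.criterion}: {cr.result:<15} asserted by {cr.asserted_by} ({cr.role})")
    print("unmet:", unmet_criteria(SAMPLE_ATTESTATION, REQUIRED_EXAMPLE))
```

In the constructed input, crit-2 is covered twice (by the Provider and by the CAB) and the higher assurance wins; crit-3 is left unmet because the CAB found it non-conformant and the only conformant claim comes from an issuer the registry does not list. Keeping the registry lookup separate from the assurance ranking means a change to who is trusted does not touch the label logic.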
Conformity Assessment Bodies (CAB): Gaia-X reserves the right to choose its own CAB for its own three basic labels. A new detailed document will be issued on the process of choosing the relevant CAB. Where the Labelling Framework lacks reference to established standards, Gaia-X will define a dedicated Assessment Process, including a process to appoint adequate CABs. Both processes will follow internationally recognized good practices, including impartiality, comparability, reliability and accessibility.
3.2.5 Mapping and Referencing of existing standards
It is intended that this document will provide for each criterion a detailed mapping and references to existing standards and certification schemes. This mapping and referencing shall be as detailed as possible, meaning that, instead of a generic identification of a standard, the relevant sections in such standards shall be identified.
Point Of Reference Standard (PORS): This document may provide so-called “Point of Reference Standards”, short “PORS”. PORS shall provide a first impression of existing documents, i.e., standards, conformity assessment programmes, authorities’ guidelines, procurement guidelines, etc. Indicated PORS are neither a guarantee that Gaia-X criteria are fully met, nor an indication that compliance with or implementation of such PORS will be required to meet a Gaia-X criterion. They are rather a point of reference to support identifying related processes. Note: PORS will be added with minimal review. Even a minor relation may suffice to add a standard as a PORS. It is expected that such standards will be reviewed in future iterations to upgrade such references to a more sophisticated type of reference. Likewise, a further review may result in deletion of the reference if the relation is considered too weak.
Example Standard: This document may provide so-called “Example Standards”. Example Standards shall identify potential means of implementation. Gaia-X strives to refer to existing standards and controls to the extent possible; re-drafting shall be avoided. Nonetheless, Gaia-X and referenced standards may have a different focus and high-level objective. Example Standards shall illustrate possible ways in which criteria may be implemented. Implementation as provided by such standards is not mandatory, nor is it required to comply with any such standards. Gaia-X will provide additional notes if significant differences are identified. Example Standards shall especially help in evaluating conformity with Gaia-X, as Example Standards can be considered “implementation guidance”. Note: Example Standards will be added only after a thorough assessment by the Gaia-X Working Groups maintaining this document. Such assessment shall follow a transparent process. No Example Standards shall be listed before such a process is defined and applied in the determination. The process shall foresee that owners of third-party standards may reach out to Gaia-X and suggest being listed.
Permissible Standard: This document may provide so-called “Permissible Standards”. Permissible Standards shall identify standards, or requirements/controls within such standards, whose implementation shall be considered prima facie evidence of conformity with the related Gaia-X criterion. Note: Permissible Standards can only be added following a thorough assessment by the Gaia-X Working Groups maintaining this document. Such assessment shall follow a transparent process. No Permissible Standards shall be listed before such a process is defined and applied in the determination. The process shall foresee that owners of third-party standards may reach out to Gaia-X and suggest being listed. The process shall cover both the material requirements and the overarching conformity assessment programme, i.e., the means by which such a Permissible Standard determines whether the subject of the assessment is indeed conformant/compliant.
3.3 Proof of Concept / Bootstrapping
3.3.1 Conformity Assessment Programme and Assessability
The criteria listed in the PRCD must be and remain assessable at all times. Gaia-X is currently developing accompanying documents outlining the overarching conformity assessment programme and process.
Also, this PRCD will further evolve to enhance the assessability of its criteria to the extent necessary, e.g. where Gaia-X will not or cannot rely on existing standards and conformity assessment programmes.
Gaia-X anticipates that the requirements outlined in this document are assessable. If comparability of assessment results cannot be guaranteed, or if ambiguities exist, Gaia-X may have to adapt these rules, criteria, or assessment mechanisms in future versions.
In this vein and as mentioned elsewhere in this document, Gaia-X will monitor current regulatory developments as well as developments in the field of standards and conformity assessment programmes. Whilst Gaia-X may consider existing drafts as inspiration, Gaia-X does not endorse any such drafts. Likewise, Gaia-X remains in control of whether to adapt its requirements to future iterations of any such external developments.
3.3.2 Federation of Verification
Gaia-X Labels are issued according to determined criteria and assessments in a federated manner. The concept of modularity also allows Gaia-X to reuse existing certifications for the underlying service attributes whenever possible, hence reducing the cost and complexity of embracing Gaia-X labelling, especially for existing, already certified, services. Assessment Processes defined by Gaia-X itself will also be based on a federation of responsibilities.
3.3.3 Further design principles
The modularity concept requires Gaia-X labelling criteria to describe rather high-level objectives as the detailed requirements are further described in the corresponding standards that are acknowledged. As of today, Gaia-X Labels are issued to a specific Service Offering unless stated otherwise.
3.4 Extendibility of Gaia-X Conformity
Gaia-X Conformity applies to all Gaia-X Service Offerings. There shall also be a Gaia-X Credential for all the entities defined as part of the Gaia-X Conceptual Model:
- Participant including Consumer and Provider
- Service Offering
Gaia-X Conformity can be extended by an ecosystem as detailed in the Gaia-X Architecture Document.
3.5 Period of Validity
The targeted updating period of the document is eighteen (18) months. Exceptionally, in case of changes that have become appropriate under applicable laws or standards impacting the PRCD or the Conformity requirements, an update can be made earlier subject to a decision by the Gaia-X Board of Directors.
Upon revisions of the PRCD, the participants will have the choice of adapting their conformity to the revised requirements or remaining qualified under the former requirements, for a maximum duration of twelve (12) months from the entry into force of the revised PRCD requirements. Exceptionally, in case of changes that have become appropriate under applicable laws or standards impacting the PRCD, the Gaia-X Board of Directors can determine a grace period that deviates from the maximum twelve (12) months term, when relevant in view of the applicability of the changes of the applicable laws or standards.