7. Gaia-X Policy Rules and Labelling Criteria for Cloud Services

Note: we use the term ‘Provider’ throughout this section as the short denominator for a cloud Service Provider or CSP, i.e., the participant who provides cloud Service Offerings in the Gaia-X ecosystem. We use the term ‘Customer’ in this section to denominate the cloud service Customer, i.e., the participant who consumes a Service Offering from a cloud Service Provider.

Note: we use the term ‘Customer Data’ throughout this section for all customer provided or generated data, both personal and non-personal data, as processed by a Provider. This is not about the data-about-the-Customer, which the Provider needs to administer the service offering, to deploy, meter and bill the service to the Customer. Such data-about-the-Customer or know-my-customer-data need to be handled according to applicable legislation by the Provider and this falls outside the scope of this PRCD. Please note that additional contractual arrangements, inclusions or exclusions, can be made regarding specific types of data in the scope of a service agreement.

Note: whereas certain rules have originated from personal data privacy legislation, and other rules are suggested in a non-personal context, in practice, it is in most cases impossible for a Provider to differentiate between these data types. The Provider does not, and in many cases ought not even know which type of data is stored or processed with its services. Still, we have explicitly indicated which rules apply to personal data, where relevant.

Note: the policy rules and label criteria are listed using a hierarchical numbering system, prefixed by a “P” to indicate Provider targeted criteria. The hierarchical numbering allows stable numbers to be assigned to criteria, even when future additions or deletions are made.

Note: we use the following abbreviations in this section: BC (Basic Conformity), L1 (Gaia-X Label level 1), L2 (Gaia-X Label level 2) and L3 (Gaia-X Label level 3).

7.1 Nomenclature and Versioning of Referenced Standards

Referenced standards (term used in this document; short description where necessary; exact version reference; where to access or retrieve a copy, which might be behind a paywall):

  • SecNumCloud: French Cloud Service Requirements maintained by the Agence nationale de la sécurité des systèmes d’information (ANSSI); further information is available at the project’s website. Version: 3.2.a, as of March 8th, 2022. Access: SecNumCloud 3.2 (2022).
  • BSI C5: The C5 (Cloud Computing Compliance Criteria Catalogue) criteria catalogue specifies minimum requirements for secure cloud computing and is primarily intended for professional cloud providers, their auditors and customers. It is published by the German Federal Office for Information Security. Version: C5:2020. Access: BSI C5.
  • ISO/IEC 27001: (no further description). Version: ISO/IEC 27001:2022. Access: ISO/IEC 27001.
  • CISPE (GDPR, Infrastructure & IaaS): Approved GDPR Code of Conduct maintained by CISPE, covering Infrastructure and IaaS Cloud Services; further information is available at the project’s website. Version: February 9th, 2021. Access: CISPE (GDPR, IAAS).
  • EU Cloud CoC (GDPR, XAAS): Approved GDPR Code of Conduct maintained by the EU Cloud CoC General Assembly, covering the full cloud stack (XAAS); further information is available at the project’s website. Version: v2.11 as of December 2020. Access: EU Cloud CoC.
  • SWIPO: SWIPO (Switching Cloud Providers and Porting Data) is a multi-stakeholder group facilitated by the European Commission in order to develop voluntary Codes of Conduct for the proper application of the EU Free Flow of Non-Personal Data Regulation / Article 6 “Porting of Data”. There are two Codes of Conduct available, each independently referred to in this document as “SWIPO IaaS” and “SWIPO SaaS”. Version: SWIPO IaaS v3.0; SWIPO SaaS Version 2020 dating 08-07-2020. Access: SWIPO.
  • TISAX: The TISAX® testing and exchange mechanism was founded on the German Association of the Automotive Industry (VDA) catalogue of ISA (Information Security Assessment) requirements, largely established on the basis of the international ISO/IEC 27001 standard. The platform provides members throughout the value chain a standardized assessment of their information security status to be shared with partners working in the automotive industry. Version: 2017 (Revised Points of Focus 2022). Access: TISAX.
  • CSA CCM: CSA Cloud Control Matrix. Version: v.4. Access: CSA Cloud Control Matrix.

7.1.1 Contractual framework

This section reflects provisions associated with the contractual framework between a ‘Provider’ and a ‘Customer’, required for any Service Offering regardless of its type, purpose, or processed category of data. It is divided into requirements related to the governance of the contract and material aspects that shall be addressed in contracts. This section and its subordinate criteria shall not provide exact and exhaustive contractual language. They shall rather allow providers to reflect the requirements according to their individual needs of structure and language.

Additionally, it is not expected that individual contracts will be subject to an evaluation process by Gaia-X. Gaia-X will rather focus on evaluating a process, reflected by documented internal policies or procedures, that safeguard conformity with the requirements laid out in this section.

Note on the extent to which GDPR standards are mapped as Permissible Standards in this section, i.e., in Contractual Governance and in General Material Requirements and Transparency: by their very nature, GDPR standards address the processing of personal data. As the technical and organizational measures implemented may, in theory, differ depending on whether personal or non-personal data are affected, this is considered a limited practical concern. Against this background, GDPR standards were mapped as Permissible Standards accordingly. Consequently, Customers are invited to evaluate whether they need any additional assurances.

7.1.1.1 Contractual governance

Criterion P1.1.1: The Provider shall offer the ability to establish a legally binding act. This legally binding act shall be documented.

Note: The Provider needs to ensure a process that guarantees that a legally binding act is in place before delivering any form of service.

Note: The legally binding act can be a contract.

Note: Documented can be by any means, provided that both parties have the same access to such documentation, including the possibility to technically copy and share such documentation without hindrance. The possibility to technically copy and share without hindrance does not prevent the parties to agree upon any NDA or other means, that might provide for reasonable legal limitations.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 19.1
  • BSI C5: BC-01, OIS-03
  • CISPE (GDPR, Infrastructure & IaaS): 4.2
  • EU Cloud CoC (GDPR, XaaS): 5.1.A, 5.1.B
  • CSA CCM: STA-09
  • SWIPO IaaS: FR1, FR2

Example Standards: n/a

Criterion P1.1.2: The Provider shall have an option for each legally binding act to be governed by EU/EEA/Member State law.

BC: criterion is not applicable | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 19.1.c
  • CISPE (GDPR, Infrastructure & IaaS): 4.2
  • EU Cloud CoC (GDPR, XaaS): 5.1.A, 5.1.B, 5.1.C, 5.1.F, 5.4.F

Example Standards:

  • BSI C5: BC-01
  • CSA CCM: STA-09
  • SWIPO IaaS: FR1, FR2

Criterion P1.1.3: The Provider shall clearly identify for which parties the legal act is binding.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 19.1.b
  • EU Cloud CoC (GDPR, XaaS): 5.1.C, 5.1.F, 5.1.H

Example Standards:

  • BSI C5: BC-01, OIS-03
  • CISPE (GDPR, Infrastructure & IaaS): 4.2
  • CSA CCM: STA-09
  • SWIPO IaaS: FR1, FR2

Criterion P1.1.4: The Provider shall ensure that the legally binding act covers the entire provision of the Service Offering.

Rationale: The provisions of the Service Offering may comprise several elements. Increased complexities of individual Service Offerings must not undermine the necessity of a documented legally binding act. To address practical needs, the legally binding act may comprise multiple separate documents, e.g., a master agreement and exhibits such as service level agreements or data protection agreements.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 19.1, 19.4
  • BSI C5: BC-01, BC-02, BC-04
  • CISPE (GDPR, Infrastructure & IaaS): 4.2
  • EU Cloud CoC (GDPR, XaaS): 5.1.C, 5.1.F, 5.1.H
  • CSA CCM: STA-09

Example Standards:

  • SWIPO IaaS: FR1, FR2

Criterion P1.1.5: The Provider shall clearly identify in each legally binding act the applicable governing law.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Point Of Reference Standards:

  • SecNumCloud 3.2.a – 19.1.c

7.1.1.2 General material requirements and transparency

Criterion P1.2.1: The Provider shall ensure there are specific provisions regarding service interruptions and business continuity (e.g., by means of a service level agreement), Provider’s bankruptcy or any other reason by which the Provider may cease to exist in law.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 17.1, 17.2, 19.1.j
  • BSI C5: BCM-02, BCM-03
  • CISPE (GDPR, Infrastructure & IaaS): 5.5
  • CSA CCM: BCR-01, BCR-02, BCR-03

Example Standards:

  • EU Cloud CoC (GDPR, XaaS): 6.2.Q
  • ISO/IEC 27001: A.5.30, A.8.21
  • SWIPO IaaS: DP08
  • TISAX: 17.1

Criterion P1.2.2: The Provider shall ensure there are provisions governing the rights of the parties to use the service and any Customer Data therein.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 19.1.b, 19.1.d, 19.1.h, 19.1.k
  • BSI C5: PI-02
  • CISPE (GDPR, Infrastructure & IaaS): 4.7, 4.10, 5.7
  • EU Cloud CoC (GDPR, XaaS): 5.1.F, 5.1.H, 5.7.A, 5.10.A, 5.10.B
  • CSA CCM: IPY-01, IPY-04
  • SWIPO IaaS: TR-04

Example Standards: n/a

Criterion P1.2.3: The Provider shall ensure there are provisions governing changes, regardless of their kind.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 12.2, 14.2a, 15.4.a
  • BSI C5: BC-01, OIS-03, DEV-03
  • CISPE (GDPR, Infrastructure & IaaS): 4.3
  • EU Cloud CoC (GDPR, XaaS): 5.3.F, 6.2.K
  • CSA CCM: CCC-01, CCC-05

Example Standards:

  • ISO/IEC 27001: A.8.32
  • SWIPO IaaS: TR-04
  • TISAX: 5.2.1

Criterion P1.2.4: The Provider shall ensure there are provisions governing aspects regarding copyright or any other intellectual property rights.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 7.2.c
  • SWIPO IaaS: SCR02
  • CISPE (GDPR, Infrastructure & IaaS): 4.8
  • EU Cloud CoC (GDPR, XaaS): 5.1.F, 5.2.D, 5.12.A, 5.12.B, 5.12.C, 5.12.D, 5.12.F

Example Standards:

  • BSI C5: HR-06
  • CSA CCM: HRS-08, HRS-10
  • ISO/IEC 27001: A.6.2, A.6.3, A.6.5
  • TISAX: 8.2.1, 8.2.2, 8.2.3

Criterion P1.2.5: The Provider shall declare the general location of any processing of Customer Data, allowing the Customer to determine the applicable jurisdiction and to comply with Customer’s requirements in the context of its business and operational context.

Note:

  • The general location is a geographical reference, such as a city or city region area.
  • Business and operational context shall address elements such as business continuity, e.g., by safeguarding minimum distances between the Customer’s processing activities.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.4
  • CSA CCM: DSP-19

Example Standards:

  • SecNumCloud: 19.1.b, 19.2.a
  • BSI C5: BC-01
  • EU Cloud CoC (GDPR, XaaS): 5.3.E, 5.3.G, 5.4.B

Criterion P1.2.6: The Provider shall explain how information about subcontractors and related Customer Data localization will be communicated.

Note: this applies to the subcontractors essential to the provision of the Service Offering, including any sub-processors.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • SecNumCloud: 15.1, 15.2, 19.1.b, 19.2.a
  • BSI C5: 3.4.4.1, BC-01
  • CISPE (GDPR, Infrastructure & IaaS): 4.5
  • EU Cloud CoC (GDPR, XaaS): 5.3.C, 5.3.E, 5.3.F, 5.3.G
  • CSA CCM: DSP-19, STA-03, STA-09

Example Standards:

  • ISO/IEC 27001: A.5.19, A.5.20
  • TISAX: 6.1.1

Criterion P1.2.7: The Provider shall communicate to the Customer where the applicable jurisdiction(s) of subcontractors will be.

Note: this applies to the subcontractors essential for the provision of the Service Offering, including any sub-processors.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.5
  • EU Cloud CoC (GDPR, XaaS): 5.3.A, 5.3.E, 5.3.F, 5.3.G

Example Standards:

  • SecNumCloud: 15.1, 15.2, 19.1.b, 19.2.a
  • BSI C5: 3.4.4.1, BC-01
  • CSA CCM: DSP-19, STA-03, STA-09
  • ISO/IEC 27001: A.5.19, A.5.20
  • TISAX: 6.1.1

Criterion P1.2.8: The Provider shall include in the contract the contact details where Customer may address any queries regarding the Service Offering and the contract.

Note: Queries include requests during the pre-contractual state, before coming to an agreement.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Note: As it is generally foreseen that L2 and L3 will require third-party attestations, the following shall apply for this requirement: for the time being, there exists only one Permissible Standard. Until more Permissible Standards are identified for this Criterion, L2 and L3 shall only require a self-declaration.

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • EU Cloud CoC (GDPR, XaaS): 5.7, 5.9.A, 5.9.B

Example Standards:

  • SecNumCloud: 19.1.b
  • BSI C5: BC-02, OIS-03
  • CISPE (GDPR, Infrastructure & IaaS): 4.3, 4.6

Criterion P1.2.9: The Provider shall declare the mandatory service and resource attributes in the self-description of each Service Offering.

Note: the list of the mandatory attributes to be provided in Gaia-X Credentials to describe Services and Resources is reported in Chapter 8 - “Services and Resources - Mandatory attributes”, while the recommended optional attributes are reported in the Annex.

7.1.1.3 Technical compliance requirements

Criterion P1.3.1: The Provider shall describe the Permissions, Requirements and Constraints of the Service Offering using a common Domain-Specific Language (DSL) in the self-description.

Source: AD v2112, Chapter: 4.1

BC: criterion is not applicable | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Compliance Service Provider

Assessment Process: Gaia-X Trust Framework checking the attestation

Permissible Standards: n/a

Example Standards: n/a

Criterion P1.3.2: The Provider shall ensure that the Service Offering is operated by a Gaia-X participant defined by a verified self-description.

Source: AD v2112, Chapter: 4.2 / 4.3

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory declaration | L3: mandatory declaration

Assessing Entity: Gaia-X Compliance Service Provider

Assessment Process: Gaia-X Trust Framework checking the attestation

Permissible Standards: n/a

Example Standards: n/a

Criterion P1.3.3: Not in use.

Criterion P1.3.4: Not in use.

Criterion P1.3.5: Not in use.

7.1.2 Data Protection

This section only applies in the case of processing personal Customer Data. It reflects GDPR requirements without extending GDPR’s obligations, and it cites some of these requirements as they are judged to be explicitly relevant. By principle, this section shall only apply to personal data that are processed and are subject to the commercial relationship between the Customer and the Provider (we call them ‘personal Customer Data’), but not those personal data that are processed by the Provider to establish and maintain such commercial relationship for its own purposes, e.g., contract handling and invoicing. Provided a service offering will not process any personal data in this sense, requirements as laid down in this section shall not apply.

Note: In this section, Permissible Standards are limited to standards which have officially passed the Data Protection Supervisory Authorities’ approval process. That is, Permissible Standards must meet the Gaia-X criterion and meet the legal requirements for claiming to be a GDPR standard. Other standards, which might also address the Gaia-X criterion entirely, are listed as Example Standards. Where an Example Standard might address a Gaia-X criterion in its entirety, a (*) has been added. Otherwise, Example Standards remain aligned with the common methodology of this document.

7.1.2.1 General

Criterion P2.1.1: The Provider shall offer the ability to establish a contract under Union or EU/EEA/Member State law and specifically addressing GDPR requirements.

Note: GDPR requires EU/EEA or Member State law to be applicable. The Provider needs to ensure a process that guarantees that a legally binding act is in place before delivering any form of service.

Note: The GDPR requires suitable documentation, whilst clarifying, e.g., in Art. 28 (9) GDPR, that such documentation shall be in writing, including electronic form.

BC: criterion is not applicable | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

L1: Gaia-X Association or mandated entity

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • SecNumCloud: 18.1.a, 19.1
  • CISPE (GDPR, Infrastructure & IaaS): 4.2
  • EU Cloud CoC (GDPR, XaaS): 5.1.A, 5.1.C

Example Standards:

  • SecNumCloud: 18.1.a, 19.1(*)

Criterion P2.1.2: The Provider shall define the roles and responsibilities of each party.

Note: This considers the roles and responsibilities of the parties involved in the scope of this Service Offering.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • SecNumCloud: 6.1.e, 19.1
  • CISPE (GDPR, Infrastructure & IaaS): 4.3, 5.1
  • EU Cloud CoC (GDPR, XaaS): 5.1.C

Example Standards:

  • SecNumCloud: 6.1.e, 19.1 (*)

Criterion P2.1.3: The Provider shall clearly define the technical and organizational measures in accordance with the roles and responsibilities of the parties, including an adequate level of detail.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • SecNumCloud: 5 to 17
  • BSI C5: All Basic Criteria
  • CISPE (GDPR, Infrastructure & IaaS): 4.3
  • EU Cloud CoC (GDPR, XaaS): Entire Section 6

Example Standards:

  • SecNumCloud: 5 to 17 (*)
  • BSI C5: All Basic Criteria (*)
  • CSA CCM: All controls except Domain “Universal Endpoint Management” (*)
  • ISO/IEC 27001: Entire Annex A (*)
  • TISAX: All Information Security Requirements (*)

7.1.2.2 GDPR Art. 28

Criterion P2.2.1: The Provider shall be ultimately bound to instructions of the Customer.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.1
  • EU Cloud CoC (GDPR, XaaS): 5.1.F, 5.2.D

Example Standards: n/a

Criterion P2.2.2: The Provider shall clearly define how Customer may instruct, including by electronic means such as configuration tools or APIs.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.2
  • EU Cloud CoC (GDPR, XaaS): 5.2.A, 5.2.B, 5.2.C

Example Standards: n/a

Criterion P2.2.3: The Provider shall clearly define if and to which extent third country transfer will take place.

Note: Third country transfer to be defined as transfer outside of the CSP contractual country.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: criterion is not applicable

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.4
  • EU Cloud CoC (GDPR, XaaS): 5.4.A, 5.4.C, 5.4.E

Example Standards:

  • CSA CCM: DSP-10, DSP-19 (*)
  • SecNumCloud: 5.3.e, 19.1.e
  • BSI C5: BC-01
  • ISO/IEC 27001: A.5.34

Criterion P2.2.4: The Provider shall clearly define if and to the extent third country transfers will take place, and by which means of Chapter V GDPR these transfers will be protected.

BC: criterion is not applicable | L1: mandatory declaration | L2: mandatory certification | L3: criterion is not applicable

Assessing Entity:

L1: Gaia-X Association or mandated entity.

L2: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.4
  • EU Cloud CoC (GDPR, XaaS): 5.4.A, 5.4.C, 5.4.E

Example Standards:

  • CSA CCM: DSP-10, DSP-19 (*)
  • SecNumCloud: 5.3.e, 19.1.e
  • BSI C5: BC-01
  • ISO/IEC 27001: A.5.34

Criterion P2.2.5: The Provider shall clearly define if and to which extent sub-processors will be involved.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • SecNumCloud: 15.1
  • CISPE (GDPR, Infrastructure & IaaS): 4.5
  • EU Cloud CoC (GDPR, XaaS): 5.3.E, 5.3.F, 5.3.G

Example Standards:

  • CSA CCM: DSP-13 (*)
  • TISAX: 9.2 (*)
  • BSI C5: 3.4.4.1, BC-01
  • ISO/IEC 27001: A.5.19

Criterion P2.2.6: The Provider shall clearly define if and to the extent sub-processors will be involved, and the measures that are in place regarding sub-processors management.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • SecNumCloud: 15.2, 15.3, 15.4, 15.5
  • CISPE (GDPR, Infrastructure & IaaS): 4.5
  • EU Cloud CoC (GDPR, XaaS): 5.3.C, 5.3.D

Example Standards:

  • SecNumCloud: 15.2, 15.3, 15.4, 15.5 (*)
  • CSA CCM: DSP-13, DSP-14, DSP-17, STA-01, STA-09, STA-12, STA-13, STA-14
  • BSI C5: 3.4.4.1, SSO-01, SSO-02, SSO-03, SSO-04, SSO-05
  • ISO/IEC 27001: A.5.19, A.5.20, A.5.34
  • TISAX: 6.1.1

Criterion P2.2.7: The Provider shall define the audit rights for the Customer.

BC: mandatory declaration | L1: mandatory declaration | L2: mandatory certification | L3: mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2/L3: In cases of a Code of Conduct (Art. 40 GDPR): accredited monitoring body for the respective Code of Conduct, Art. 41 GDPR; In case of a Certification (Art. 42 GDPR): accredited Certification Body for the respective Certification (Art. 43 GDPR).

Assessment Process:

BC/L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion.

L2/L3: In case of a Code of Conduct (Art. 40 GDPR): assessment process as defined by the respective Code of Conduct / accredited monitoring body; In case of a Certification (Art. 43 GDPR): assessment process as defined by the respective Certification / accredited certification body.

Permissible Standards:

  • SecNumCloud: 19.1.q
  • CISPE (GDPR, Infrastructure & IaaS): 4.6
  • EU Cloud CoC (GDPR, XaaS): 5.5.C, 5.5.D, 5.5.F

Example Standards:

  • SecNumCloud: 19.1.q (*)
  • BSI C5: COM-02

7.1.3 Cybersecurity

Safeguarding the appropriate security of service offerings and processed elements is a key and state-of-the-art principle. Therefore, this section applies to any service offering, regardless of its Provider, type, purpose, or processed category of data. It is acknowledged that cybersecurity-related measures will in most cases be implemented for the Provider’s organisation as a whole, rather than for the specific service offering. However, in principle, measures may differ between service offerings. Thus, where measures are implemented at an organisation-wide level, their inheritance shall suffice for this section. Where measures are implemented per service offering, an individual evaluation per service offering will be required.

For all the security requirements, the criteria follow as closely as possible the current discussions on the European Cloud Scheme (EUCS). When the EUCS is finalized, Gaia-X will adapt these criteria accordingly. Therefore, the terms used in the criteria of this section should be read in the light of the EUCS.

Criterion P3.1.1: Organization of information security: Plan, implement, maintain and continuously improve the information security framework within the organisation.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 5.2.a, 5.2.b, 5.2.c, 5.2.d, 5.2.e, 5.3.a
  • BSI C5: OIS-01, OIS-02, COM-04
  • EU Cloud CoC (GDPR, XaaS): 6.1.C
  • CSA CCM: GRC-01, GRC-03, GRC-05, GRC-06
  • ISO/IEC 27001: Annex A 5.1, Annex A 5.2, Annex A 5.4
  • TISAX: 1.2.1, 1.2.2, 1.5.2

Example Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 4.3
  • CSA CCM: GRC-01, GRC-03, GRC-05, GRC-06
  • ISO/IEC 27001: Annex A 5.1, Annex A 5.2, Annex A 5.4
  • TISAX: 1.2.1, 1.2.2, 1.5.2

Criterion P3.1.2: Information Security Policies: Provide a global information security policy, derived into policies and procedures regarding security requirements and to support business requirements

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 5.2
  • BSI C5: SP-01, SP-02, OIS-02
  • CISPE (GDPR, Infrastructure & IaaS): 4.3
  • EU Cloud CoC (GDPR, XaaS): 6.2.A
  • ISO/IEC 27001: Annex A 5.1

Example Standards:

  • CSA CCM: GRC-01, GRC-03, GRC-05
  • TISAX: 1.4.1

Criterion P3.1.3: Risk Management: Ensure that risks related to information security are properly identified, assessed, and treated, and that the residual risk is acceptable to the CSP.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 5.3.G, 5.3.H
  • BSI C5: OIS-06, OIS-07
  • CISPE (GDPR, Infrastructure & IaaS): 5.4
  • EU Cloud CoC (GDPR, XaaS): 6.1.C
  • CSA CCM: GRC-02
  • ISO/IEC 27001: 6.1.2, 6.1.3, 8.2

Example Standards:

  • TISAX: 1.4.1

Criterion P3.1.4: Human Resources: Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation’s assets are protected in the event of changes in responsibilities or termination.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • BSI C5: HR-02, HR-03, HR-04, HR-05, HR-06, AM-05, IDM-01, IDM-04
  • EU Cloud CoC (GDPR, XaaS): 6.2.C
  • SecNumCloud: 7.2, 7.3, 7.4, 7.5
  • CISPE (GDPR, Infrastructure & IaaS): 4.3
  • ISO/IEC 27001: Annex A 5.2, Annex A 5.11, Annex A 6.2, Annex A 6.3, Annex A 6.6

Example Standards:

  • CSA CCM: HRS-02, HRS-03, HRS-04, HRS-06, HRS-07, HRS-08, HRS-09, HRS-10, HRS-11, HRS-13
  • TISAX: 2.1.1, 2.1.2

Criterion P3.1.5: Asset Management: Identify the organisation’s own assets and ensure an appropriate level of protection throughout their lifecycle.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 8.1, 8.2, 8.3, 8.4, 8.5, 11.8
  • BSI C5: AM-01, AM-02, AM-03, AM-04, AM-05, AM-06
  • EU Cloud CoC (GDPR, XaaS): 6.2.D, 6.2.E
  • CSA CCM: DCS-01, DCS-02, DCS-04, DCS-05, DCS-06, CCC-01, CCC-04, CCC-06, HRS-05, CEK-04
  • ISO/IEC 27001: Annex A 5.9, Annex A 5.12, Annex A 5.15, Annex A 8.3
  • TISAX: 1.3.1, 1.3.2

Example Standards: n/a

Criterion P3.1.6: Physical Security: Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.10
  • BSI C5: PS-01, PS-02, PS-03, PS-05, OS-07, PS-07
  • CISPE (GDPR, Infrastructure & IaaS): 4.3
  • EU Cloud CoC (GDPR, XaaS): 6.2.J
  • CSA CCM: DCS-07, DCS-09, DCS-10, DCS-12, DCS-13, DCS-14, DCS-15, LOG-12
  • ISO/IEC 27001: Annex A 7.1, Annex A 7.2, Annex A 7.3, Annex A 7.4, Annex A 7.5, Annex A 7.6, Annex A 7.7, Annex A 7.8, Annex A 7.9, Annex A 7.10, Annex A 7.11, Annex A 7.12, Annex A 7.13, Annex A 7.14

Example Standards:

  • TISAX: 3.1.1

Criterion P3.1.7: Operational Security: Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • BSI C5: OPS-01, OPS-02, OPS-03, OPS-04, OPS-05, OPS-10, OPS-11, OPS-12, OPS-13, OPS-14, OPS-15, OPS-16, OPS-17, OPS-18, OPS-19, OPS-20, OPS-22, OPS-23
  • EU Cloud CoC (GDPR, XaaS): 6.2.K
  • CSA CCM: IVS-02, IVS-03, IVS-09, LOG-01, LOG-03, LOG-05, LOG-07, LOG-08, LOG-13, SEF-01, SEF-02, SEF-05, SEF-07, TVM-01, TVM-02, TVM-07, UEM-09, UEM-10
  • ISO/IEC 27001: Annex A 8.6, Annex A 8.7, Annex A 8.8, Annex A 8.9, Annex A 8.15, Annex A 8.16
  • SecNumCloud: 6.1.a, 12.1, 12.4, 12.6, 12.7, 12.9, 12.10, 12.11, 16.1, 16.3.a, 17.4.a
  • CISPE (GDPR, Infrastructure & IaaS): 4.3

Example Standards:

  • TISAX: 5.2.3, 5.2.4, 5.2.5

Criterion P3.1.8: Identity, Authentication and access control management: Limit access to information and information processing facilities.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 9.1, 9.2, 9.3, 9.4, 9.7, 11.2
  • BSI C5: PS-05, IDM-01, IDM-02, IDM-03, IDM-04, IDM-05, IDM-06, IDM-07
  • CISPE (GDPR, Infrastructure & IaaS): 4.8
  • EU Cloud CoC (GDPR, XaaS): 6.2.F
  • CSA CCM: DCS-07, DCS-09, IAM-01, IAM-04, IAM-05, IAM-06, IAM-07, IAM-08, IAM-09, IAM-10, IAM-11
  • ISO/IEC 27001: Annex A 5.15, Annex A 5.16, Annex A 5.17, Annex A 5.18, Annex A 8.2, Annex A 8.3

Example Standards:

  • TISAX: 4.1.1, 4.1.2, 4.1.3, 4.2.1

Criterion P3.1.9: Cryptography and Key management: Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6
  • BSI C5: CRY-01, CRY-02, CRY-03, CRY-04
  • EU Cloud CoC (GDPR, XaaS): 6.2.G, 6.2.H, 6.2.I
  • CSA CCM: CEK-01, CEK-02, CEK-03, CEK-04, CEK-05, CEK-06, CEK-07, CEK-08, CEK-09, CEK-10, CEK-11, CEK-12, CEK-13, CEK-14, CEK-15, CEK-16, CEK-17, CEK-18, CEK-19, CEK-20, CEK-21
  • ISO/IEC 27001: Annex A 8.24

Example Standards:

  • TISAX: 5.1.1, 5.1.2

Criterion P3.1.10: Communication Security: Ensure the protection of information in networks and the corresponding information processing systems.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices (EUCS Basic: CKM-03.1, CKM-04.1).

L2: onsite assessment following assessment process according to the respective standards (EUCS Substantial: CKM-03.2, CKM-03.3, CKM-04.2, CKM-04.4).

L3: According to process for EUCS Level High; ad interim: see Label Level 2 (EUCS High: CKM-03.4, CKM-04.3).

Permissible Standards:

  • SecNumCloud: 13.1, 13.2, 13.3
  • BSI C5: COS-01, COS-02, COS-03, COS-04, COS-05, COS-06, COS-07, COS-08
  • EU Cloud CoC (GDPR, XaaS): 6.2.L
  • CSA CCM: IPY-01, IPY-03, IVS-03, IVS-07
  • ISO/IEC 27001: Annex A 8.9, Annex A 8.12, Annex A 8.20, Annex A 8.21, Annex A 8.22
  • CISPE (GDPR, Infrastructure & IaaS): 4.3

Example Standards:

  • TISAX: 5.1.2, 5.2.7

Criterion P3.1.11: Portability and Interoperability: The CSP shall provide a means by which a customer can obtain their stored customer data, shall provide documentation on how (where appropriate, through documented APIs) the CSC can obtain the stored data at the end of the contractual relationship, and shall document how, and within what timeframe, the data will be securely deleted from the Cloud Service Provider’s systems.

Remark: this objective should be understood in the context of cybersecurity. Further portability objectives are defined in criteria P4.1.1 and P4.1.2.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • BSI C5: PI-01, PI-02, PI-03
  • EU Cloud CoC (GDPR, XaaS): 5.2.A, 5.2.B, 5.2.C, 5.7.A, 5.7.B, 5.10.A, 5.10.B, 5.14.A, 5.14.B
  • CSA CCM: IPY-01, IPY-02, IPY-03, IPY-04
  • SWIPO IaaS: PR01, PR02, PR03, PR06, PR07, DP01, DP02, DP03, DP05, DP06, DP07, DP08, SCR01, TR02, PLR05
  • SecNumCloud: 19.1, 19.4
  • CISPE (GDPR, Infrastructure & IaaS): 4.7, 4.10, 5.7

Example Standards: n/a

Criterion P3.1.12: Change and Configuration Management: Ensure that changes and configuration actions to information systems guarantee the security of the delivered cloud service.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • BSI C5: DEV-03, DEV-05, DEV-06, DEV-07, DEV-08, DEV-09
  • EU Cloud CoC (GDPR, XaaS): 6.2.M
  • CSA CCM: CCC-01, CCC-02, CCC-04, CCC-05, CCC-06, CCC-07, CCC-09
  • ISO/IEC 27001: Annex A 8.9, Annex A 8.32
  • SecNumCloud: 12.2, 14.1, 14.2, 14.3, 14.4, 14.6
  • TISAX: 5.2.1, 5.2.2

Example Standards: n/a

Criterion P3.1.13: Development of Information systems: Ensure information security in the development cycle of information systems.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7
  • BSI C5: DEV-01, DEV-02, DEV-03, DEV-04, DEV-05, DEV-06, DEV-07, DEV-08, DEV-09
  • EU Cloud CoC (GDPR, XaaS): 6.2.M
  • CSA CCM: DSP-, DSP-08, AIS-04, AIS-05, AIS-06
  • ISO/IEC 27001: Annex A 8.25, Annex A 8.26, Annex A 8.27, Annex A 8.28, Annex A 8.29, Annex A 8.30, Annex A 8.31
  • TISAX: 5.3.1

Example Standards: n/a

Criterion P3.1.14: Procurement Management: Ensure the protection of information that suppliers of the CSP can access, and monitor the agreed services and security requirements.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 9.7.d, 15.1, 15.2, 15.3, 15.4
  • EU Cloud CoC (GDPR, XaaS): 6.2.N
  • CSA CCM: STA-09, STA-10, STA-11, STA-12, DSP-13
  • ISO/IEC 27001: Annex A 5.19, Annex A 5.20, Annex A 5.21
  • TISAX: 6.1.1, 6.1.2

Example Standards:

  • BSI C5: SSO-01, SSI-04

Criterion P3.1.15: Incident Management: Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 16.1, 16.2, 16.3, 16.4, 16.5
  • BSI C5: SIM-01, SIM-02, SIM-03, SIM-04, SIM-05, OIS-03, OPS-13, OPS-21
  • EU Cloud CoC (GDPR, XaaS): 6.2.O, 6.2.P
  • CSA CCM: SEF-01, SEF-02, SEF-03, SEF-05, SEF-06, SEF-07, SEF-08, LOG-03, LOG-05
  • ISO/IEC 27001: Annex A 5.24, Annex A 5.25, Annex A 5.26, Annex A 5.27
  • TISAX: 1.6.1
  • CISPE (GDPR, Infrastructure & IaaS): 4.9

Example Standards: n/a

Criterion P3.1.16: Business Continuity: Plan, implement, maintain and test procedures and measures for business continuity and emergency management.

This criterion is consistent with criterion 60 (chapter European Control), which is more advanced in the case of Label Level 3.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 17.1, 17.2, 17.3, 17.4, 17.5, 17.6
  • BSI C5: BCM-01, BCM-02, BCM-03
  • EU Cloud CoC (GDPR, XaaS): 6.2.Q
  • CSA CCM: BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-06, BCR-07, BCR-09, BCR-10
  • ISO/IEC 27001: Annex A 5.29, Annex A 5.30

Example Standards: n/a

Criterion P3.1.17: Compliance: Avoid non-compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • SecNumCloud: 8.3, 18.1, 18.3
  • BSI C5: COM-01, COM-03
  • EU Cloud CoC (GDPR, XaaS): 6.3.A
  • ISO/IEC 27001: Annex A 5.31
  • TISAX: 7.1.1

Example Standards:

  • CSA CCM: GRC-07, HRS-13, A&A-04

Criterion P3.1.18: User documentation: Provide up-to-date information on the secure configuration and known vulnerabilities of the cloud service for cloud customers.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards

L3: Assessing entity authorized according to the respective standards

Assessment Process:

BC: self-assessment

L1: internal audit; externally confirmed to be following recognized standards and/or good practices

L2: onsite assessment following assessment process according to the respective standards

L3: According to process for EUCS Level High; ad interim: see Label Level 2

Permissible Standards:

  • BSI C5: PSS-01, PSS-03
  • EU Cloud CoC (GDPR, XaaS): 6.3.A

Example Standards: n/a

Criterion P3.1.19: Dealing with information requests from government agencies: Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of Customer Data.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • BSI C5: INQ-01, INQ-02, INQ-03, INQ-04
  • EU Cloud CoC (GDPR, XaaS): 5.11.B, 5.11.C

Example Standards:

  • CSA CCM: DSP-12, DSP-18

Criterion P3.1.20: Product security: Provide appropriate mechanisms for cloud customers to enable product security.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration and external review | mandatory certification | mandatory certification

Assessing Entity:

BC: Gaia-X Association or mandated entity.

L1: internal + authorized entity according to the EUCS Level Basic; ad interim: internal + external confirmation that the internal audit followed recognized standards and/or good practices.

L2: Assessing entity authorized according to the respective standards.

L3: Assessing entity authorized according to the respective standards.

Assessment Process:

BC: self-assessment.

L1: internal audit; externally confirmed to be following recognized standards and/or good practices.

L2: onsite assessment following assessment process according to the respective standards.

L3: According to process for EUCS Level High; ad interim: see Label Level 2.

Permissible Standards:

  • BSI C5: PSS-01, PSS-04, PSS-05, PSS-06, PSS-08, PSS-10, PSS-11, PSS-12
  • CISPE (GDPR, Infrastructure & IaaS): 5.1, 5.3, 4.3
  • EU Cloud CoC (GDPR, XaaS): 5.1.C

Example Standards:

  • CSA CCM: IAM-11

7.1.4 Portability

This section refers to the application of Art. 6 (1) of the Free Flow of Data Regulation (FFoDR). It applies to any Service Offering, regardless of its Provider, type, purpose, or processed category of data.

7.1.4.1 Switching and porting of Customer Data

Criterion P4.1.1 : The Provider shall implement practices for facilitating the switching of Providers and the porting of Customer Data in a structured, commonly used and machine-readable format including open standard formats where required or requested by the Customer.

Note: The switching process involves three parties, the Customer, the exiting Provider and the receiving Provider who should all duly co-operate to execute the transfer.

Note: The Customer Data received by the Customer or the importing Provider could include configuration information as well as information about the software systems used for the Service Offering.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration | mandatory declaration | mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity

L2/L3: to the extent there is no project or mechanism through which a third-party attestation can be received, a self-declaration shall suffice; once a project or mechanism including third-party statements exists and is mapped by Gaia-X, the third-party attestation becomes mandatory.

Assessment Process:

BC/L1: Gaia-X Self-Declaration

L2/L3: for the time being, for L2 and L3 it must be ensured that, at a minimum, the self-assessment is formally declared to an independent body provided by the project, e.g., for SWIPO this is the SWIPO secretariat.

Permissible Standards:

  • SecNumCloud: 19.1.g, 19.1.h
  • SWIPO IaaS: DP01, DP02, DP03, DP04, DP05, DP08

Example Standards: n/a

Criterion P4.1.2: The Provider shall ensure pre-contractual information exists, with sufficiently detailed, clear and transparent information regarding the processes of Customer Data portability, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another Provider or port Customer Data back to its own IT systems.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration | mandatory declaration | mandatory certification

Assessing Entity:

BC/L1: Gaia-X Association or mandated entity.

L2/L3: to the extent there is no project or mechanism through which a third-party attestation can be received, a self-declaration shall suffice; once a project or mechanism including third-party statements exists and is mapped by Gaia-X, the third-party attestation becomes mandatory.

Assessment Process:

BC/L1: Gaia-X Self-Declaration.

L2/L3: for the time being, for L2 and L3 it must be ensured that, at a minimum, the self-assessment is formally declared to an independent body provided by the project, e.g., for SWIPO this is the SWIPO secretariat.

Permissible Standards:

  • SWIPO IaaS: TR03, PR01, PR02, PR03, PR04, PR06, PR07

Example Standards: n/a

7.1.5 European Control

This section applies to any service offering, regardless of its Provider, type, purpose, or processed category of data. However, requirements shall only apply subject to the indicated labels. This section aims to address the Customer’s or domain-specific needs, e.g., by limiting storage and/or processing to the area of EU/EEA.

Gaia-X distinguishes 3 levels of Labels, starting from Label Level 1 (the lowest), up to Label Level 3 (the highest), which represent different degrees of compliance with regard to the goals of transparency, autonomy, data protection, security, interoperability, flexibility, and European Control. Some of the following requirements are specific to a respective Label Level.

7.1.5.1 Processing and storing of Customer Data in EU/EEA

Criterion P5.1.1: For Label Level 2, the Provider shall provide the option that all Customer Data are processed and stored exclusively in EU/EEA.

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | mandatory certification | criterion is not applicable

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-declaration until an external entity is accredited by the Gaia-X Association

Permissible Standards:

  • SecNumCloud: 19.1, 19.2
  • CISPE (GDPR, Infrastructure & IaaS): 4.4

Example Standards:

  • BSI C5: PSS-12

Criterion P5.1.2: For Label Level 3, the Provider shall process and store all Customer Data exclusively in the EU/EEA.

This criterion is only required for Label Level 3.

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | criterion is not applicable | mandatory certification

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-declaration until an external entity is accredited by the Gaia-X Association

Permissible Standards:

  • SecNumCloud: 19.1, 19.2
  • CISPE (GDPR, Infrastructure & IaaS): 4.4

Example Standards: n/a

Criterion P5.1.3: For Label Level 3, where the Provider or subcontractor is subject to legal obligations to transmit or disclose Customer Data on the basis of a non-EU/EEA statutory order, the Provider shall have verified safeguards in place to ensure that any access request is compliant with EU/EEA/Member State law.

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | criterion is not applicable | mandatory certification

Note: this is a general principle which is not assessable. The verified safeguards are further specified in subsequent criteria in this section (P5.1.4 - P5.1.7).

Permissible Standards: n/a

Example Standards: n/a

Criterion P5.1.4: For Label Level 3, the Provider’s registered head office, headquarters and main establishment shall be established in a Member State of the EU/EEA.

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | criterion is not applicable | mandatory certification

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-declaration until an external entity is accredited by the Gaia-X Association

Permissible Standards:

  • SecNumCloud: 19.6

Example Standards: n/a

Criterion P5.1.5: For Label Level 3, shareholders in the Provider whose registered head office, headquarters and main establishment are not established in a Member State of the EU/EEA shall not, directly or indirectly, individually or jointly, hold control of the CSP. Control is defined as the ability of a natural or legal person to exercise decisive influence, directly or indirectly, on the CSP through one or more intermediate entities, de jure or de facto (cf. Council Regulation (EC) No 139/2004 and the Commission Consolidated Jurisdictional Notice under Council Regulation (EC) No 139/2004 for illustrations of decisive control).

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | criterion is not applicable | mandatory certification

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-declaration until an external entity is accredited by the Gaia-X Association

Permissible Standards: n/a

Example Standards: n/a

Criterion P5.1.6: For Label Level 3, in the event of recourse by the Provider, in the context of the services provided to the Customer, to the services of a third-party company (including a subcontractor) whose registered head office, headquarters and main establishment is outside of the European Union, or which is owned or controlled directly or indirectly by another third-party company registered outside the EU/EEA, the third-party company shall have no access to the Customer Data, nor to the access and identity management for the services provided to the Customer. The Provider, including any of its sub-processors, shall push back any request received from non-European authorities to obtain communication of Customer Data relating to European Customers, except if the request is made in execution of a court judgment or order that is valid and compliant under Union law and applicable Member State law, as provided by Article 48 GDPR.

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | criterion is not applicable | mandatory certification

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-declaration until an external entity is accredited by the Gaia-X Association

Permissible Standards: n/a

Example Standards:

  • SecNumCloud: 19.6

Criterion P5.1.7: For Label Level 3, the Provider must maintain continuous operating autonomy for all or part of the services it provides. The concept of operating autonomy shall be understood as the ability to maintain the provision of the cloud computing service by drawing on the Provider’s own skills or by using adequate alternatives.

BC | L1 | L2 | L3
criterion is not applicable | criterion is not applicable | criterion is not applicable | mandatory certification

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-declaration until an external entity is accredited by the Gaia-X Association

Permissible Standards:

  • SecNumCloud: 19.6.d

Example Standards: n/a

7.1.5.2 Access to Customer Data

Criterion P5.2.1: The Provider shall not access Customer Data unless authorized by the Customer or when the access is in accordance with applicable laws in scope of the legally binding act.

Note: in Europe this refers to all applicable EU/EEA/Member State laws.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration | mandatory certification | mandatory certification

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Permissible Standards:

  • CISPE (GDPR, Infrastructure & IaaS): 3
  • EU Cloud CoC (GDPR, XaaS): 5.4.A, 5.4.B, 5.4.C, 5.12.C

Example Standards:

  • SecNumCloud: 9.7
  • BSI C5: IDM-07
  • CSA CCM: DSP-15

7.1.6 Sustainability

Criterion P6.1.1: The Provider shall provide transparency on the environmental impact of the Service Offering provided.

Note: transparency can be created via a link to an environmental impact report of the Provider. This may be an aggregate statement on a portfolio of services, not necessarily the impact of an individual Service Offering. The report shall describe the consumption of natural resources such as water and energy sources, the carbon footprint, the use of pollutants and other factors.

BC | L1 | L2 | L3
mandatory declaration | mandatory declaration | mandatory declaration | mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Criterion P6.1.2: The Provider shall ensure that the Service Offering meets, or relies on an infrastructure Service Offering which meets, a high standard in energy efficiency, meeting an annual PUE target of 1.3 in cool climates and 1.4 in warm climates.

Note: By January 1, 2025, the metric should be met by any new data centre at full capacity used to provide the Service Offering. Pre-existing data centres will achieve these same targets by January 1, 2030. The targets apply to all data centres larger than 50 kW of maximum IT power demand.

BC | L1 | L2 | L3
not applicable | mandatory declaration | mandatory certification | mandatory certification

Assessing Entity:

  • L1: Gaia-X Association or mandated entity

  • L2/L3: Accredited Conformity Assessment Body for one of the Permissible Standards

Assessment Process:

  • L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion or public registered adherence to one of the Permissible Standards.

  • L2/L3: Assessment process by an accredited Conformity Assessment Body of one of the Permissible Standards

Permissible Standards:

  • Climate Neutral Data Centre Pact (CNDCP)

Criterion P6.1.3: The Provider shall ensure that the Service Offering meets or relies on an infrastructure Services Offering for which electricity demand will be matched by 75% renewable energy or hourly carbon-free energy by 31st December 2025, and 100% by 31st December 2030.

BC | L1 | L2 | L3
not applicable | mandatory declaration | mandatory certification | mandatory certification

Assessing Entity:

  • L1: Gaia-X Association or mandated entity

  • L2/L3: Accredited Conformity Assessment Body for one of the Permissible Standards

Assessment Process:

  • L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion or public registered adherence to one of the Permissible Standards.

  • L2/L3: Assessment process by an accredited Conformity Assessment Body of one of the Permissible Standards.

Permissible Standards:

  • Climate Neutral Data Centre Pact (CNDCP)

Criterion P6.1.4: The Provider shall ensure that the Service Offering meets, or relies on an infrastructure Service Offering that will meet, a high standard for water conservation, demonstrated through the application of a location- and source-sensitive water usage effectiveness (WUE) target of 0.4 L/kWh in areas with water stress.

Note: By January 1, 2025 new data centres at full capacity in cool climates that use potable water will be designed to meet a maximum WUE of 0.4 L/kWh in areas with water stress. The limit for WUE can be modified based on climate, stress and water type to encourage the use of sustainable water sources for cooling. By December 31, 2040, existing data centres that replace a cooling system will meet the WUE target applied to new data centres.

BC | L1 | L2 | L3
not applicable | mandatory declaration | mandatory certification | mandatory certification

Assessing Entity:

  • L1: Gaia-X Association or mandated entity

  • L2/L3: Accredited Conformity Assessment Body for one of the Permissible Standards

Assessment Process:

  • L1: legally binding statement towards Gaia-X via the Trust Framework to comply with the Gaia-X Labelling criterion or public registered adherence to one of the Permissible Standards.

  • L2/L3: Assessment process by an accredited Conformity Assessment Body of one of the Permissible Standards

Permissible Standards:

  • Climate Neutral Data Centre Pact (CNDCP)