DIGITALEUROPE’s observations for Gaia-X’s policy rules consultation
DIGITALEUROPE firmly believes in the potential of Gaia-X to become a pioneering initiative to support innovative data exchanges and cloud and edge uptake in Europe via concrete business use cases. We joined Gaia-X among its first day-1 members and plan to contribute to Gaia-X’s deliverables and operations.
Having replied to the consultation organised on the policy rules document (PRD 21.04), we now share the below general comments and recommendations based on our response.
- High-Level Objectives:
We greatly welcome the proposed high-level objectives (HLOs) as a constructive base for developing the Gaia-X ecosystem around workable policy rules. The new format of the HLOs as a general, clear, and concise set of rules for all sectors is a much better option than sector-specific rules. If the scope of the HLOs were to be broadened in future versions of the policy rules, we would encourage further consultation of the Gaia-X community, with a reasonable timeline for input.
- Compliance metrics & standardisation:
We expect the policy rules to soon be complemented by related metrics (e.g., standards) that can be used to demonstrate conformance. In that context, it is very positive that Gaia-X seeks to reflect the work and best practices of long-established European and international standards developing organisations. When assessing standardisation needs, we believe that it would benefit all Gaia-X participants if identified and proposed standards and mechanisms are, as far as possible, internationally recognised and accepted (e.g., ISO/IEC or international fora/consortia such as OASIS, IETF, etc.).
It is important that Gaia-X adheres to metrics that a) were developed through sufficient due-process-based procedures and safeguards, b) are broadly recognised and accepted by impacted industry players and/or c) were developed with sufficient industry stakeholder participation and support.
- Common rules for IaaS, PaaS, SaaS:
Laying out common objectives for all types of cloud services (IaaS, SaaS and PaaS) simplifies the understanding of related requirements for both providers and users. Avoiding completely different sets of rules is useful, as boundaries between different types of cloud offerings are rather blurred and ill-defined. We therefore strongly welcome the design of a framework for a shared responsibilities model, which, where relevant, can define clear responsibilities and tasks for each service.
- Third-party verification:
Preference shall be given to self-declaration or other industry-supported conformance approaches over third-party verifications. Any third-party certification schemes should only be used where appropriate and relevant, as they would represent substantial audit and record-keeping costs to Gaia-X-participating service providers. It is important that the conformity assessment framework of Gaia-X ensures integrity, neutrality and effectiveness and leverages the ISO/IEC CASCO framework and relevant standards.
- Link with the Architecture of Standards:
The Gaia-X policy rules and the architecture of standards are closely connected, but this relationship is not entirely clear yet. As the architecture of standards is also an evolving document, it is important to ensure consistency between the two and to consult the community on how they are linked.
- Implementation & scope:
The PRD does not yet detail how the policy rules will be implemented and enforced in practice, or whether it will be considered a code of conduct. The structure, purpose/objectives and level of granularity should be further assessed to indicate which exact framework should be followed in each section and which maturity levels correspond to it, including a roadmap (with justifications) for reaching higher maturity levels. This would make the PRD easier for the wider Gaia-X community to understand.
Without prejudice to the policy rules, it is crucial for Gaia-X to have a sound governance structure supporting its development as well as the review and approval of proposed Gaia-X requirements, policies or programmes (cf. in this regard our governance recommendations from March [1]). This includes having clear and written governance documents that are developed through transparent and inclusive processes, such as by-laws, internal rules, committee/working group procedures, policies, etc. Those documents should address issues such as IPR (patent, copyright and trademark issues), public comment and/or written records processes, competition policy, etc., covering the four different Gaia-X activities, with the opportunity for review and feedback. The absence of some of these procedures and rules creates legal uncertainty and makes it more difficult for stakeholders to engage.
To support sound governance, Gaia-X should use OSI-recognised open-source licensing to drive relevant Gaia-X activities such as its Federation Services. In doing so, Gaia-X will attract the support of the open-source community to collaborate and build out commoditised and modular solutions upon which companies can further differentiate and add value.
Concrete observations & suggestions
- Clarity & alignment of definitions:
The definitions included in the PRD such as ‘asset’ or ‘service offering’ should be more precise and aligned with definitions of the same concepts in other Gaia-X documents (architecture documents). Furthermore, we propose adding a clear clause in the PRD’s introductory section stating that “The current policy rules apply to service offerings offered in the Gaia-X ecosystem”, rather than only mentioning this principle in the recitals.
- Geographical scope:
There is a general vagueness with regards to the PRD’s jurisdictional scope. We recommend clarifying the PRD’s scope, as many Gaia-X participants need to operate globally for both their own facilities and their global supply chains and will therefore also be subject to regulations in non-EU jurisdictions.
Notably, clause B.5.2 of the PRD should not conflict with the legal obligations of any company with ties to a jurisdiction that could compel access to data without customer consent.
- Links with EU legislation:
The PRD contains provisions from selected EU legislation such as the GDPR. Companies already comply with all EU legislation that has entered into force; the PRD should therefore only refer to applicable legislation when proposing implementation solutions (e.g. third-party certification and use of relevant codes of conduct under the GDPR), and avoid replicating requirements stemming from such legislation.
- Links with standards & codes:
The policy rules should leverage relevant existing standards and codes of conduct to facilitate implementation.
For the cybersecurity section, references to relevant ISO standards should be included rather than creating new, similar (yet different) provisions. Where there are references to national certification schemes [2], it is important to clarify how they interrelate and are recognised by other EU countries, and to mention any other EU-wide or international option.
For the portability section, the PRD should only refer to the Free Flow of Non-Personal Data Regulation and its mechanism for promoting data flows via data porting. Any data portability implementation details should be delegated to the ecosystem supporting the regulation (such as SWIPO).
- Data spaces:
Relationship with Gaia-X: Beyond the current scope of the policy rules, we recommend further clarifying the relationship between the Gaia-X AISBL, its data spaces activities and its national hubs. For Gaia-X members who want to support and participate in the ecosystem, it is important to fully understand the respective roles and interactions. Furthermore, it is crucial that all Gaia-X initiatives supporting the data spaces are designed in coordination with the Common European Data Spaces backed by the European Commission, ensuring alignment and avoiding duplication of initiatives.
Sector-specific rules for data spaces: The policy rules should not elaborate on the data sharing rules and policies within the Gaia-X-supported data spaces. The PRD should thus note that there will be rules and policies specific to each data space, duly considering the singularities and inherent particularities of every sector.
[1] DIGITALEUROPE’s principles for a successful Gaia-X ecosystem, March 2021, https://www.digitaleurope.org/resources/digitaleuropes-principles-for-a-successful-gaia-x-ecosystem/
[2] For instance, French (ANSSI SecNumCloud) and German (BSI C5).