16 Mar 2021

DIGITALEUROPE’s principles for a successful GAIA-X ecosystem

Key messages

DIGITALEUROPE strongly believes in the potential of GAIA-X to become a game-changing initiative to support innovative data exchanges and cloud and edge uptake in Europe. Pursuing our commitment to the GAIA-X project, after applying as day-1 member, we now propose recommendations to improve GAIA-X’s operations and deliverables:

  • Consolidate the governance structure. Further work is still needed to develop and enhance internal rules and procedures, particularly to best integrate newer members to the GAIA-X community.
  • Consult the wider community. Given the expected impact of GAIA-X, which will likely exceed the scope of its initial membership, any review and approval processes of major deliverables should be as inclusive as possible, ensure sufficient discussion among interested parties, to achieve maximum consensus.
  • Bring added value and flexibility. GAIA-X’s policy rules and architecture of standards (PRAAS) should only focus on principles needed to create the ecosystem and allow for different means of compliance while ensuring transparency on any variations and providing federated services respecting shared values and global standards.

Introduction

DIGITALEUROPE is a strong supporter of the GAIA-X project, more particularly its overarching goal to develop and foster an innovative and trusted data-driven ecosystem in Europe. We are convinced that GAIA-X can support innovation in Europe by enabling a decentralised infrastructure and architecture based on shared values, which would encourage data sharing and cloud and edge take-up by European companies, while advancing EU policy and standardisation discussions. DIGITALEUROPE has therefore decided to become a GAIA-X day-1 member and wishes to constructively contribute to this important European project.

Now that the GAIA-X AISBL has been formally established, DIGITALEUROPE considers it important to formulate, on behalf of its members, a set of views, questions and recommendations to enhance the operations of GAIA-X. Achieving an optimal functioning organisation is essential for GAIA-X to succeed in its ambitions to unlock Europe’s digital and data potential. Our observations can be broken down into 4 different aspects:

  • General observations on governance, transparency and processes of GAIA-X.
  • Observations on the process of defining policy rules and architecture of standards (PRAAS).
  • Observations on PRAAS content.
  • Observations on the governance and implementation of data spaces.

 


General remarks on governance, transparency & process

To help ensure that GAIA-X effectively accomplishes its overall objectives, we believe that it is of key importance for GAIA-X to establish a credible, transparent, fair and efficient governance structure with appropriate and adequate safeguards. We recommend to fully implement such governance framework before taking substantive and duly considered decisions on behalf of the broader community of GAIA-X members.

Therefore, it is crucial that GAIA-X continues its work in improving its governance structure, including its internal rules, policies and procedures, to make them more transparent, inclusive and fair. Concretely, now that the GAIA-X high-level “Articles of Association” have come into effect, each GAIA-X governance body (including the Board of Directors and each of the technical and policy committees and working groups), should operate under clear and comprehensive due process-based procedures and policies governing its work and decision-making processes. To ensure that decisions taken by those bodies are fair, transparent, trustworthy, effective, proportionate, non-discriminatory, and achieve maximum consensus, such procedures and policies should include details on how proposals are made, documented, discussed (including comments from impacted stakeholders who may not have a seat on the specific committee), finalised and approved.

We believe that the above proposals would provide more clarity on how GAIA-X day-1 members (which are not expected to be formally approved as “members” until mid-March at the earliest) and subsequent members can have a meaningful voice in the activities, decisions and outputs of GAIA-X.

Given its bold and ambitious mission, GAIA-X will be successful if it is able to represent its membership and community. This is a particularly important goal to work in the current transitional phase and towards formation of the AISBL’s secretariat, which should pave the way for an inclusive and effective sustainable governance.

Several members of DIGITALEUROPE have found it difficult to engage in GAIA-X activities. It is of utmost importance that GAIA-X establishes a single point of contact for its members, and that GAIA-X uses a consistent set of contact points, such as those stated in the letters of intent to become members. Building enough capacity and resources in the GAIA-X association’s secretariat will be key to successfully support the onboarding of its many new members.

We ask GAIA-X to urgently develop its by-laws, IPR policy and other governance documents (such as Committee rules of procedure, public comment policy, competition policy, written records policy, appeal processes, etc.) covering the different GAIA-X activities, with the opportunity for review and feedback. The absence of such procedures and rules makes it more difficult for stakeholders like DIGITALEUROPE and several of its members to potentially engage – as they may be committing to a project whose rules they may ultimately find insufficient and/or disagree with substantively.

The establishment of a clear IPR policy (that addresses, among other things, the requirements regarding the disclosure of possibly implicated IPR of all types and establishing required disclosure obligations and licensing commitments) would notably minimise the risk that GAIA-X deliverables would include stakeholders’ proprietary IPR without any up-front understanding or agreement as to the parameters of any related licensing programme. Without such disclosure and related licensing commitment, the IPR holder arguably can seek to exploit its IPR against the GAIA-X stakeholder community in ways that could undermine the GAIA-X project and/or unfairly or commercially benefit individual stakeholders, which goes against the GAIA-X principles of openness and transparency.


Observations on the PRAAS process

DIGITALEUROPE welcomes the objective of the PRAAS (Policy Rules and Architecture of Standards) to build a coherent policy framework within the GAIA-X ecosystem, to ensure the secure exchange and usage of data based on European values. The process of identifying the appropriate norms, recommendations and standards is of utmost importance to the success of GAIA-X and hence extremely relevant for its members.

At the same time, the PRAAS likely will identify certain requirements for a broad range of GAIA-X stakeholders that could impact market access. Therefore, DIGITALEUROPE believes that work on the revision of the PRAAS should be accompanied by in-depth internal consultation and defined feedback processes, allowing all GAIA-X members to constructively contribute to this milestone project. Ultimately, this will ensure that this set of rules is proportionate, non-discriminatory, and reflects a broad and workable consensus of both cloud users and service providers, and other stakeholders.

As has been recognised by Board Chair of GAIA-X Hubert Tardieu during a DIGITALEUROPE event on 3 February[1], standard-setting processes can take several years. In this specific context, GAIA-X seeks to adopt the PRAAS in a much faster pace to build on the momentum of its creation. While we understand the ambitions to make quick progress, DIGITALEUROPE supports a thorough process leading to a high-quality and consensus-based outcome that will further enable GAIA-X’s overall effectiveness and success.

Many DIGITALEUROPE members have intensely discussed the first draft version of the PRAAS (V1.1) published on 4 June 2020[2] and submitted concrete feedback for its future development during the Autumn 2020, as part of the formal GAIA-X consultation process[3]. To date, the comments sent have not been openly addressed and the exact process by which these comments are to be considered and consolidated into a PRAAS V2.0 has not yet been defined.

Specifically, part of the feedback from the community identified fundamental inconsistencies and raised significant questions regarding the PRAAS draft version 1.1. Therefore, for GAIA-X to succeed, we believe that the comments from the community must be addressed prior to any adoption of the PRAAS by the AISBL. This review of comments should be open, transparent, and consensus-based in the interest of establishing a consensual foundation for the GAIA-X policy rules in the short and medium terms and, in the long term, an appropriate basis for the work of the European Commission for its future Cloud Rulebook. We believe that upholding the processes outlined above would ensure adequate consultation and would support continued successful project design and stakeholder engagement within GAIA-X.

Members also wish to actively participate in the GAIA-X governance groups that are currently working on the next release of the Policy Rules, of the Technical Architecture, and of the Architecture of Standards documents to help shaping and finalising PRAAS V2.0. Unfortunately, this has been challenging in the absence of clear processes for onboarding, and without real meaningful involvement of the broad group of day-1 members. It is important to improve the current working arrangements and to determine clear, approved processes and good governance rules, to ensure transparency, openness and inclusiveness (especially of all impacted stakeholders).

Thus, we strongly recommend that a second open and meaningful consultation process takes place before the next release of the PRAAS is formally adopted.

Additionally, it is important that version 2 of the PRAAS is not considered adopted without a formal approval process being held in the GAIA-X AISBL. Given the importance of the document for the development of the GAIA-X ecosystem, we believe that adoption of the PRAAS would have to be carried at both Board of Directors and General Assembly levels.

Regarding the future development of PRAAS, DIGITALEUROPE recommends clarity about the frequency of the review and evaluation of the document. To that end, a regular, inclusive, consensus-based and transparent feedback and review process should be introduced.


Observations on PRAAS content

The PRAAS (Policy Rules and Architecture of Standards) is currently conceived as a long list of detailed requirements contained in a spreadsheet. We believe that in order to be easy to use and efficiently implemented, the PRAAS should go beyond being a compilation of a vast number of rules, and rather seek to focus on the rules and standards deemed most crucial. The ultimate goal of such norms should always be to stimulate secure and innovative data-driven models and cloud usage. Thus, a clearer set of requirements and explanations about the rationale used for choosing the rules should be included in the PRAAS document, for instance in the form of a summary outlining the essence of these rules and the principles used to design them.

As stated by GAIA-X, the policy rules and the architecture of standards are closely connected. Therefore, we suggest to ensure close coordination between these two workstreams.

The distinction between mandatory policies and optional standards should be clarified, including by providing a concrete and precise definition of “mandatory”. The PRAAS document must clearly demonstrate when compliance with GAIA-X requires one specific policy and when it can be achieved by a selection from various existing standards. We recommend differentiating between high-level requirements and specific standards that can be used to ensure compliance with the high-level requirements. In addition, GAIA-X could allow alternative approaches to meet requirements (and avoid requiring the use of or adherence to an arguably proprietary solution) to the fullest extent possible. The use of alternatives should appear in service providers’ self-description and GAIA-X catalogue features, for users to be informed about key aspects of each service proposed.

DIGITALEUROPE underlines that the PRAAS should not selectively refer to existing legal acts or provisions. Compliance with applicable legal requirements is an obvious pre-requisite and does not depend on whether the rules are quoted in the PRAAS or not. Rather, referring to certain legal provisions can give the impression that some legal provisions are more important than others and thereby cause legal uncertainty. Additionally, partially quoting provisions can in practice lead to interpretation, potentially deviating from the legally binding rules.

Given that native cloud architecture has evolved to include a range of “as a Service” offerings that go beyond “IaaS”, “SaaS”, etc., and that the boundaries between them are ill-defined, the PRAAS should focus on establishing a single, comprehensive basic requirements framework that applies equally to all such services. This could further help customers to compare different cloud services offerings more effectively and efficiently. 

It is essential that the PRAAS refers as much as possible to established European or international standards, and only when they are recognised as finalised standards. If a specific goal can be achieved by complying with various equivalent standards, certificates and/or codes of conducts, providers should be able to choose how they specifically will meet any compliance requirements, while displaying the alternative chosen in the GAIA-X service discovery. Requiring adherence to a single selected standard should be avoided unless essential for interoperability or portability. In that regard, an exclusive focus in the PRAAS V1.1 on the CISPE Code of Conduct is inappropriate and contradicts the goal of an open and competitive ecosystem.

Furthermore, we believe that to ensure the sound functioning of the GAIA-X ecosystem, it is crucial that any compliance requirements mandated in the PRAAS do not require additional membership in other organisations, nor should any GAIAX AISBL member be mandated to provide any GAIA-X-compliant services. Conversely, membership of the GAIA-X AISBL should not be required for an organisation to be able to offer PRAAS-compliant services in the GAIA-X federated ecosystem.

We understand that GAIA-X wants to identify internationally recognised standards guaranteeing data sovereignty, data protection, data portability, information security, etc. From this perspective, questions arise about some of the rules proposed in the PRAAS V1.1 regarding location of data storage and processing, and the applicability of non-European extraterritorial regulation. While we support further transparency on the location of data storage and processing, we do not think that such requirements should go beyond applicable EU rules. In all circumstances, it is important not to create additional confusion for users and providers.


Relationship with data spaces

 

Governance of data spaces

Developing and supporting the data spaces is one of the core objectives of the GAIA-X project. In this context, we understand that the GAIA-X AISBL is currently working on one or several documents that would outline policy rules for certain data spaces.

Given the importance of the data spaces within GAIA-X, and more generally, as future drivers of the European data economy, it is important to ensure ample consultation and transparency on documents defining their framework. This would allow interested GAIA-X members to have the opportunity to express their views and to provide input and expertise on a topic which will be an important output and policy contribution of the association.

Transparency and inclusion of impacted stakeholders and GAIA-X members in the data spaces governance process is important, particularly in relation to the work that is also being done in the GAIA-X national hubs.

In general, we recommend more clarity on the relationship between the GAIA-X AISBL, its data spaces and its national hubs. For GAIA-X members who want to support and participate in the ecosystem, it is important to understand the respective roles and interactions.

In addition, it is crucial that the GAIA-X data spaces are designed in coordination with the Common European data spaces supported by the European Commission. Ensuring alignment and avoiding duplication of initiatives is crucial to create fit-for-purpose data spaces benefitting the European economy and society.

All developments – be it for infrastructure, marketplaces or data spaces – should be ‘use case oriented’ and satisfy business and societal needs. We recommend use cases to be ecosystem-based and (when relevant) cross-sectorial, with impact, speed, and value creation as key drivers.

 

Technical implementation of data spaces

GAIA-X strongly builds on the work of the International Data Spaces Association (IDSA) for the development of GAIA-X data spaces. More particularly, GAIA-X recommends the International Data Spaces standard (IDS), which aims to enable open, transparent and self-determined data exchange. We hope that GAIA-X will channel the strengths of the IDSA model but also accommodate its limitations.

In practice it appears that each participant to the International Data Spaces must undergo certification by IDSA-approved certification and evaluation facilities. It is important that such an arrangement would not affect the adoption of the IDS, particularly for smaller businesses. Additionally, it is unclear if, which, and to what extent certification requirements would apply to the components of the IDS ecosystem and/or participating organisations.

Questions also arise regarding the compatibility of the unitary static IDSA trust model with the interests of many large companies in Europe, which are likely to prefer a decentralised trust model where they get to define who provides trust for their respective communities. The current proposal for data spaces appears to only enable direct peer-to-peer data exchange between two companies and lack a design to enable multi-party data spaces.

Additionally, the IDSA standards do not specify how to deal with multi-jurisdiction scenarios and seem to require IDS participants to develop a separate solution for the data stored outside of the EU. This would complicate the efficient operations of user companies which operate globally.

The IDSA standards also do not define any metering and billing, and leave this to the participants, which may have negative consequences for smaller companies with less negotiation power.

Finally, it is not entirely clear if the open-source implementation of the IDSA connector is free from third-party intellectual property, hence it is not clear how the connector can be adopted within GAIA-X.


References:

[1] Speaking at DIGITALEUROPE’s ‘Masters of Digital’ event. Recording: youtu.be/9NzgwnT9zUM

[2] GAIA-X, PRAAS V1.1, https://www.data-infrastructure.eu/GAIAX/Redaktion/EN/Publications/gaia-x-policy-rules-and-architecture-of-standards.html

[3] We understand that around 800 comments were received by the GAIA-X founders.


For more information, please contact:
Julien Chasserieau
Associate Director for AI & Data Policy
Back to Digital Health
View the complete Policy Paper
PDF
Our resources on Digital Health
20 Nov 2024 Policy Paper
Legitimate interest: One of six legal bases to process personal data
20 Nov 2024 Policy Paper
Copyright and AI: For effective implementation of existing rules
14 Nov 2024 The Download
The Download - Taming the cyber storm whilst empowering European businesses to thrive
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept