Written by Giulia Lo Bue Oddo

1. Introduction

This policy paper is the second part of a two-part series exploring the EU's strategy for digital sovereignty and the pre-existing and proposed EU legislation behind it. Taking its lead from the first paper, which presented an overview of the current situation and explained the EU's reasons for pushing for digital autonomy, this paper presents the GAIA-X initiative and shows how it could act as a highway connecting the different pieces of EU legislation on digitalization, and how it could help ensure a competitive EU digital economy.

2. The consequences of digitalization

Digitalization is gaining considerable momentum in both critical and non-critical industries, with ever more data being stored and exchanged. While the Data Governance Act and the Digital Markets Act, the regulations on the free flow of personal and non-personal data (GDPR and FFD) and cybersecurity legislation such as the NIS Directive and the Cybersecurity Act lay the legal foundations for a healthy data economy, with portability, data reuse and data sharing at the forefront of secure dataspaces, GAIA-X focuses on the data-sharing infrastructure itself, aiming to provide trustworthy and secure spaces and services (Bonefeld-Dahl, 2021).

3. Introducing GAIA-X

The GAIA-X project has been designated an Important Project of Common European Interest (IPCEI) on Next Generation Cloud Infrastructure and Services (CIS), that is, a coordinated industrial response intended to foster European data leadership. It is meant to reduce technological dependence on foreign hyperscalers (large providers of scalable cloud computing services, such as GAFAM) and to strengthen the value chain of the EU's digital market, in line with the 2030 Digital Compass plan. Although the technical plan has not fully emerged, GAIA-X should be understood as a framework for securely exchanging both personal and non-personal data. As an open data platform based on European standards, it would offer advantages to critical sectors (e.g. exchanging healthcare data to improve patient care) and non-critical sectors alike (e.g. using big data to predict the optimal time for maintenance work).

Data sovereignty and strategic independence in technology can be thought of as securing data at rest (where does it reside?), data in motion (where is it flowing to?) and data in use (where is it temporarily stored and processed?). As data was digitised (converted to digital form), businesses sought to capitalise on the transformation by digitalising (i.e. using technology to collect, analyse and process data). Cloud services emerged as a result, offering scalability and mobility compared with traditional IT systems. Many businesses have already fully transitioned to the cloud: the 2019 Cloud Monitor study found three out of four German companies relying on cloud services (GTAI, 2021). The digitalization of essential services, however, is more recent (Greens-EFA, 2020). While some EU industries and public-sector organisations are moving to hyperscaler data centres (such as Amazon Web Services (AWS) and Microsoft Azure) to process, compute and store data, the digitalization of critical sectors (e.g. the digitization and digitalisation of finance, healthcare and critical utilities) must take place in a more controlled environment, governed by legislation and state-of-the-art technology.

To date, data in use is not fully protected from either a legal or a technical perspective, since cloud providers are in a position to access it. The fact that a hypervisor can read the memory of the virtual machines it hosts is currently addressed only at an organisational level, with providers asserting that their administrators have no direct access to that memory. On the technical side, the current landscape offers two approaches (Banse, 2021). The first runs the cloud service inside a trusted execution environment (TEE), where the memory of the service is encrypted and integrity verification checks are performed; Arm TrustZone and Apple's Secure Enclave are well-known TEEs on client devices, while Intel SGX plays this role on server CPUs. The second is more ambitious in that it protects entire virtual machines (confidential VMs); Microsoft Azure and Google Cloud are currently exploring this, and denial of service (DoS) and synchronisation issues have been identified as potential weaknesses. Even with these mechanisms, the guarantee only holds for a tenant that verifies the attestation evidence itself and controls the keys that unlock its data, rather than taking the provider's word for it. Regarding the legal aspect of protecting data in use, some legislative elements (e.g. protection of data held in databases) are either pending or planned. Technically, the EU also lacks a proof of concept for a unified response. Work therefore remains to be done before it can be attested that a cloud service, and hence the data it processes, is secure, constitutes 'confidential computing', complies with EU law and is shielded from foreign legislation.

4. GAIA-X: The ‘highway’ to digital sovereignty

GAIA-X is a pan-European project, launched in late 2019, aimed at creating a federated data infrastructure for Europe. On top of the traditional Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) layers offered by cloud providers such as AWS and Microsoft Azure, the project intends to explore novel techniques such as edge computing (its architecture documents refer to a 'Distributed Federated Edge Continuum' and 'Federated Cloud Management') while stressing the importance of security and interoperability (Eggers, 2020).

When coupled with the pre-existing legal foundation for data sharing and data protection, this multi-provider cloud strategy would provide agility, security, automation and innovation while contributing to the 2030 Digital Compass plan and fostering competition. In striving to create a legally secure place for data, the GAIA-X project brings together the Digital Markets Act (DMA), the NIS Directive and Cybersecurity Act, the GDPR and FFD, and the Data Governance Act.

Regarding the Cybersecurity Act, services placed on the federated GAIA-X platform would have to be certified. Although the details of how this would work have not been specified, services on the platform should be classified according to three assurance levels, in line with ENISA's candidate European Cybersecurity Certification Scheme for Cloud Services (EUCS). The three levels (basic, substantial and high) correspond to increasing assurance, and continuous auditing is needed to keep a 'high' certificate valid over time (ENISA, 2021). The GAIA-X project is seen as the first step in securing data sovereignty. By issuing certificates that attest the assurance level of a cloud service, the project aims to tackle the problem of protecting data against the cloud provider itself. Under this framework, cloud providers would have to submit documentation demonstrating their compliance with technical and regulatory requirements; the criteria include openness, interoperability, transparency and trust. Audits (including penetration testing) would then evaluate the trustworthiness of the services, providing assurance to the client.

Regarding the DMA, GAIA-X can be seen as the EU's response to the dependence of EU businesses on GAFAM hyperscalers and as an attempt to provide a secure market. These concerns are not ill-founded: investigations (Privacy Company, 2021) consistently show the privacy statements of some public cloud providers conflicting with GDPR and FFD requirements, for instance by explicitly stating that metadata may be retained by the provider or transferred to its own facilities (Karlstad, 2021).

Regarding the GDPR and FFD, EU documents specify that GAIA-X must be a GDPR- and FFD-compliant infrastructure. Lastly, in line with the Data Governance Act and the DMA, interoperability is achieved by requiring the software services on the platform to be transparent, interoperable and independent of third parties. Open standards are promoted, and open-source software that is certified, compliant with data protection regulation and compatible with products from various manufacturers can be marketed on the multi-cloud GAIA-X solution.

Although the EU could keep control over its data by developing an independent European cloud, such a cloud would face steep competition from well-established giants such as GAFAM. By instead implementing a cybersecurity certification framework that attests the security of cloud services, the EU could require that certified services are shielded from non-EU law. This matters most for the critical sectors, which handle special categories of data such as sensitive personal and non-personal data. By allowing the EU to keep control over technology policy, and ultimately to reach strategic autonomy and data sovereignty, cyber-certification would also contribute to the development of the Digital Single Market and the free flow of data, thereby fostering innovation.

Regarding the exchange of data between different services, data should be handled within applications that are isolated, integrity-protected and encrypted. An example of this is the International Data Spaces (IDS) approach, which uses connectors both for interoperability and for mutual authentication between companies (e.g. using software fingerprinting), and which performs certificate verification checks before running the application on the client's virtual machine (Banse, 2021). The idea could be generalised to data transfer in cloud computing: instead of connectors, remote attestation APIs and protocols would serve as the security mechanism, flagging untrusted cloud services and establishing the trustworthiness of the rest.
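The remote attestation exchange described above, written out as an added example that is not part of the original paper or of any GAIA-X or IDS code: the verifier issues a fresh nonce, the attester returns the nonce together with measurements of its firmware, kernel and workload under a signature, and the verifier accepts only a report whose signature checks, whose nonce matches and is still fresh, and whose measurements are on its allow-list. The shared HMAC key, the component names and the measurement values are constructed for the demonstration; real hardware attestation (a TPM quote or a CPU vendor's attestation report) signs with a hardware-rooted asymmetric key and a vendor certificate chain, which the HMAC stands in for here.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key standing in for a hardware-rooted attestation key.
# (Assumption: in a real deployment the verifier holds the attester's
# public key / certificate chain instead of a shared secret.)
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"

# Allow-list of measurements the verifier accepts. Constructed values; in
# practice these are hashes of the firmware, kernel/initrd and service image
# published alongside the certified service.
EXPECTED_MEASUREMENTS = {
    "firmware": hashlib.sha256(b"firmware-v1").hexdigest(),
    "kernel": hashlib.sha256(b"kernel-v1").hexdigest(),
    "workload": hashlib.sha256(b"service-image-v1").hexdigest(),
}

# A challenge older than this is refused, bounding the replay window.
NONCE_TTL_SECONDS = 60


def new_challenge():
    """Verifier side: a fresh random nonce bound to its issue time."""
    return {"nonce": os.urandom(16).hex(), "issued": time.time()}


def _canonical(body):
    # Canonical JSON so attester and verifier sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def produce_report(challenge, measurements, key=ATTESTATION_KEY):
    """Attester side: bind the verifier's nonce to the current measurements."""
    body = {"nonce": challenge["nonce"], "measurements": dict(measurements)}
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_report(challenge, report, now=None, key=ATTESTATION_KEY):
    """Verifier side. Returns (trusted, reasons); reasons is empty when trusted."""
    now = time.time() if now is None else now

    # 1. Authenticity first: do not reason about an unsigned body at all.
    expected = hmac.new(key, _canonical(report["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["signature"]):
        return False, ["signature invalid"]

    reasons = []
    # 2. Freshness: the report must answer this challenge, and recently.
    if report["body"]["nonce"] != challenge["nonce"]:
        reasons.append("nonce mismatch (replayed report)")
    if now - challenge["issued"] > NONCE_TTL_SECONDS:
        reasons.append("challenge expired")

    # 3. Policy: every measured component must be on the allow-list.
    reported = report["body"].get("measurements", {})
    for component, allowed in EXPECTED_MEASUREMENTS.items():
        if reported.get(component) != allowed:
            reasons.append(f"{component} measurement not on allow-list")

    return (not reasons), reasons


if __name__ == "__main__":
    challenge = new_challenge()
    report = produce_report(challenge, EXPECTED_MEASUREMENTS)
    print(verify_report(challenge, report))
```

The ordering inside `verify_report` is the part worth copying: the signature is checked before anything in the body is trusted, the nonce is compared against the verifier's own record rather than anything the attester sent, and a good signature over an unexpected measurement is still a rejection, since a correctly attested but unapproved workload is exactly what the allow-list exists to catch.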

Moving to the implementation details, evidence proving the existence and effectiveness of the technical measures implemented by a cloud service must be collected periodically to assess the continued validity of its certificate. Within the EU, the MEDINA project (part of the Horizon 2020 programme) offers a framework of tools and techniques to support cloud service providers in achieving continuous certification aligned with the EUCS by establishing continuous auditing. Evidence from the target service is continuously checked against the security requirements (constraints) applicable to the cloud workloads, and the certificate's validity is confirmed only while those requirements are met. Evidence on system hardening, data segregation and integrity verification should be collected to judge the protection of data in use, while information on transport encryption and on the use and storage of cryptographic keys would be evaluated to judge the protection of data in transit. The edge layer should expose interoperable APIs and run automated security checks that gather the evidence needed to demonstrate the protection and certification level of data in use and in transit.
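One way to structure the continuous assessment loop just described, as an added example that is not MEDINA's or GAIA-X's own code: each evidence record collected from the service is evaluated against a requirement catalogue in which every control carries the lowest assurance level that demands it, the achieved level is the highest one whose controls all pass, and evidence older than a freshness window supports no level at all. The control identifiers, thresholds, freshness window and the two evidence records below are constructed for illustration and are not taken from the EUCS.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assurance levels in increasing order; each level includes the controls of
# the levels below it.
LEVELS = ["basic", "substantial", "high"]

# Hypothetical requirement catalogue: (control id, lowest level requiring it,
# predicate over one evidence record). Constructed, not EUCS controls.
REQUIREMENTS: List[tuple] = [
    ("TLS-MIN-VERSION", "basic", lambda e: e.get("tls_min_version", 0) >= 1.2),
    ("DISK-ENCRYPTION", "basic", lambda e: e.get("disk_encryption") is True),
    ("KEYS-IN-HSM", "substantial", lambda e: e.get("key_storage") == "hsm"),
    ("HOST-HARDENING", "substantial", lambda e: e.get("hardening_score", 0) >= 90),
    ("MEMORY-ENCRYPTION", "high", lambda e: e.get("memory_encryption") is True),
    ("ATTESTATION-VERIFIED", "high", lambda e: e.get("attestation_ok") is True),
]

# Evidence older than this supports no assurance level (assumed window).
EVIDENCE_MAX_AGE_SECONDS = 24 * 3600


@dataclass
class Assessment:
    target_level: str
    achieved_level: Optional[str]   # None when evidence is stale or basic fails
    failed_controls: List[str]      # controls required at target_level that fail
    stale: bool


def failing_controls(evidence: dict, level: str) -> List[str]:
    """Controls required at `level` (cumulative) that the evidence does not satisfy."""
    rank = LEVELS.index(level)
    return [cid for cid, min_level, check in REQUIREMENTS
            if LEVELS.index(min_level) <= rank and not check(evidence)]


def assess(evidence: dict, target_level: str, now: float) -> Assessment:
    """One evaluation cycle over a single evidence record."""
    stale = (now - evidence["collected_at"]) > EVIDENCE_MAX_AGE_SECONDS
    achieved = None
    if not stale:
        for level in LEVELS:            # walk upwards; stop at the first level that fails
            if failing_controls(evidence, level):
                break
            achieved = level
    return Assessment(target_level, achieved, failing_controls(evidence, target_level), stale)


def certificate_valid(a: Assessment) -> bool:
    """The certificate holds only while the achieved level covers the certified one."""
    return a.achieved_level is not None and \
        LEVELS.index(a.achieved_level) >= LEVELS.index(a.target_level)


# Constructed evidence records, e.g. as an automated collector might emit them.
EVIDENCE_OK = {
    "collected_at": 1_700_000_000, "tls_min_version": 1.2, "disk_encryption": True,
    "key_storage": "hsm", "hardening_score": 95, "memory_encryption": True,
    "attestation_ok": True,
}
# Same service after a configuration drift: keys moved out of the HSM.
EVIDENCE_DRIFTED = dict(EVIDENCE_OK, key_storage="software")


if __name__ == "__main__":
    for record in (EVIDENCE_OK, EVIDENCE_DRIFTED):
        a = assess(record, "high", now=1_700_000_600)
        print(a.achieved_level, a.failed_controls, certificate_valid(a))
```

Two design points carry over to any real evidence pipeline: levels are cumulative, so a single failing 'substantial' control caps the service at 'basic' no matter how well the 'high' controls score, and stale evidence is treated as absence of evidence rather than as continued compliance, which is what makes the audit genuinely continuous.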

By establishing the next generation of data infrastructure, the EU initiative GAIA-X aims to promote and develop the digital economy, bringing together people from companies, research institutions, associations and political parties to form a European cloud provider ecosystem and to build solutions that can be protected by EU law. In creating an open, transparent and secure digital ecosystem where data and services can be made available, collated and shared in an environment of trust, GAIA-X is the highway to the EU's sovereign cloud. Ideally, GAIA-X will be an efficient, highly performant and secure federated ecosystem with fast data connections.

5. Summary and the road ahead

This second part of the two-part policy paper focused on GAIA-X, the orchestrating framework that unites the different specialised service providers and the relevant legislation, allowing for openness, transparency, interoperability and trust, in line with the long-term strategies of the EU's digital vision. The EU must consolidate its overarching laws and directives to mitigate the risk of, and dependence on, foreign access to critical data. With a strong focus on civil rights and strict data privacy rooted in European culture, dataspaces must fall under EU jurisdiction, which means that the legal frameworks the EU puts in place must collectively counter the effect of foreign laws that conflict with EU values. To ensure GAIA-X's success, a common certification framework together with the proper technical means must deliver openness, transparency, interoperability and trust. Overall, GAIA-X's success would pave the way to fulfilling both the objectives and the long-term strategies of the EU's 2030 Digital Compass vision.

References

Abdou, M., & Vazquez, T. (2021, November 17). A manifesto for Europe’s next-generation edge cloud – opennebula – open source cloud & edge computing platform. OpenNebula. Retrieved December 22, 2021, from https://opennebula.io/opennebula-manifesto-for-europe-next-generation-edge-cloud/

Altmüller, S. (2020, July 31). Are we experiencing a comeback of the sovereignty concept? Seald. Retrieved January 14, 2022, from https://www.seald.io/blog/are-we-experiencing-a-comeback-of-the-sovereignty-concept

Banse, C. (2021, November 1). Data sovereignty in the cloud – wishful thinking or reality? Data Sovereignty in the Cloud – Wishful Thinking or Reality? | Proceedings of the 2021 on Cloud Computing Security Workshop. Retrieved January 17, 2022, from https://dl.acm.org/doi/abs/10.1145/3474123.3486792

Bertuzzi, L. (2021, October 1). EU countries Green Light New Data Governance Framework. www.euractiv.com. Retrieved December 22, 2021, from https://www.euractiv.com/section/data-protection/news/eu-counties-green-light-new-data-governance-framework/

Bonefeld-Dahl, C. (2021, May 26). My vision for gaia-X: 3 goals to bring Europe’s data economy to the next level. LinkedIn. Retrieved January 17, 2022, from https://www.linkedin.com/pulse/my-vision-gaia-x-3-goals-bring-europes-data-economy-bonefeld-dahl

Bracy, J. (2021, November 18). The future of data protection in the EU’s Digital Market Strategy. The future of data protection in the EU’s digital market strategy. Retrieved December 22, 2021, from https://iapp.org/news/a/the-future-of-data-protection-in-the-eus-digital-market-strategy/

Broadbent, M. (2021). Implications of the digital markets act for transatlantic cooperation. Implications of the Digital Markets Act for Transatlantic Cooperation | Center for Strategic and International Studies. Retrieved December 22, 2021, from https://www.csis.org/analysis/implications-digital-markets-act-transatlantic-cooperation

The Cloud Report (2020, May 19). Gaia-X – a European Hyperscaler. |The Cloud Report News, articles, interviews and tests. Retrieved December 22, 2021, from https://the-report.cloud/gaia-x-a-european-hyperscaler

CMS Law-Now (2021, June 8). European Commission moves ahead with proposed ‘data act’ regulating access to data in B2B and B2g relationships. CMS Law-Now TM. Retrieved January 17, 2022, from https://www.cms-lawnow.com/ealerts/2021/06/european-commission-moves-ahead-with-proposed-data-act-regulating-access-to-data?cc_lang=en

Dowden. (2020, December 9). National Data Strategy. GOV.UK. Retrieved January 17, 2022, from https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy

Eggers, G. et al (2020, June). Gaia-X: Technical architecture – data infrastructure. Retrieved January 17, 2022, from https://www.data-infrastructure.eu/GAIAX/Redaktion/EN/Publications/gaia-x-technical-architecture.pdf?__blob=publicationFile&v=5

EGI. (n.d.). Data and Cloud Federations: EGI, EOSC and gaia-X case studies. Retrieved December 22, 2021, from https://www.egi.eu/about/newsletters/data-and-cloud-federations-the-egi-eosc-and-gaia-x-case-studies/

ENISA. (2021, December 2). Certification schemes and cabs – FAQ. ENISA. Retrieved January 17, 2022, from https://www.enisa.europa.eu/topics/standards/certification/certification-schemes-and-cabs

ENISA. (2021, December 2). EU Cybersecurity Certification Framework. Retrieved December 22, 2021, from https://www.enisa.europa.eu/topics/standards/certification

European Parliament. (2021). Digital Markets Act: Ending Unfair Practices of Big Online Platforms. Digital. Retrieved December 22, 2021, from https://www.europarl.europa.eu/news/it/press-room/20211118IPR17636/digital-markets-act-ending-unfair-practices-of-big-online-platforms

European Parliament (2021) European critical infrastructure – european parliament. Retrieved December 22, 2021, from https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/662604/EPRS_BRI(2021)662604_EN.pdf

European Parliament (2021). Europe’s Digital Decade and autonomy – europarl.europa.eu. Retrieved December 22, 2021, from https://www.europarl.europa.eu/RegData/etudes/STUD/2021/695465/IPOL_STU(2021)695465_EN.pdf

Filipovich,Y . (2021, October 22). What you should know about cloud act, Schrems II and gaia-X? TietoEVRY. Retrieved December 22, 2021, from https://www.tietoevry.com/en/blog/2021/10/time-to-get-updated-on-cloud-act-schrems-ii-gaia-x-and-data-sovereignty-regulations/

GlobalNews. (2021, July 18). The ideological debate on EU Industrial Strategy Heats up – euractiv.com. injuredly. Retrieved January 17, 2022, from https://injuredly.com/the-ideological-debate-on-eu-industrial-strategy-heats-up-euractiv-com/

Grüll, P. (2021, January 14). German law aims to tackle the market power of Digital Giants. www.euractiv.com. Retrieved December 22, 2021, from https://www.euractiv.com/section/digital/news/new-german-amendment-aims-to-tackle-the-market-power-of-digital-giants/

GTAI (n.d.) Software industry. Invest – Investment in Germany. (n.d.). Retrieved January 17, 2022, from https://www.gtai.de/gtai-en/invest/industries/digital-economy/software

Hessel, S. (2021, November 3). The EU’s new data and Cybersecurity Law. reuschlaw Legal Consultants. Retrieved December 22, 2021, from https://www.reuschlaw.de/en/news/the-eus-new-data-and-cybersecurity-law/

Internationaldataspaces.org. (2021). European Data Summit 2021. Retrieved December 22, 2021, from https://internationaldataspaces.org/events/european-data-summit-2021/

IONOS (2021). The controversial CLOUD Act. [White Paper] https://www.itpro.co.uk/cloud/360423/the-controversial-cloud-act

Karlstad, W. (2021, November 9). Sovereign cloud – a necessary addition in your multi-cloud strategy. TietoEVRY. Retrieved December 22, 2021, from https://www.tietoevry.com/en/blog/2021/11/why-sovereign-cloud-is-a-hot-topic

Laird, J. (2021, April 26). Overview of the GDPR law. Privacy Policies. Retrieved December 22, 2021, from https://www.privacypolicies.com/blog/gdpr-overview/#:~:text=The%20EU’s%20General%20Data%20Protection,personal%20data%20for%20commercial%20purposes.

Leibfried, M. (2021, August 16). A Primer on Digital Sovereignty & Open Source. Open Sourcerers. Retrieved December 22, 2021, from https://www.opensourcerers.org/2021/08/16/a-primer-on-digital-sovereignty-open-source/

Medina. (n.d.) Medina-Project. Retrieved December 22, 2021, from https://medina-project.eu/

Myra. (2021, May 14)European Data Platform: GAIA-X: Myra Security. Retrieved December 22, 2021, from https://www.myrasecurity.com/en/why-gaia-x-is-important/

O’Donoghue, C., and Brooks, E. (2019) The European Parliament adopts first stance to proposed EU cybersecurity act. Technology Law Dispatch. Retrieved December 22, 2021, from https://www.technologylawdispatch.com/2019/03/privacy-data-protection/the-european-parliament-adopts-first-stance-to-proposed-eu-cybersecurity-act/

O’Donoghue, C., and McCluskey, C. (2018, August 1). EU to create a cybersecurity certification framework. Technology Law Dispatch. Retrieved December 22, 2021, from https://www.technologylawdispatch.com/2018/08/big-data/eu-to-create-a-cybersecurity-certification-framework/

Papakonstantinou, V. (2021, January 25). The “act-ification” of Eu Law: The (long-overdue) move towards “eponymous” Eu legislation. European Law Blog. Retrieved January 17, 2022, from https://europeanlawblog.eu/2021/01/26/the-act-ification-of-eu-law-the-long-overdue-move-towards-eponymous-eu-legislation/

Plusserver. (n.d.). Gaia-X: The Sovereign and open European cloud model. Retrieved December 22, 2021, from https://www.plusserver.com/en/perspectives/gaia-x

Privacy Company. (2021). New EU Code of Conduct for Cloud Providers: Not a GDPR Party. Retrieved January 17, 2022, from https://www.privacycompany.eu/blogpost-en/new-eucode-of-conduct-for-cloud-providers-not-a-gdpr-party

Protect our future – greens-EFA. (n.d.). Retrieved January 17, 2022, from https://extranet.greens-efa.eu/public/media/file/1/6494

Rauer, N., and Cameron, S. (2021, March 11). The EUS data governance act just part data sharing puzzle. Pinsent Masons. Retrieved December 22, 2021, from https://www.pinsentmasons.com/out-law/analysis/the-eus-data-governance-act-just-part-data-sharing-puzzle

Sahin, K., & Barker, T. (2020, December 7). Europe’s capacity to act in the global tech race. DGAP. Retrieved January 17, 2022, from https://dgap.org/en/research/publications/europes-capacity-act-global-tech-race

Sajfert, J. (2020, October 26). Bulk Data Interception/retention judgments of the CJEU – a victory and a defeat for privacy. European Law Blog. Retrieved December 22, 2021, from https://europeanlawblog.eu/2020/10/26/bulk-data-interception-retention-judgments-of-the-cjeu-a-victory-and-a-defeat-for-privacy/

Scott, M. (2018, January 28). Europe’s highest court sides with Facebook in privacy class-action lawsuit. POLITICO. Retrieved December 22, 2021, from https://www.politico.eu/article/facebook-ecj-european-court-justice-max-schrems-austria-lawsuit-classaction-privacy-data-protection-max-schrems/

Sharp Cookie Advisors (2020, November 26). Schrems II a summary – all you need to know. GDPR Summary. Retrieved December 22, 2021, from https://www.gdprsummary.com/schrems-ii/

Stolton, S. (2019, September 12). Altmaier’s cloud initiative and the pursuit of European Digital Sovereignty. www.euractiv.com. Retrieved January 17, 2022, from https://www.euractiv.com/section/data-protection/news/altmaiers-cloud-initiative-and-the-pursuit-of-european-digital-sovereignty/ 

Thomas Olsen, & Simonsen Vogt Wiig. (2021, November 1). Schrems II: The implications for data transfers and SCC. Lawyer Monthly | Legal News Magazine. Retrieved January 17, 2022, from https://www.lawyer-monthly.com/2021/11/schrems-ii-implications-for-data-transfers-and-scc/

Witte, C. (2021, July 12). Digitalpolitik: Wie sich die Parteien zu Gaia-X, DMA, it-förderung und Produkthaftung Stellen. VOICE e.V. Retrieved December 22, 2021, from https://voice-ev.org/digitalpolitik-wie-sich-die-parteien-zu-gaia-x-dma-it-foerderung-und-produkthaftung-stellen/ 
