Written by Giulia Lo Bue Oddo
This policy paper is the second part of a two-part series which explores the EU’s strategy for digital sovereignty and looks into the pre-existing and proposed EU legislation. Taking its lead from the first paper, which presented an overview of the current situation and explained the EU’s reasons for pushing for digital autonomy, this paper presents the GAIA-X initiative and shows how it could act as a highway to connect the different EU legislations on digitalization and how it could ensure a competitive EU digital economy.
2. The consequences of digitalization
Digitalization is gaining considerable momentum in both critical and non-critical industries, with data being increasingly stored and exchanged. While the Digital Acts (Governance and Markets), the regulations for the free flow of personal and non-personal data (GDPR & FFD) and cybersecurity legislation such as NIS & the Cybersecurity Act lay the legal foundations for a healthy economy – with portability, data reuse and data sharing at the forefront of secure dataspaces – GAIA-X focuses on the data sharing infrastructure to provide trustworthy and secure spaces and services (Bonefeld-Dahl, 2021).
3. Introducing GAIA-X
The GAIA-X project has been hailed as an Important Project of Common European Interest (IPCEI) on Next Gen Cloud Infrastructure and Service (CIS) – namely a coordinated industrial response to foster European data leadership. It is intended to reduce tech dependencies on foreign hyperscalers (big market players which offer scalable cloud computing services such as GAFAM) and strengthen the value chain of the EU’s digital market, in line with the 2030 Digital Compass Plan. Although details on the technical plan have not fully emerged, GAIA-X should be seen as a framework to securely exchange non-private and private data. As an open data platform based on European standards, it would offer advantages to both critical sectors (e.g. exchanging healthcare data to improve patient care) and non-critical sectors alike (e.g. benefiting from big data to predict the optimal time for maintenance work).
Data sovereignty and strategic independence in technology can be thought of as securing data at rest (where does it reside?), data in motion (where is it flowing to?), and data in use (where is it being temporarily stored and processed?). As data was digitised (converted to digital form), businesses sought to capitalise on the transformation by digitalising (i.e. using technology to collect, analyse and process data). As a result, cloud services emerged to provide scalability and mobility compared to traditional IT systems. Many businesses have already fully transitioned to the Cloud – the 2019 Cloud Monitor study shows three out of four German companies relying on cloud services (GTAI, 2021). The digitalization of essential services, however, is more recent (Greens-EFA, 2020). Indeed, while some EU industries and public sector organisations are transitioning to cloud data centres (such as Amazon Web Services (AWS) and Google Azure) to process, compute, and store data, the digitalization of critical sectors (e.g. the digitization and digitalisation of finance, healthcare, and critical utilities) must occur in a more controlled environment, governed by legislation and state-of-the-art technology.
To date, data in use is not fully protected from either a legal or a technical perspective, since Cloud Providers are able to access it. Indeed, the possibility that hypervisors can access the memory of virtual machines is currently dealt with only at an organisational level – with companies stating that administrators are unable to have direct access to such information. Regarding technical solutions, the current landscape offers two of them (Banse, 2021): the first involves having the cloud services run in a trusted execution environment, where the memory of the service is encrypted and integrity verification checks are performed. Some popular instances of this are Apple Secure Enclave and Arm TrustZone. The second is more ambitious, in that it entails completely protecting virtual machines. Amazon Azure and Google Kubernetes are currently exploring this possibility and have identified denial of service (DoS) and synchronisation issues as potential flaws. Regarding the legal aspect of protecting data in use, some legislative elements (e.g. protecting data in databases) are either pending or planned. Technically, the EU also lacks a proof of concept for a unified technical response. It is therefore obvious that work still has to be done to attest that a cloud service, and therefore the data on the cloud, is secure and constitutes ‘confidential computing’ that is compliant with EU laws and immune from foreign legislation.
4. GAIA-X: The ‘highway’ to digital sovereignty
GAIA-X is a pan-European project, launched in late 2019, and aimed at creating a federated data infrastructure for Europe. On top of the traditional Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) layers for cloud services (e.g. AWS and Microsoft Azure respectively), the project wishes to explore the use of novel techniques such as edge computing (mentioning ‘Distributed Federated Edge Continuum’ and ‘Federated Cloud Management’) while stressing the importance of security and interoperability (Eggers, 2020).
When coupled with the pre-existing legal foundation for data-sharing and data protection, the multi-provider cloud strategy would provide agility, security, automation, and innovation while contributing to the 2030 Digital Compass plan and fostering innovation and competition. Indeed, in striving to create a legally secure place for data, the GAIA-X project brings the Digital Markets Act (DMA), NIS Directive & Cybersecurity Act, GDPR and FFD, and the Data Governance Act together.
Regarding the Cybersecurity Act, services placed on the federated platform (GAIA) would have to be certified. Although the details of how this would occur have not been specified, the services on the GAIA platform should be classified according to three levels of assurance, in line with ENISA’s European Union Cybersecurity Certification Scheme on Cloud Service (EUCS). The levels (basic, substantial and high) would offer various security levels, with continuous audits needed to ensure the validity of the “high” certificate with time (ENISA, 2021). The GAIA-X project is seen as the first step in securing data sovereignty. By issuing verification certifications that demonstrate the assurance level of service on the cloud, the project aims to tackle the issue of protecting data against the cloud provider itself. Under this framework, cloud providers would have to submit documents to showcase their compliance with technical and regulatory processes. Criteria include openness, interoperability, transparency and trust. Audits (with verifications including penetration testing) would then evaluate the trustworthiness of the services, thereby providing reassurance to the client.
Regarding the DMA, GAIA-X can be seen as the EU’s response to break the dependence of EU businesses on GAFA hyperscalers and provide a secure market. These concerns are not ill-founded: investigations (Privacy Company, 2021) consistently show some public cloud providers violating GDPR and FFD requirements in their privacy statements, which explicitly state that metadata can be kept or transferred to their facilities (Karlstad, 2021).
Regarding GDPR and FFD, EU documents specify that GAIA-X must be a GDPR and FFD-compliant infrastructure. Lastly, in line with the Data Governance Act and DMA, interoperability is achieved by requiring the software services on the cloud to be transparent, interoperable, and independent from third parties. Moreover, open standards are promoted and open-source software which is certified, compliant with data protection regulations, and compatible with various manufacturers can be marketed on the multi-cloud GAIA solution.
Although the EU could keep control over its data by developing an independent European cloud, it would face steep competition as it fights against well-established giants such as GAFAM. On the other hand, by implementing a cybersecurity certification framework that attests the security of cloud services, the EU would ensure that services on the cloud are immune from non-EU law. This matter is imperative for the critical sectors which deal with special classes of data, such as sensitive personal and non-personal data. By allowing the EU to keep control over tech policy, and ultimately reach strategic autonomy and data sovereignty, cyber-certification would also contribute to the development of the Digital Single Market and the free flow of data regulation, thereby fostering innovation.
Regarding the exchange of data between different services, data should be incorporated within applications that are isolated, integrity-protected and encrypted. An example of this is the International Data Space (IDS) idea, which uses connectors both for interoperability and to allow for mutual authentication between different companies (e.g. using software fingerprinting). It also performs certificate verification checks before running the application on the client’s Virtual Machine (Banse, 2021). This idea could be generalised to the transfer of data in cloud computing. More specifically, instead of connectors, remote attestation APIs and protocols would act as the security mechanism: they would detect the presence of untrusted cloud services and provide a guarantee of trustworthiness for the rest.
Moving to the implementation details, data which proves the existence and effectiveness of the technical means implemented by the cloud service must be collected periodically to assess the validity of the certificate. Looking at the EU, the MEDINA project (part of the Horizon 2020 programme) offers a framework of tools and techniques to support cloud service providers in achieving continuous certification aligned to EUCS by establishing continuous auditing. Evidence from the target service is continuously checked against the security requirements (constraints) of the cloud workloads. If the requirements are fulfilled, the certificate’s validity is confirmed. Data about system hardening, data segregation and integrity verification should be collected to ensure the safety of data in use, while information on transport encryption and the usage and storage of cryptographic keys would be evaluated to assess the safety of data in transit. Moreover, edge computing should be used to achieve interoperability (in the form of APIs) and to run automated security checks on the cloud which collect information to prove the safety and certification level of data in use or data in transit.
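The continuous-auditing loop described above, as an added illustration that is not code from the paper or from the MEDINA project: the newest piece of evidence per requirement is checked against the constraints of a target assurance level, and the ‘high’ certificate is only confirmed while its evidence is fresh. The requirement names, the three requirement sets and the maximum evidence ages are assumptions made for the example, not the EUCS catalogue.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Hypothetical requirement sets per assurance level (illustrative, not the EUCS catalogue).
REQUIREMENTS = {
    "basic": {"transport_encryption"},
    "substantial": {"transport_encryption", "system_hardening", "key_storage"},
    "high": {"transport_encryption", "system_hardening", "key_storage",
             "data_segregation", "integrity_verification"},
}
# Assumed maximum age of evidence before it stops supporting the certificate; the "high"
# level is only valid while it is continuously re-audited, so its window is short.
MAX_EVIDENCE_AGE = {"basic": timedelta(days=365), "substantial": timedelta(days=90),
                    "high": timedelta(hours=24)}

@dataclass
class Evidence:
    requirement: str       # the requirement this evidence speaks to
    fulfilled: bool        # did the automated check pass?
    collected_at: datetime

def assess(evidence, level, now):
    """Check the newest evidence per requirement; return (valid, list of failures)."""
    latest = {}
    for e in evidence:
        cur = latest.get(e.requirement)
        if cur is None or e.collected_at > cur.collected_at:
            latest[e.requirement] = e
    failures = []
    for req in sorted(REQUIREMENTS[level]):
        e = latest.get(req)
        if e is None:
            failures.append(f"{req}: no evidence collected")
        elif not e.fulfilled:
            failures.append(f"{req}: requirement not met")
        elif now - e.collected_at > MAX_EVIDENCE_AGE[level]:
            failures.append(f"{req}: evidence stale")
    return not failures, failures

def highest_valid_level(evidence, now):
    """Highest assurance level the current evidence still supports, or None."""
    for level in ("high", "substantial", "basic"):
        if assess(evidence, level, now)[0]:
            return level
    return None

# Constructed sample: every control passes, but the integrity check last ran 3 days ago.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [Evidence(r, True, NOW - timedelta(hours=1)) for r in
          ("transport_encryption", "system_hardening", "key_storage", "data_segregation")]
SAMPLE.append(Evidence("integrity_verification", True, NOW - timedelta(days=3)))
```

With the sample evidence the service no longer qualifies for ‘high’ (stale integrity evidence) but still supports ‘substantial’, which is the kind of downgrade a continuous audit is meant to surface.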
By establishing the next generation of data infrastructure, the EU initiative GAIA-X aims to promote and develop the digital economy, bringing together people from different companies, research institutions, associations and political parties to form a European cloud provider ecosystem and to build solutions that can be protected by EU law. In making an open, transparent and secure digital ecosystem where data and services can be made available, collated and shared in an environment of trust, GAIA-X is the highway to the EU’s sovereign cloud. Ideally, GAIA-X will be an efficient, highly performant and secure federated ecosystem with fast data connections.
5. Summary and the road ahead
The second part of this two-part policy paper focused on GAIA-X, the orchestrator service which unites the different specialised service providers and legislations, allowing for openness, transparency, interoperability and trust – in line with the long-term strategies of the EU’s digital vision. The EU must consolidate the overarching EU laws and directives to mitigate the risk of foreign access to critical data and the dependence that comes with it. With a strong focus on civil rights and strict data privacy rooted in European culture, dataspaces must fall under EU jurisdiction, which means that the legal frameworks the EU puts in place must collectively counter the validity of foreign laws which conflict with EU values. To ensure GAIA-X’s success, a common certification framework along with the proper technical means must allow for openness, transparency, interoperability and trust. Overall, GAIA-X’s success will pave the way to fulfilling both objectives and long-term strategies in line with the EU’s 2030 Digital Compass vision.