Indeed, launching a collective project is far from being an easy task, but that precise challenge is also making the whole interest of it! At OVHcloud, and because our DNA is to focus on collective progress, our core challenge is to embark as many as possible on this long race to lead data revolution and master our digital future. Therefore, being part of Gaia-X was not even a question: it made – and still makes – pure sense.  

Aligning hundreds of players on labelling criteria is possible, and it will help the entire European market in its decision-making when it comes to cloud

When joining Gaia-X’s board, back in 2021, the very heart of the debates has been beating upon the organization’s labelling framework. Hence, even if Europe is often described as the most complex market in terms of regulations it is still surprisingly not the case when it comes to the very foundations of our digital future: the cloud. Across many codes of conducts, and self-regulations efforts, the core challenge has been to define a clear Trust Framework, backed up with strong Policy Rules that would nurture an ambitious labelling structure. And as these efforts are paying off, the full architecture of Gaia-X labels has been adopted as soon as last spring. They now guide the definition of a federated services catalogue that will be core to the Gaia-X value proposition.   

Where are these labels rooted?

They originate from the Policy Rules Document (now Policy Rules and Labelling Document) which sets a series of high-level objectives to be achieved by cloud services providers’ offerings. The labelling framework is also set on Gaia-X Trust framework which is the set of rules that define the minimum baseline to be part of the Gaia-X ecosystem. Those rules ensure a common governance and the basic levels of interoperability across individual ecosystems while letting the users in full control of their choices.

And what’s in it ?

The labels’ main objective is to provide cloud services users with transparent and trusted information to allow them to make informed choices and select the most appropriate services according to their needs. To that extent the labelling framework is composed of 62 criteria regarding contractual governance, transparency, data protection, security, portability and European control. 3 levels of labellization are offered with the highest (level 3) offering users the guarantee that the services they chose are located in the EEA but most importantly that they are protected against access from extraterritorial authorities.

Such a framework usually takes decades to define, but collectively, we did it! And guess what, we’ll do much more than setting the rules of our cloud game.

Gaia-X will not be an “Airbus-like” cloud, and we know how and why

Building on this huge milestone of Gaia-X labeling framework, dozens of developers, security experts and data scientists are already working on a dynamic catalogue, dedicated to the sorting and security stamps that each offering listed across the European market could claim.

And the first demos are already working! Because Gaia-X will never be a new cloud offering among others, but a clear decision-making support to help EU seize the full potential of its data revolution.

As such, we embarked Gaia-X federated services project: a consortium 6 of the 11 French founding members of Gaia-X including Atos, 3DS Outscale, Docaposte, OVHcloud, Institut Mines Telecom, as well as CISPE, BYO Networks, and Dawex. By working together on a project to accelerate the definition and development of Gaia-X federated services within Gaia-X governance, we all pushed so hard to pool it and lay the groundwork for an integrated Gaia-X catalogue that will stay true to Gaia-X value, all the while benefitting cloud users. In an open and completely transparent manner, the fruits of this collaboration will include documentation, specifications, architecture documents and source code.

More concretely, this catalogue will allow users to search, find and select cloud services by criteria and label levels, including data protection, cybersecurity and portability, that’s why it is so important to bring our contribution to it. The so-called GXFS-FR is the first building blocks for users to experiment and sort out services with a complete overview of the offerings they can leverage to evolve their data strategy.

Operationalization of Gaia-X is underway, and it shall come sooner than you expected

Satisfecit? Fine! But what’s next? A well-known futurist, Joel Arthur Barker, once said “a vision without action is merely a dream” so here we are, trying to change our digital future and the good news is that time for action has come.

The catalog, of which OVHcloud has been a major artisan through GXFS-FR project already encompasses more than 170 services whose compliance to Gaia-X Trust framework has been technically assessed.  As a founding member of Gaia-X, it was even more than our duty to be -once again- among the very first to bring our contribution, but this time in an operational mindset, declaring 30 of our main services that are all susceptible to be, at least, awarded a label level 1, thus providing users with the assurance that the services used comply with European regulations, and first and foremost the GDPR. We are also on track with 3 of our services which are likely to be certified at level 3 as expected based on our SecNumCloud certification, providing users with the guarantee that their data benefit from the highest level of protection, against cyber threats and access by extraterritorial authorities.

With these first building blocks for users to experiment and sort out services thanks to the complete overview enabled through Gaia-X Federated services catalogue. IT decision makers across Europe will now see clearly the offerings they can leverage to adapt their data strategy. Gaia-X is now on the way of its operationalization, and it is only the beginning so stay tuned! The best is yet to come.

C5: supporting decision makers in Germany in the selection process

In Germany there are five ‘Cs’ for the corresponding requirements: The criteria catalog C5 (Cloud Computing Compliance Criteria Catalog) of the Federal Office for Information Security (BSI) that specifies the minimum requirements for secure cloud computing and is aimed equally at cloud providers and their customers.

A selected few number of companies have already been able to secure the C5 certification – among them OVHcloud, one of the leading providers in this area. The certification not only stands for the proove that the respective provider is well positioned. It is also and above all a guide for companies and organizations when it comes to choosing a suitable cloud provider – highly relevant, not least for public tenders.

BSI’s C5 set of rules primarily consists of a list of security control mechanisms that were developed by the federal authority. First published in 2016 and revised in 2019, the catalog of requirements has now enjoys a high level of acceptance – more than a dozen attestations have been issued to date and thus ensure reliable compliance with safety-relevant standards. C5 was developed and implemented as an alternative or successor to a large number of different sets of rules that were supposed to ensure the security of the cloud beforehand. This included the ISO regulations 27001, 27002 and 27017 as well as the Cloud Control Matrix (CCM) of the Cloud Security Alliance (CSA).

With C5, a uniform compendium of the relevant safety requirements has been available for five years – one that is becoming increasingly relevant. In view of the fact that in 2020 the overwhelming majority of companies will use the cloud (over 80 percent) and half of them will spend an average of more than one million euros on corresponding services each year, the question of maximum security and data protection is one of the most urgent. C5 gives the answers. Those who are C5 certified can present themselves here with a clear conscience as a secure and data-discrete company. C5 offers customers the option of their own qualified risk management when selecting cloud providers.

And in France: SecNumCloud is the local answer

For internationally active companies in particular, however, the different regulations in the individual countries can be a problem. C5 certification in Germany is difficult to use as a selection argument for customers abroad. What about in Italy or France, for example? Or even in a non-EU country like Great Britain?

In France, the SecNumCloud regulation of the Agence nationale de la sécurité des systèmes d’information (ANSSI) applies accordingly. Those who comply with these rules demonstrate their compliance with IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service). The SecNumCloud certification stands for security through resilience and the ability to ward off even sophisticated cyber-attacks, as well as for trust through long-term data protection compliance. The regulation is aimed at public corporations, essential suppliers, and providers of digital services – and of course at the corresponding software / SaaS providers and system integrators.

Not to forget Italy: AGID-Compliance as proof of resilience

In Italy, the provisions of the Agenzia per l’Italia Digitale (AGID), the national IT supervisory authority, focus primarily on two types of requirements: company-specific and otherwise specified. The company or organization-specific conditions include the proven ability to master critical situations confidently, efficient quality management, 24/7 customer service and the adaptation of defined processes – including in the areas of change, configuration and incident management – and maximum transparency when concluding contracts.

The otherwise specified requirements of the Italian regulation include security and data protection rules, conditions for performance and scalability, a service quality guarantee over the entire life cycle as well as interoperability and portability.

And finally the United Kingdom: G-Cloud mainly for public sector customers

Finally, in Great Britain there is the government initiative G-Cloud, in which the ‘G’ stands for ‘Government’. This is aimed primarily at authorities and governmental institutions. It applies to four core areas: “Data in Transit Protection”, “Asset Protection and Resilience”, “Separation between Consumers” and “Governance Framework”. Through these core areas, the set of rules covers the essential security aspects when adapting cloud solutions by public institutions – with the aim of promoting this nationwide and making cloud computing the standard for the authorities. The regulations were revised and adapted in 2014 – together with a simplified classification into three instead of the previous six categories: ‘Official’, ‘Secret’ and ‘Top Secret’.

In summary

In summary each of these sets of rules contains its own characteristics, focal points and detailed solutions, so that in the pan-European plan view there is more of a patchwork quilt than a cross-border minimum standard. For providers, this means that what is decisive in one country does not necessarily have to be in another – so that in many cases complex adaptation measures are required in order to obtain the relevant certifications in the various markets. It is of course a great advantage if a company itself has high requirements for its cloud offering. As long as there is no European standard that internationally active customers can rely on, when choosing a provider they must ensure that the cloud solutions used have certifications in all relevant markets. This is the only way to ensure that compliance and security are guaranteed everywhere