GAIA-X initiative: A data infrastructure and federated cloud ecosystem for Europe
November 30 2020
by William Fellows
The GAIA-X initiative, which is proposing a next-generation data infrastructure for Europe, recently held its first summit. Its role will be to act as a depository for data across industries and as a way for organizations to find data and services, as well as the providers that can process the data.
The 451 Take
One view of GAIA-X is that it's an attempt to create the kind of infrastructure powerhouse that Europe has never managed to produce. However, GAIA-X is neither a cloud service nor a cloud management framework. Instead, GAIA-X is getting at something that nations and businesses alike have yet to definitively wrangle, which is the right of a consumer or business to determine which data is stored and where it is processed. GAIA-X is seeking to make it easier to extract value from and monetize that data (without the user losing control of it) within these safeguards. The EU's GDPR legislation and its current posture on competition are the prior art and present mood here, without which GAIA-X's cause would look like a fool's errand. It would also be wrong to view GAIA-X as 'just another EU project' benefitting the usual suspects; however, any measure of success will need to show GAIA-X is more than a device serving its sponsors' needs. Moreover, this is not just the usual suspects: the major hyperscalers have joined GAIA-X, whose explicit requirements include interoperability, sovereign data protection, portability and a reduction to the cost of switching between cloud providers.
GAIA-X was formed in 2019 and held its coming-out party this June, with 22 founding members (11 from Germany and 11 from France) including OVHcloud, BMW, Bosch, Deutsche Telekom, Atos, Siemens, SAP, Orange and EDF. In alignment with the European Commission, it plans to set European standards for data storage, protection and privacy; develop a platform that enables organizations to find data storage providers and applications using them; and facilitate data sharing between businesses in Europe. It will provide compliance and certification for this, and intends to play a regulatory role that it believes will result in a reduction to the cost of switching between cloud service providers, in addition to encouraging data portability and interoperability. It will require that participants adhere to EC standards such as GDPR, the Cybersecurity Act and the Free Flow of Non-Personal Data Regulation.
Despite all of the background noise that's been generated about this project, GAIA-X is not trying to create a cloud service or tools to manage cloud services or providers. It believes current practices, policies and processes are collectively holding back the monetization of data and the adoption of cloud services. It says that, across member states, an average of 26% of processing is done in the cloud, and hopes to help grow this to 50% within five years.
GAIA-X believes its benefits will include better access to data for AI training, a reduction of transaction costs by blurring the distinction between internal and external transactions, and the prevention of captive data markets via an organization of data exchanges across Europe's single digital market. It expects this will reduce the dependencies between customers and subcontractors, which currently use proprietary electronic data interchanges. The project will get off the ground in early 2021, with first proofs of concept available by the end of 2020. It claims some 150 organizations are seeking to provide infrastructure services via GAIA-X, with over 150 organizations with data looking to participate and use those services.
GAIA-X has been formed as a nonprofit organization under Belgian law. The EC has committed to providing €2bn ($2.38bn) in funding over the next six years to the initiative, expecting member states to contribute a further €2bn and private industry €3bn. As of mid-November, it had 181 members – 75% are in the private sector and 50% of them are SMEs. While most are from Germany, France and Italy, it is open to non-European companies. AWS, Google, IBM, HPE, Cisco and Microsoft are members, and many provided strong expressions of support from their respective cloud leaders. Alibaba and Huawei and service providers from non-EU countries are also members. All members can participate in all of the committees, but only European-headquartered companies will be able to be elected to its board of directors.
If GAIA-X is ostensibly and widely positioned as a European sovereign initiative designed (at least in part) to ease dependence on non-EU service providers, having US, Chinese and other non-European members certainly raises questions. Not admitting them would be simply ignoring the reality of the market, but there are challenges. For example, the US government's CLOUD Act requires its providers to turn over data belonging to their European customers, which certainly goes against GAIA-X principles. Microsoft believes GAIA-X shows that there is a more urgent need for new protection for customers moving data. It suggests that providing a contractual commitment to challenge government requests for data and offering compensation for having to disclose data may be a way forward – even a competitive differentiation for providers. One school of thought opines that GAIA-X rules could also end up being surfaced in model clauses, which are used in the EU as a common, standardized method for transferring personal data to controllers and processors in non-EU countries.
How it works: Federated Services, Data Spaces, Hubs
Data Spaces are the endgame for GAIA-X – effectively networks of data endpoints that follow the same rules. Each domain or use case will have a Data Space that defines the standards, compliance, certifications, ontologies and APIs it requires, which would need to be met by a service provider or data aggregator. Data Spaces will use standards set by The International Data Spaces Association. Data Spaces are expressed to GAIA-X via a network of regional 'Hubs,' which already exist for Germany, France and Finland and are under construction in six other European countries.
As an example, Germany's Hub already has nine different 'domains' – finance, energy, healthcare, agriculture, mobility, smart living, geo-information, public sector and manufacturing. There are 66 proposed use cases with data (and Data Spaces) seeking provider partners across these domains. In healthcare, these use cases include AI for clinical studies; Berlin Health Data Space – AI to beat acute kidney failure; Smart Health Connect, which uses data from wearables; and a surgical platform for AI-based risk identification.
GAIA-X will develop the services used to federate between Data Spaces and infrastructure providers, and will define requirements for Data Spaces and Hubs. The architectural view is that, via a portal, GAIA-X will provide identity and trust (identity management, trust management and federated access), a federated catalog of providers and services (with monitoring, metering, governance, descriptions), compliance (defining the relationship between service providers and consumers, the rights and obligations of participants, plus onboarding and certification), and a sovereign data exchange (policies and usage control for data protection and security). Participants will be able to check how data is used (eventually in real time). As a data integration activity, data won't be physically integrated, but is federated – not using a common schema, but at a semantic level (and with vocabularies such as eCl@ss, IHE and AAS). In addition to a legal framework (now being developed), GAIA-X will use the 'compliance flow' method of managing the compliance of dynamic and complex processes. It doesn't have one in the initial scope, but the creation of a repository for all GAIA-X OSS developments, policy implementation and issuance of digital certification tokens seems inevitable.
One idea floated at the summit is that funding to build GAIA-X could also be provided by participants purchasing GAIA-X tokens that confer a right to use services once they are in operation. French hyperscaler OVHcloud believes it will be first out of the gate with a GAIA-X offering in early 2021, in partnership with T-Systems. Other mechanisms that match users to service providers include HPE's long-established Cloud28+, which was founded in Europe. HPE is a member of GAIA-X, so compatibility between the two systems is inevitable.