DT input on introduction of "basic conformity" into gaiax policy rules - interplay with EU
Dear colleagues from PRC and PRD,

as discussions on the introduction of a new notion of "basic conformity" have been ongoing for some weeks now, we'd like to share once again our view on this development - and its interplay with the policy rules and labels - as it is our feeling that a lot of things are getting mixed up in the debate.

To start with, here's our view on what we tried so far - for the past 2 years - to achieve with the policy rules (last formal version for reference: https://docs.gaia-x.eu/policy-rules-committee/policy-rules-labelling/)

1. As the preamble says, the aim of the rules is to have clear controls in place to demonstrate European values of Gaia-X.
2. We have then also made clear that each (!) offering by a Cloud Service Provider under Gaia-X needs to comply with all (!) of the objectives defined in the document.

* What should be noted: except for Chapter 5, all remaining rules stipulate (=) Label Level 1. This was always common understanding within Gaiax, level 1 being the basic level to comply with, that's why we didn't even mention "label level 1" anywhere in those rules (except for under chapter 5 in the intro).
* What should also be noted: if a CSP chooses to offer its services also in levels 2 and/or 3 - then the rules laid down in Chapter 5 are compulsory (!) to the CSP, and not optional. What is optional is naturally the decision of a CSP to offer services under label levels 2 and 3.

Long story short: if I as CSP don't pitch in levels 2 and 3, the rules for 2 and 3 obviously don't apply to me when following the Gaia rules - and the other way around if I pitch.

With this understanding (with which I hope all of you agree), let's move to the new idea to introduce a new concept in Gaia-X and into the policy rules, called "basic conformity". We understand from the supporters of this concept that this introduction should aim for the following: while basic conformity sticks to and describes the values (e.g. transparency, interoperability etc) that Gaia wants to stand for, it strips away any special reference to the EU, as this is intended for services from CSPs that are offered outside of the EU (e.g. Japan). This means e.g. excluding the reference to "contract under Union or EU/EEA law" and excluding references to the GDPR.

If we were to follow through with the introduction of such concept, we fundamentally disagree that in consequence, "label level 1" and as such (as described above) all rules except chapter 5 of the PRD, should become OPTIONAL. This is in so far already difficult to explain, as a CSP, who wants to offer its services in the EU, is subject to the EU legislative acquis and as such, needs to anyways observe e.g. the GDPR. You cannot make legal compliance "optional".

Should the concept of basic conformity be introduced, this means we have essentially two options to decide upon:

1. Complete deletion of Label Level 1 and replace it with "basic conformity" for all services offered under Gaia, no matter from where (outside EU, inside EU) - as the specific requirements of the GDPR need to be observed in any way (preamble: "In general, full adherence to applicable EU/EEA legislation (e.g., in areas such as data protection and security) is a prerequisite and thus not waived or affected by the following policies and rules.")
2. Label Level 1 and its references to GDPR/EU are maintained as is, but it is made clear that this is NOT an OPTIONAL Label, but rather defines the baseline/basic requirements of services when offered within the EU.

And yes, this would lead in consequence to two requirements for a CSP who offers services in and outside EU (basic conformity, label level 1). But please don't shoot the messenger, DT didn't introduce the new idea for Gaia transforming into a global and not anymore a European initiative.....

* Our clear proposition: Keep Option 2, as GaiaX was always set-up with the aim to reflect European (!) values (just read through the website, label framework etc for reference...) and as such, make adherence to European legislation more transparent through demonstrated compliance (such as through CoCs). Stripping of references to e.g., European contracts would mean getting rid of what Gaia essentially stands for.
* As for the additional concept of basic conformity, if the majority of members wants to keep this introduced, then it should be made clear at minimum that this is solely to reflect service offerings provided outside the EU.

And by that, here's a last observation. The idea of introducing basic conformity for outside EU services is what we consider an add-on to the GaiaX initiative which is and will be based on European values - not the other way around. Thus, we don't consider deleting references to "European" in the PRD the right way forward.

Following the above, I think it becomes clearer why we propose a merge request to an - in our view - otherwise flawed Preamble, which ultimately, DT would no longer be willing to stand for and support.

Change proposal:

The intent of the policy rules is to identify clear controls to demonstrate the core European values of Gaia-X: openness, transparency, data protection, security, and portability. Basic conformity defines the minimal set of requirements to be able to participate in a Gaia-X conformant ecosystem. Its use is intended exclusively for services offered outside of the EU/EEA. For Gaia-X compliant services offered within the EU/EEA, the optional Label levels define additional relevant criteria and additional conformance ensuring measures such as certificates, to achieve additional levels of assurance and trust, with focus on European values and based on EU/EEA legislation. These initial Labels can be extended, and additional Labels can be added in the future, to accommodate for sectorial or geographical needs.

I unfortunately won't be able to join tomorrow's PRC call from the beginning, that's why I considered it important to make these points transparent to all of you, in light of forthcoming meetings.

Looking forward to discussing!

Best regards
Jakob

Dr. Jakob Greiner
Deutsche Telekom AG
Group Headquarters
Vice President European Affairs
Public and Regulatory Affairs
Friedrich-Ebert-Allee 140, 53113 Bonn, Germany
phone: +49 228 181-99220
mobile: +49 151 72941410
E-Mail: jakob.greiner@telekom.de
www.telekom.com/public-and-regulatory-affairs

Life is for sharing.
You can find the obligatory information on www.telekom.com/compulsory-statement
Big changes start small - conserve resources by not printing every e-mail.