Gaia-X: Europe's fight for digital sovereignty

Organizations of all sizes are working to modernize their IT infrastructure to remain competitive. They know: nothing works without the cloud. The cloud computing market in Europe is expected to grow from its current value of 63 billion euros in 2021 to 560 billion euros by 2023.
The majority of businesses rely on one of the big three – Amazon Web Services, Microsoft Azure, and Google Cloud. These global players control 66 percent of the European market – while the market share of European service providers fell to less than 16 percent in the second quarter of 2021, despite rising revenues. With 2 percent market share in Europe, Deutsche Telekom is market leader among the European cloud providers. (Source)

The problem: Hyperscalers from the United States dominate but they do not comply with European standards and regulations regarding data protection. In a 2021 survey among key experts working on European technology and digital policy in government, nearly 93 percent of respondents believed that the European Union depends too much on the United States in the area of cloud computing. (Source)

Data security has become more and more important to organizations and society in general. The fact that most of the data is stored in data centers in the US and thus falls under US regulations (notably the CLOUD Act which allows the US government to access data stored by US cloud providers – even if the data centers are located in Europe) raises concern in the EU. (Source)

Microsoft has added to the pressure in the office software market by announcing that it will only support a cloud-based version of Office beginning in 2025. This means that, despite the issues with data security, public administration would be forced to use Microsoft’s cloud offerings.

Digital sovereignty

Ideally, organizations and individuals should be able to exchange data as they see fit while maintaining complete control over what happens to their data and who has access to it. Decentralized cloud computing could contribute to more independence and sovereignty.

The Gaia-X project: a European Cloud?

The goal of Gaia-X is to create a common European “data infrastructure”. Based on standardized interfaces, cloud services and data from many different companies will be connected and made available to users. Thus, Gaia-X is not a cloud or provider, but rather an ecosystem.

What makes the idea special is a couple of things:

• Decentralized and open source: Gaia-X is based on openness, transparency and trust.
• Trustworthy and secure: Gaia-X allows to share data within and between industries in secure data spaces. It creates a network of trust where data can be shared while retaining sovereignty. This encourages data-driven innovation.
• Transparent and comparable: Gaia-X will provide a catalog of services available in the ecosystem (i.e. certified and adhering to the common specifications). Users will be able to compare various offerings based on common standards and select the ones that best meet their requirements (at the moment, this is difficult and many services are not compatible due to a lack of standardized interfaces). This allows them to find local alternatives to the large hyperscalers. (Source)

Organization: the three pillars of Gaia-X

Three bodies comprise the Gaia-X organizational structure: the Gaia-X Association, the national Gaia-X Hubs and the Gaia-X Community.
The Gaia-X Accociation was founded in 2019 by 22 companies fom Germany and France. As of today, it consists of more than 340 members, 15 hubs and 14 data spaces. (Source)
The Gaia-X Hubs are contact points for all interested parties and users in a participating country. In line with the bottom-up approach, national approaches are bundled here and the conception of new use cases is supported. (Source)
The Gaia-X Community is made up of all businesses and organizations that create operational services based on the infrastructure and specifications.

Architecture: decentralized and open source

In today’s most common cloud scenarios, data is stored in the data centers of only a few large corporations. Gaia-X relies on decentralized cloud infrastructures to enable digital sovereignty: data is stored in multiple locations without a central intermediary and exchanged directly between organizations via secure channels that adhere to common specifications. This enables secure sharing of data with only the peers that you want to have access and opens up new possibilities for innovation. (Source)

Several subprojects are currently developing the technical infrastructure using open source components. These layers serve as the foundation for implementing the initial use case projects.

Infrastructure layer: Sovereign Cloud Stack (SCS)

The Sovereign Cloud Stack is a cloud stack that serves as the foundation for Gaia-X. It is implemented as an open source project by combining several open source building blocks. This enables users to switch providers, preventing vendor lock-in and promoting competition.
Recently, the third version of the SCS has been made available. It is being tested by an increasing number of organizations, and three public cloud providers will soon be using it in productive environments. (Source)
The project is funded by the German Federal Ministry of Economics and Climate Protection (BMWK).

Federation layer: Gaia-X Federation Services (GXFS)

The Gaia-X Federation Services are a set of tools for establishing and operating self-managed, interoperable cloud infrastructures. The GFXS, like the SCS, are created with open source code and allow the community to build on them. (Source)

Data layer: International Data Spaces (IDS)

The concept of decentrality really comes into play at the data layer. To maintain data sovereignty of all participating organizations, the data is kept solely by each organization without an intermediary partner or storage.
As the International Data Spaces Association (IDSA) has pointed out, this is a significant distinction between data lakes on the one hand and decentralized networks lacking common standards on the other. (Source)
Endpoints are technically realized through IDS Connectors that adhere to the specifications of the reference architecture model (RAM) and certification criteria.
The IDS architecture was developed by Fraunhofer in cooperation with companies from different industries. (Source)

Criticism and status: the struggle for digital sovereignty

Since the kickoff in 2019, there has been quite some attention in the media, followed by a phase of disillusionment. Several sides criticize the too slow and hesitant implementation in practice. (Source 1, Source 2, Source 3, Source 4)
In addition, the entry of large companies as members of the Gaia-X Association caused concern. Although companies such as Google, Microsoft, Amazon and Palantir do not sit on the board, the question remains whether the participation of companies from which distance is to be gained makes precisely this goal unattainable.
At least the association decided to rely on Nextcloud for internal collaboration and host it at IONOS, Europe’s largest cloud provider. (Source)

In May, the German government approved an increase in funding to a total of 51 million euros. The most important projects to be funded with this are:

• Center for Digital Sovereignty (ZenDiS): Is to act as an interface for the implementation of more open source solutions in administrations
• Open CoDe: Repository for open source code for federal, state and local governments
• Sovereign Workplace: Is intended to provide open source alternatives to proprietary office software and help administrations become independent of proprietary software and its providers
• Sovereign Tech Fund: Is intended to promote open source projects and communities (Source)

In addition, testing for both SCS and GXFS will begin this summer.

First products to be launched in 2022

While no products are currently available for users, companies can already develop solutions based on the existing specifications and reference architecture, resulting in “Gaia-X ready” products that can be deployed once the infrastructure is in place.

Additionally, the first products are scheduled to hit the market in 2022. Dataport is working on a major project called dataPhoenixSuite, which is a digital workplace for public administration. Everything that was previously done with Outlook, Teams, and other similar applications will now be done with open source modules. (Source)

Reactions of small and large businesses differ

Bitkom Research recently polled German businesses with more than 20 employees to see if they could see themselves using Gaia-X services in the future. 46 percent said yes (14 percent already have plans, 32 percent consider it possible). Gaia-X is currently irrelevant to 43 percent of businesses. Companies with more than 100 employees are more interested than those with fewer than 100 employees. (Source)

According to respondents, the most important criteria are compliance and legal certainty in data protection (55 percent), high standards for IT security (51 percent), and confident and trustworthy data exchange (46 percent). This is followed, at a distance, by a set of functions comparable to market leaders (30 percent).

In general, Gaia-X provides opportunities for both large and small to medium-sized enterprises (SMEs). Smaller businesses that lack infrastructure can participate and innovate using modern technologies. Common standards and interfaces enable cloud and edge service collaboration to run more smoothly, removing barriers for SMEs.

Conclusion

Gaia-X is an ambitious large-scale project. A lot of preliminary work has already been done – now it’s time to deliver: Only when the infrastructure is in place use cases can be implemented and tested.

It may take some time before the feature set of the well-known hyperscalers is reached – after all, they have a big head start. But this seems to play a minor role compared to the criteria that Gaia-X was intended to fulfill – and that are rated highest among companies: compliance, security, trust.

What does that mean for you? Finally, as always, it comes down to weighing options: what is the best fit for your specific needs? What opportunities and risks can be expected if you opt for a European solution?