Smart Machines & Factories
Data Security - the battle of GAIA
Published:  16 July, 2020

Smart Machines & Factories investigates a new European initiative aimed at challenging the dominance of a few large American and Chinese data handline companies.

The three pillars of data security cover data at rest, in transit and in use:

• Protecting data at rest - encryption or tokenisation, so that even if data is copied from a server or database, a thief cannot access the information.

• Protecting data in use - tough, because applications need unencrypted data, meaning that malware can access the contents of memory to steal information.

• Protecting data in transit - making sure unauthorised parties cannot see information as it moves between servers and applications.

Cloud computing allows institutions to store their data and run applications on external servers. Instead of owning servers, companies “rent” server space from cloud providers, usually in packages that include other services, such as protection against cyberattacks. Even so, many organisations are reluctant to migrate their most sensitive applications to the cloud because of concerns about data exposure.

Nevertheless, cloud computing has exploded, creating a massive global market worth hundreds of billions of euros. Analysts expect the coronavirus pandemic to accelerate that growth. European firms have watched from the sidelines as a handful of American and Chinese companies, known in the industry as "hyperscalers", have gobbled up the global market. Amazon Web Services accounts for over three quarters of the US tech giant’s operating profits, and remains the biggest player, but Google, Microsoft and the Chinese Alibaba are catching up.

Digital sovereignty

It is not just the prospect of European businesses losing out that has policymakers worried. A growing dependency on foreign tech companies raises perceived security risks. Last year, Germany’s chief data protection watchdog warned that sensitive German police data stored on servers held by Amazon Web Services was at risk from snooping US authorities. The European Securities and Markets Authority has similarly warned about the lack of transparency inherent in outsourcing to the cloud.

Could a scaled up European cloud provider conform to European regulatory norms, and yet stand a real chance of competing in this market?

A European cloud initiative aims to achieve just that. Gaia-X is not a cloud service in itself. Set up as a non-profit, it is conceived as a platform joining up cloud-hosting services from dozens of companies, allowing business to move their data freely with all information protected under Europe's tough data processing rules. It means that individuals, organisations and communities stay in complete control over stored and processed data and who is permitted to have access to it.

The project is led by the International Data Spaces Association (IDSA), a founding member of the GAIA‑X Foundation. IT infrastructure specialist Cloud&Heat is among the pioneers playing a major role in shaping the project and helping to implement it. IDS reference architecture on data sovereignty will be a central element of the GAIA‑X architecture of standards. “The IDS reference architecture serves as an initial impulse for GAIA‑X," said Dr Reinhold Achatz, CTO of ThyssenKrupp and IDSA Board Chairman. "As a basis for an open ecosystem, it enables providers and consumers of data to connect in a secure, interoperable and sovereign way. Combined with highly available storage and efficient processing of data, GAIA‑X has the potential to create a secure and trustworthy data infrastructure based on European values."

Already, over 300 companies and institutions are members, not only from EU countries, but organisations outside Europe, provided they conform to the standards. Intriguingly, the data centre resources of Amazon Web Services and Microsoft Azure are involved, with hardware and services conforming to the European GDPR regulations on data privacy and security.

The 22 founding members from Germany and France range from manufacturing multinationals Bosch and Siemens, to telecoms companies such as Deutsche Telekom and Orange, to cloud companies Atos and OVHcloud, and carmaker BMW. The companies will inject an initial annual €1.5 million to set up the architecture of standards for Gaia-X.

The general openness of Gaia-X is a good fit for the High Performance Computing (HPC) research community, as their resources are often public-funded. The architecture securely bundles resources whenever needed, for scientific workloads or cooperation between industrial and academic partners. It also allows for sector specific clouds, for example processing medical data. Edge clouds are also an integral part of the GAIA-X Infrastructure Ecosystem. These are clouds that are not co-located with other cloud providers in data centres, for example clouds in factories or privately-owned data centres used for the Internet of Things (IoT) and Industry 4.0.

In October 2019, Germany officially unveiled its plans for Gaia-X, with France coming on board in February this year. Jointly, the two governments have published the first architecture paper on Gaia-X, which runs from large AI accelerators and supercomputers to edge computing for the Internet of Things (IoT) and Industry 4.0. Almost simultaneously, the European Commission released its data strategy for Europe, which foresees spending of up to €6 billion to create a European single market for data in which industrial giants will be encouraged to share data via sector-specific "data spaces."

British involvement

There seems to be no British involvement, at least at this stage, but then given the politics involved here this is hardly surprising. As the UK aims to negotiate a trade deal with the US, joining in with an avowedly European project which aims to act as a counterweight to Silicon Valley would not be a good look. Plus, while aiming to extract the UK from the EU, the Government is unlikely to look upon it sympathetically anyway.

Trade is increasingly facilitated by cross-border data flows, with businesses reliant on the ability to transfer personal data about their customers or workforce to offer goods and services, and to run even basic internal processes such as cloud-based email or file storage.

According to a UK Parliamentary report, volumes of data entering and leaving the UK increased 28 times between 2005 and 2015, and three-quarters of these data transfers are with EU countries. Any restriction placed on data flows would act as a barrier to trade, putting UK businesses at a competitive disadvantage.

Data adequacy

During the transition period, the EU will continue to treat the UK as if it were a member state. This means that data will continue to flow between the UK and the EEA. When the transition period ends, the UK will no longer automatically benefit from this free flow of data.

Data adequacy is granted by the European Commission to third countries providing a level of personal data protection comparable to that provided in European law. Thereafter, information can pass freely without further safeguards being required.

The Commission will seek to make an adequacy assessment for the UK before the end of the transition period. Despite the UK’s application of GDPR and implementation of the Law Enforcement Directive under the 2018 Data Protection Act, there is no guarantee it will be awarded an adequacy decision.

The Commission has recognised 11 countries or territories, including Argentina, Israel, New Zealand and most recently Japan, as providing fully adequate data protection. The USA and Canada have been deemed to provide partially adequate protection – EEA data can be transferred, under certain conditions, to some organisations in these countries. The fastest adequacy assessment so far, for Argentina, took 18 months. Other assessments have taken up to five years.

The UK government said that it would allow UK data to flow freely to the continent in an attempt to minimise disruption (although it would keep this policy under review). The Commission made it clear that it would not reciprocate. It would treat the UK as it does any other third country until an adequacy decision has been reached.

The UK has been accused of “deliberate violations and abuse” of the Schengen Information System, which has led several member states, notably the Netherlands, to question whether the UK should be awarded data adequacy after Brexit.

The onward transfer of data from the UK to close security partners such as Australia, which does not have an adequacy agreement with the EU, is another contentious area.


To learn more about GAIA-X and to download the documents that have been published so far, visit

*To find out more about GAIA-X, International Data Spaces is currently holding a series of live sessions.