Key Components of the DOME Compliance framework:

The DOME compliance framework is structured around three fundamental pillars, which have collectively shaped its foundation and definition:

  1. Self-assessment: Providers are required to issue a declaration attesting to their compliance with the reference quality criteria, after assessing themselves against those criteria. This process encourages providers to take ownership of their compliance and ensures transparency.
  2. Certification Overlay: Providers can supplement their self-declarations with official certifications that automatically assess compliance with specific subsets of the reference criteria. Multiple certifications can collectively cover the full range of requirements, reinforcing the validity of the compliance claims.
  3. Compliance Categorization: Based on the level of compliance with the reference criteria, DOME assigns a Compliance Category to each offering. This categorization reflects the provider's adherence to the quality standards and is essential for the offering's visibility and status within the catalogue.

COMPLIANCE LEVELS

Currently, DOME has established three distinct compliance profile levels. These levels serve a dual purpose: (1) they set the minimum requirements for offers to be published in the DOME catalogue and (2) they establish a trust framework for providers, enabling them to transparently display their compliance posture, and allowing customers to make informed decisions when selecting cloud services that meet their trust requirements. To this end, DOME compliance levels have been defined as follows: 

CONTRACTUAL AND LEGAL IMPLICATIONS

The compliance self-attestation made by a provider is both legally and contractually binding with the DOME organization and is also a representation issued to potential buyers of the services. Any false or misleading declaration will result in immediate reclassification to a Non-Compliant status, disqualifying the provider and related offerings from catalogue visibility. From a legal perspective, this would amount to a misrepresentation that would expose the provider to potential legal claims from customers. This measure upholds the integrity of the compliance process and maintains the trustworthiness of the catalogue. The self-attestation mechanism is offering-specific, meaning that the declarations must be filled in from the perspective of each specific offering, not from the standpoint of the whole company. For instance, a cloud offering of a cloud service provider can provide portability and interoperability while another offering from the same provider does not. In that case the former would be eligible for publication in the DOME catalogue, while the latter would not.

The availability of one or more official certifications, issued by an official Certification Body, stating the profile of compliance with the defined criteria. Providers must provide such visibility (uploading the related documents or digital credentials of the documents) during the offering publishing process.

All the certification documents must clearly state:

The lack of one or more of the above requirements may classify that evidence as unacceptable.


Revision #13
Created 4 June 2024 13:30:26
Updated 5 May 2025 14:25:42 by Juncal Alonso