Key Components of the DOME Compliance framework:
The DOME compliance framework is structured around three fundamental pillars, which have collectively shaped its foundation and definition:
- Self-assessment: Providers are required to issue a declaration attesting their compliance with the reference quality criteria, after having assessed for themselves that they meet them. This process encourages providers to take ownership of their compliance and ensures transparency.
- Certification Overlay: Providers can supplement their self-declarations with official certifications that automatically assess compliance with specific subsets of the reference criteria. Multiple certifications can collectively cover the full range of requirements, reinforcing the validity of the compliance claims.
- Compliance Categorization: Based on the level of compliance with the reference criteria, DOME assigns a Compliance Category to each offering. This categorization reflects the provider's adherence to the quality standards and is essential for the offering's visibility and status within the catalogue.
COMPLIANCE LEVELS
Currently, DOME has established three distinct compliance profile levels. These levels serve a dual purpose: (1) they set the minimum requirements for offers to be published in the DOME catalogue and (2) they establish a trust framework for providers, enabling them to transparently display their compliance posture, and allowing customers to make informed decisions when selecting cloud services that meet their trust requirements. To this end, DOME compliance levels have been defined as follows:
- Baseline Compliance Level: Offerings with self-assessed compliance that lack formal certification are eligible for this level. They can be published in the catalogue with a baseline status, indicating a foundational level of compliance.
- Professional and Professional + Compliance Levels: Offerings with certified compliance evidence (valid certifications) are eligible for these levels. These levels signify a higher degree of compliance and trustworthiness, enhancing the offering's standing within the catalogue. Depending on the type and number of valid certifications, either the Professional or the Professional + level can be achieved.
- Non-Compliant Classification: Offerings that fail to meet one or more mandatory compliance criteria, as determined through self-attestation or certification, are classified as non-compliant. Such offerings are excluded from the official catalogue, ensuring that only compliant services are presented to users.
CONTRACTUAL AND LEGAL IMPLICATIONS
The compliance self-attestation made by a provider is both legally and contractually binding with the DOME organization and is also a representation issued to potential buyers of the services. Any false or misleading declaration will result in immediate reclassification to a Non-Compliant status, disqualifying the provider and related offerings from catalogue visibility. From a legal perspective, this would amount to a misrepresentation that would expose the provider to potential legal claims from customers. This measure upholds the integrity of the compliance process and maintains the trustworthiness of the catalogue. The self-attestation mechanism is offering-specific, meaning that the declarations must be filled in from the perspective of each specific offering, not from the standpoint of the whole company. For instance, one cloud offering of a cloud service provider may provide portability and interoperability while another offering from the same provider does not. In that case, the former would be eligible for publication in the DOME catalogue, while the latter would not.
Certification evidence consists of one or more official certifications, issued by an official Certification Body, stating the profile of compliance with the defined criteria. Providers must make such evidence visible (by uploading the related documents, or digital credentials of those documents) during the offering publishing process.
All the certification documents must clearly state:
- The legal entity owning the certification
- The Certification Authority that issued the certification
- The validity period of the certification
- A statement making it possible to determine whether or not the published service is covered by the certification (also known as “the scope” of the certification).
If one or more of the above requirements is missing, that evidence may be classified as unacceptable.