Profile Baseline: baseline eligibility criteria matched
This is the entering acceptance level to enable offer visibility and sharing through the DOME certification ecosystem. To match this level the provider must provide visibility (through self-attestations: Compliance Self-attestation form_CSP_DOME March 2025.docx) of the implementation of the following mandatory compliance criteria under the following categories:
1- DATA PROTECTION AND MANAGEMENT
Criterion DP-1: The Provider shall offer the ability to establish a written contract under Union or EU/EEA/Member State law and specifically addressing GDPR requirements.
Criterion DP-2: The Provider shall define in writing the roles and responsibilities attributed to each party in the Product offerings.
Criterion DP-3: For each offering, the Provider shall clearly define the technical and organizational measures in accordance with the roles and responsibilities of the parties, including an adequate level of detail.
Criterion DP-4: The Provider shall not access Customer Data unless authorized by the Customer or when the access is in accordance with applicable laws or the contract.
Criterion DP-5: The Provider offering is compliant with all the requirements of applicable laws and regulations concerning the protection of data, and specifically the General Data Protection Regulation (Regulation (EU) 2016/679).
2- CYBERSECURITY
Criterion CS-1: Organization of information security: Plan, implement, maintain and continuously improve the information security framework within the organisation.
Criterion CS-2: Information Security Policies: Implement adequate and updated information security policies and procedures aligned with the security requirements needed to support the Offering operational requirements.
Criterion CS-3: Risk Management: Ensure that risks related to information security are properly identified, assessed, and treated, and that the residual risk is acceptable to the Provider.
Criterion CS-4: Human Resources: Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation’s assets are protected in the event of changes in responsibilities or termination of employment contract.
Criterion CS-5: Asset Management: Identify the organisation’s own assets and ensure an appropriate level of protection throughout their lifecycle.
Criterion CS-6: Physical Security: Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations.
Criterion CS-7: Operational Security: Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures.
Criterion CS-8: Identity, Authentication and access control management: Limit access to information and information processing facilities.
Criterion CS-9: Cryptography and Key management: Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity and integrity of information.
Criterion CS-10: Communication Security: Ensure the protection of information in networks and the corresponding information processing systems.
Criterion CS-11: Portability and Interoperability: The provider shall provide a means by which a customer can obtain their stored customer data, and provide documentation on how (where appropriate, through documented APIs) the customer can obtain the stored data at the end of the contractual relationship, and shall document how the data will be securely deleted from the provider’s system and in what timeframe.
Criterion CS-12: Change and Configuration Management: Ensure that changes and configuration actions to information systems maintain an adequate security of the delivered cloud service.
Criterion CS-13: Development of Information systems: Ensure information security in the development cycle of the information systems of the concerned cloud offering.
Criterion CS-14: Procurement Management: Ensure the protection of information that suppliers of the provider can access and monitor the agreed services and security requirements.
Criterion CS-15: Incident Management: Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents.
Criterion CS-16: Business Continuity: Plan, implement, maintain and test procedures and measures for business continuity and emergency management.
Criterion CS-17: Compliance: Take positive and affirmative steps to ensure compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements.
Criterion CS-18: Dealing with information requests from government agencies: Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of Customer Data.
Criterion CS-19: Offering’s security: Provide appropriate mechanisms for cloud customers to enable Offering security. Ensure that the by-default configuration of the offerings is secure.
Qualification process:
The qualification process is one of the steps of the process that needs to be completed in the "Compliance profile step". The product needs to be created to be able to edit the compliance profile section.
In order to be able to get the DOME compliance profile, the product needs to select the certificates to be included in the profile of the product offering.
Once the certificates have been uploaded, these need to be verified by the provision of signed Verified Credentials (VCs) of the certificates.
To get the VCs of the supported certificates, DOME offers a validation service that generates the VCs of the certificates by a DOME Trust Service Provider for Certification. To do so the CSP needs to access the DOME compliance component (currently an email needs to be sent to dome-certification@listas.tecnalia.com with the certificates) to get the related VCs and upload them to the compliance profile (see How to get the VC to the supported certifications). Until the VCs are uploaded the status of the product with respect to these certifications will be SELF-DECLARED.
Only VCs from entities authorized by DOME will be accepted. The product owners can access the Compliance Module to get the certifications verified and get the related VCs.
When the VC of the certificate is uploaded to the profile, the result of the validation will be updated.
The result of the certification validation will also be updated in the portal and the product will be correspondingly classified into one of the DOME compliance levels (see Dome Certification baseline). The service owner will get a notification about the compliance level achieved by the service.
How to get the VC to the supported certifications:
After logging in to the Compliance Module (with a valid DOME user), the product owner will include the evidence of the supported certifications (i.e. signed certifications in pdf format).
The pdf for each of the certifications to be qualified needs to be uploaded through the data entry form and submitted.
The validation of the certification is a process that might take time. The owner of the product will receive the resulting Verified Credentials for the successfully validated certifications, to be stored in the wallet (through the Credential Issuance component that DOME operates).
When the VC from the certification verification is received, the product owner shall enter the product specification, and edit the compliance profile, uploading the provided VC.