
The DOME compliance policy

Since the scope of DOME is to create a framework supporting the market requirements, the definition of the policy starts from a baseline that defines the minimum compliance level needed to ensure acceptability by the majority of the market sectors. By design, this definition excludes any vertical requirement of a market sector and any enhanced qualification. Those second-level qualifications will be used to further raise the qualification level of the offering, but not to exclude something from the listing.

The scope is to ensure a reasonable level of compliance while minimizing the exclusions.

In line with the market, the minimum compliance level is defined by Customers, while Providers have to commit to reaching such compliance. The role of the DOME organization in this process is to balance the requirements of the Customer Base with the sustainability of the Providers. Requirements that are too high will result in a poor offering, because the Providers will not be able to sustain the costs related to the acquisition and the maintenance of such high compliance levels.

On the other hand, several other organizations are already working on the definition of a compliance level for cloud offerings, and DOME will try to keep as much compatibility as possible with most of them, in order to create the conditions for a future sharing of such visibilities between organizations.

In line with other established initiatives (i.e., Gaia-X), the DOME compliance policy maps the different criteria to different compliance levels according to the evidence provided by the offering vendor during or after the onboarding process.

Since DOME is not committed to assessing the delivery platform of every provider claiming to be listed on the DOME catalogue, the compliance policy relies on compliance with the criteria that have been selected as the main relevant ones for the trustability of the services in DOME.

Thus, the DOME compliance approach is designed to ensure that service providers meet rigorous quality standards, encompassing regulatory respect, data security, and service management best practices. This framework is based on a set of reference quality criteria that serve as the foundation for evaluating compliance.1

 

 

1   The DOME Compliance criteria have been defined based on the analysis of the Gaia-X Compliance criteria (https://docs.gaia-x.eu/policy-rules-committee/compliance-document/24.11/criteria_cloud_services/#assessment-procedures), adapted to the needs of DOME.

The main objectives of the compliance support in DOME are:

  • Develop a formal process to verify the compliance against reference standards.

  • Develop a methodological framework supported by tools to verify the compliance against reference standards during the on-boarding process.

  • Develop tools to automatically monitor the validity of the certificates.

  • Develop tools to continuously monitor that security requirements are being fulfilled through the continuous assessment of the validity of the certificates.

To this end, DOME will guarantee that services in the platform are certified by checking the validity of the related certificates. It is worth noting that DOME won't certify services, but will rely on valid certificates from official certificate issuers.