> For the complete documentation index, see [llms.txt](https://frameworks.greendealdata.eu/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://frameworks.greendealdata.eu/governnace-frameworks/gdds-rulebook/conformity-framework-and-governance-enforcement/1.-certification-and-conformity.md).

# 1. Certification & Conformity

This part establishes how the GDDS verifies that an actor or service meets the requirements necessary to participate, both at admission and for the duration of participation. The depth of verification is proportionate to the trust-criticality of the role.&#x20;

## 1.1. Tiered conformity model&#x20;

Consistent with the iSHARE Trust Framework, the GDDS applies a two-tier conformity model that distinguishes participants according to the trust-criticality of their role:&#x20;

* Adhering Participants demonstrate conformity through self-declaration against the requirements of this Rulebook and the agreements they sign on admission (Rulebook, DSLA, and DPA, where applicable). No independent certification is required to participate. In the GDDS role taxonomy, this tier covers the Data Provider, Data Recipient, Data Rights Holder, and Service Provider roles (iSHARE equivalents: Service Consumer, Service Provider, Entitled Party).&#x20;
* Certified Participants undergo an independent conformity assessment before they may operate, because their role involves managing identity, authorisation, or registry trust on behalf of others. In the GDDS role taxonomy, this tier covers the Intermediary role and its functions —the Participant Registry (PR), Identity Provider (IdP), and Authorisation Registry (AR) (iSHARE certified roles: Identity Provider, Identity Broker, Authorisation Registry, Participant Registry).&#x20;

{% hint style="warning" %}
*Note: To confirm whether the binary Adhering / Certified split is sufficient for MVP2, or whether selected Adhering roles (e.g. providers of high-sensitivity datasets) should be subject to a lightweight conformity check.*&#x20;
{% endhint %}

***

## 1.2. Conformity assessment methods&#x20;

The depth of assessment is proportionate to the tier:&#x20;

* Self-declaration — for Adhering Participants, a documented declaration of conformity with the applicable Rulebook requirements.&#x20;
* Documentary review — verification of supporting evidence (e.g. policies, certificates, technical documentation) by the designated conformity authority.&#x20;
* Independent certification — for Certified Participants, conformity attested through recognised third-party certification or an equivalent independent assessment.&#x20;

{% hint style="warning" %}
*Note: Confirm who performs or recognises conformity assessment — a dedicated GDDS conformity function, an accredited external Conformity Assessment Body, or recognition of existing valid certifications. Default assumption: the GDDS recognises valid existing certifications and, where a fresh assessment is required, it is carried out by the designated GDDS conformity authority.*&#x20;
{% endhint %}

***

## 1.3. Recognised standards and references&#x20;

Conformity is assessed against recognised standards appropriate to the role, which may include:&#x20;

* information security management — ISO/IEC 27001;&#x20;
* assurance and control reporting — ISAE 3402 or SOC 2;&#x20;
* identity assurance — eIDAS 2.0 Levels of Assurance;&#x20;
* domain- or sector-specific standards relevant to the data being shared.&#x20;

Additionally set applies to all participants; additional, role-specific requirements apply to Certified roles.&#x20;

{% hint style="warning" %}
*Note: To confirm the baseline standard set and any role-specific additions for MVP2.*&#x20;
{% endhint %}

***

## 1.4. Certification lifecycle&#x20;

Certification is not a one-off event. For Certified Participants:&#x20;

* certification is issued upon successful conformity assessment;&#x20;
* it remains valid for a defined period, after which re-certification is required;&#x20;
* re-assessment may also be triggered by material changes to the participant’s systems, by incidents, or by findings from compliance monitoring (see Section Compliance Monitoring below).

For roles that operate shared trust services (Certified roles: Participant Registry, Identity Provider, Authorisation Registry), the recognised standard set also includes the federated-infrastructure security baselines identified by Working Group 3 in D3.1: Sirtfi for incident response, the WISE Baseline AUP, and the AARC-G084 Security Operational Baseline. Conformity with the applicable requirements and the Level of Assurance associated with a role may be evidenced through recognised certifications or carried as machine-verifiable Verifiable Credentials (for example, a Credential referencing Rulebook acceptance, or a Role/Assurance credential carrying the role and its LoA), supporting selective disclosure and revocation checks.&#x20;

*Source: D3.1 GDDS first version report (WP3), §2.3.3–2.3.4. The security baselines and the Verifiable-Credential attestation option are documented by Working Group 3; the assurance mechanisms they rely on are specified in the Technical Framework (Data Sovereignty & Trust).* &#x20;

{% hint style="warning" %}
*Note: To confirm the validity period and renewal cadence (e.g. annual or biennial) and the events that trigger early re-assessment.*&#x20;
{% endhint %}

***

## 1.5.  Non-conformity and corrective action&#x20;

Where a participant, service, or component no longer meets the applicable requirements, corrective action is taken in accordance with the governance enforcement procedures defined in the [Monitoring Compliance Section](/governnace-frameworks/gdds-rulebook/conformity-framework-and-governance-enforcement/2.-compliance-monitoring-and-governance-enforcement.md). Corrective actions range from remediation, through temporary suspension of participation rights, to revocation of credentials or certifications.&#x20;
