Admission

This part of the iSHARE Trust Framework is considered normative and is therefore compliant with RFC 2119.

This admission process describes the steps that all parties MUST take to be admitted to the iSHARE network. For Certified Parties including Participant Registry, additional steps are required and are described below. The process is the responsibility of, and facilitated by, the Participant Registry (or the Scheme Owner). The process of onboarding and admission can be delegated to a Participant administrator.

Admission of prospective iSHARE participant includes:

A potential Adhering Party wants to start fulfilling one or more adhering role(s) in the network.
A potential Certified Party wants to start fulfilling one or more certified roles(s) in the network.
An already Adhering and/or Certified Party wants to expand its current role(s) by one or more role(s) in the network.

This process is for admission to production environments. For development and testing admission to the test network is required. Refer to the getting started section for more information.

Goal

The goal of the admission process is to let prospective participants join the iSHARE Network in a simple and controlled way. A controlled admission process is important to warrant trust in the iSHARE Trust Framework. It provides assurance that all parties signing an accession agreement fulfil the scheme's accession criteria.

Admission criteria

To be admitted to the iSHARE network as a full participant (Service Provider or Service Consumer), prospective participants MUST comply with several criteria*:

Provide a signed iSHARE accession agreement including Terms of Use;
Provide a valid Party Identifier;
Irrespectively, an party identifier compliant to the iSHARE DID method MUST be automatically derived from the identification credential (PKI certificate or Signed token);
Provide an eIDAS Advanced or Qualified Electronic Seal (eSEAL) digital certificate (public key) or onboard using an iSHARE certified Identity Provider where allowed;
Provide a successful test report of iSHARE conformance test tool.

* Data spaces MAY require additional admission criteria (consult Data Space Governing Body).

Role/Requirement

Adhering party

Certified party

Participant Registry

Valid party identifier

X (only for Service providers)

Advanced / Qualified eSeal

X (only for Service Providers or Service Consumers that use machine to machine communication)

X (for Service Consumers or Entitled Parties without Qualified eSeal)

Onboarded by

Participant Registry*

Scheme Owner

Assessment framework**

The above table shows the Onboarding/ Admission criteria and the Onboarding parties involved.

X = required.

* The onboarding procedures can be delegated to one/multiple Participant Administrators.

** The assessment framework is available below. Data space may apply their own assessment framework for adhering parties and extend the iSHARE Assessment Framework for certified parties

Assessment framework

The following file holds the assessment framework for Certified Parties.

Responsibilities

Several parties have responsibilities and tasks in the admission process:

The Participant Registry MUST facilitate the onboarding process while safeguarding the integrity and trust;
The Participant Registry MAY delegate its onboarding responsibilities to another party if required, however it still remains responsible and contact for its participants and the Scheme Owner as it is the certified party for onboarding;
The Scheme Owner MUST onboard/admit the participants playing the role of a Participant Registry. The Scheme Owner MAY admit other participants in the iSHARE network until further notice.
The prospective participant MUST implement what is necessary for complying and maintaining compliance with the relevant admission criteria of being participant in specified role(s).

Sequence

An authorised representative of the prospective participant registers with a Participant Registry and provides the Participant Registry with:
1. Primary contact details: name, role, e-mail;
2. Description of the intended activities for participating and onboarding in this data space/ecosystem and use of iSHARE framework;
3. At least one acceptable valid legal entity identifier as required by the Participant Registry (nationally or internationally recognised unique identifier which can be verified).
The Participant Registry checks whether there are potential impediments that could block the completion of the admission process for the prospective participant:
1. E.g. previous exclusions from a Data space/iSHARE network in the recent past.
The Participant Registry MUST facilitate testing and certification of the prospective participant.
1. The Participant Registry MAY provide testing material and documentation on the test environment: certificates, keys, SDKs, etc.;
2. For prospective Certified Parties it MUST include role-specific non-technical requirements.
The prospective participant formally requests admission to the particular data space by providing:
1. An iSHARE accession agreement signed by an authorised representative of the prospective participant;
2. The eSEAL digital certificate (public key) that will be used (if applicable, see table above);
3. An iSHARE conformance test tool report;
4. Any other requirements for admission to the particular data space (such as for instance a signed NDA);
5. For a prospective Certified Party: The level of assurance for which the prospective Certified Party wants to be certified, accompanied by a filled in Assessment Framework (and related evidence) to prove that the operational processes of the prospective Certified Party comply with the indicated level of assurance.
6. For prospective Certified Parties additional verification may be required.
  1. The prospective Certified Party can request a signed NDA from the Participant Registry before providing the Assessment Framework and related evidence.
The Participant Registry verifies the acceptance of the prospective participant's admission request and its conformance with the admission criteria;
1. For prospective Adhering Parties the Participant Registry has 5 working days, unless otherwise stated/agreed, to verify the acceptance of the prospective participant’s admission request and its conformance with the admission criteria;
2. For prospective Certified Parties the Participant Registry has 30 days, unless otherwise stated/agreed, to verify the acceptance of the prospective participant's admission request and its conformance with the admission criteria, but aims to respond as soon as possible.
The Participant Registry records the participant’s status in the Participant Registry.
Once the participant has been accepted, the Participant Registry communicates the verified acceptance to the new Participant.

Levels of participation

This section is under review through an RFC. Following this section is currently not recommended.

In order to lower initial barriers for participation, a prospective participant may join the data space/iSHARE network without meeting all criteria. A possible situation could occur where a party wishes to join as a participant, but is not able to meet all technical requirements for data exchange. Instead, the participant will delegate this to an intermediary party (for example, a data hub) that will provide technical data exchange services.

Identity verification level

Verified according to publicly available trusted resources

The identity of the party can be verified (eg. to an internationally verifiable source)

Verified by Participant Registry

Although this option is not generally recommended, this denotes that the participant is explicitly trusted by the Participant Registry that recorded the participants admission.

Legal adherence

Legal adherence

The Participant has signed an Accession Agreement and Terms of Use

No legal adherence

The Participant is trusted by the Participant Registry. Note that this indication MAY limit the available options for data sharing for this participant within the data space/iSHARE network due to a lower level of legal assurance.

Technical compliance

Full technical compliance

Technical compliance was verified by providing a successful test report of iSHARE certification tool.

No technical compliance

Technical Compliance has not been verified. Note that this indication will limit the available options for data sharing for this participant within the iSHARE network, because the participant must use another (compliant) participant to handle exchanges on his behalf.

PreviousOperational processes NextWithdrawal or Downgrade

Last updated 25 days ago

Admission

This part of the iSHARE Trust Framework is considered normative and is therefore compliant with RFC 2119.

Admission of prospective iSHARE participant includes:

A potential Adhering Party wants to start fulfilling one or more adhering role(s) in the network.
A potential Certified Party wants to start fulfilling one or more certified roles(s) in the network.
An already Adhering and/or Certified Party wants to expand its current role(s) by one or more role(s) in the network.

This process is for admission to production environments. For development and testing admission to the test network is required. Refer to the getting started section for more information.

Goal

Admission criteria

To be admitted to the iSHARE network as a full participant (Service Provider or Service Consumer), prospective participants MUST comply with several criteria*:

Provide a signed iSHARE accession agreement including Terms of Use;
Provide a valid Party Identifier;
Irrespectively, an party identifier compliant to the iSHARE DID method MUST be automatically derived from the identification credential (PKI certificate or Signed token);
Provide an eIDAS Advanced or Qualified Electronic Seal (eSEAL) digital certificate (public key) or onboard using an iSHARE certified Identity Provider where allowed;
Provide a successful test report of iSHARE conformance test tool.

* Data spaces MAY require additional admission criteria (consult Data Space Governing Body).

Role/Requirement

Adhering party

Certified party

Participant Registry

Valid party identifier

Successful test report of

X (only for Service providers)

Signed

Advanced / Qualified eSeal

X (only for Service Providers or Service Consumers that use machine to machine communication)

X (for Service Consumers or Entitled Parties without Qualified eSeal)

Onboarded by

Participant Registry*

Scheme Owner

Assessment framework**

The above table shows the Onboarding/ Admission criteria and the Onboarding parties involved.

X = required.

* The onboarding procedures can be delegated to one/multiple Participant Administrators.

** The assessment framework is available below. Data space may apply their own assessment framework for adhering parties and extend the iSHARE Assessment Framework for certified parties

Assessment framework

The following file holds the assessment framework for Certified Parties.

Responsibilities

Several parties have responsibilities and tasks in the admission process:

The Participant Registry MUST facilitate the onboarding process while safeguarding the integrity and trust;
The Participant Registry MAY delegate its onboarding responsibilities to another party if required, however it still remains responsible and contact for its participants and the Scheme Owner as it is the certified party for onboarding;
The Scheme Owner MUST onboard/admit the participants playing the role of a Participant Registry. The Scheme Owner MAY admit other participants in the iSHARE network until further notice.
The prospective participant MUST implement what is necessary for complying and maintaining compliance with the relevant admission criteria of being participant in specified role(s).

Sequence

An authorised representative of the prospective participant registers with a Participant Registry and provides the Participant Registry with:
1. Primary contact details: name, role, e-mail;
2. Description of the intended activities for participating and onboarding in this data space/ecosystem and use of iSHARE framework;
3. At least one acceptable valid legal entity identifier as required by the Participant Registry (nationally or internationally recognised unique identifier which can be verified).
The Participant Registry checks whether there are potential impediments that could block the completion of the admission process for the prospective participant:
1. E.g. previous exclusions from a Data space/iSHARE network in the recent past.
The Participant Registry MUST facilitate testing and certification of the prospective participant.
1. The Participant Registry MAY provide testing material and documentation on the test environment: certificates, keys, SDKs, etc.;
2. For prospective Certified Parties it MUST include role-specific non-technical requirements.
The prospective participant formally requests admission to the particular data space by providing:
1. An iSHARE accession agreement signed by an authorised representative of the prospective participant;
2. The eSEAL digital certificate (public key) that will be used (if applicable, see table above);
3. An iSHARE conformance test tool report;
4. Any other requirements for admission to the particular data space (such as for instance a signed NDA);
5. For a prospective Certified Party: The level of assurance for which the prospective Certified Party wants to be certified, accompanied by a filled in Assessment Framework (and related evidence) to prove that the operational processes of the prospective Certified Party comply with the indicated level of assurance.
6. For prospective Certified Parties additional verification may be required.
  1. The prospective Certified Party can request a signed NDA from the Participant Registry before providing the Assessment Framework and related evidence.
The Participant Registry verifies the acceptance of the prospective participant's admission request and its conformance with the admission criteria;
1. For prospective Adhering Parties the Participant Registry has 5 working days, unless otherwise stated/agreed, to verify the acceptance of the prospective participant’s admission request and its conformance with the admission criteria;
2. For prospective Certified Parties the Participant Registry has 30 days, unless otherwise stated/agreed, to verify the acceptance of the prospective participant's admission request and its conformance with the admission criteria, but aims to respond as soon as possible.
The Participant Registry records the participant’s status in the Participant Registry.
Once the participant has been accepted, the Participant Registry communicates the verified acceptance to the new Participant.

Levels of participation

This section is under review through an RFC. Following this section is currently not recommended.

Identity verification level

Verified according to publicly available trusted resources

The identity of the party can be verified (eg. to an internationally verifiable source)

Verified by Participant Registry

Although this option is not generally recommended, this denotes that the participant is explicitly trusted by the Participant Registry that recorded the participants admission.

Legal adherence

Legal adherence

The Participant has signed an Accession Agreement and Terms of Use

No legal adherence

Technical compliance

Full technical compliance

Technical compliance was verified by providing a successful test report of iSHARE certification tool.

No technical compliance

PreviousOperational processes NextWithdrawal or Downgrade

Last updated 25 days ago