At Gaia-X Tech-X 2026 in Athens, experts took the stage to tackle one pressing question in European data exchange: how do you make a data exchange genuinely trustworthy, not just technically, but legally and operationally? Benoît Tabutiaux, CTO at IMT Transfert – TeraLab, Frédéric Bellaiche, VP Technology & Research at Dawex, joined Christoph Strnadl, CTO at Gaia-X, and walked attendees through a concrete blueprint mapping the new TDT harmonised European standard to the Gaia-X Framework and the open-source Data Transfer Agent. Here is an overview of their presentation.
As data spaces scale from pilot projects to real-world industrial deployments, one question has moved from theoretical to urgent: what does it actually take to make a data exchange trustworthy, not just technically, but legally and operationally? The new harmonised European standard Trusted Data Transactions answers this question with rigorous precision. And an open-source software component called the Data Transfer Agent (DTA) turns that answer into running code.
The Standard: Trusted Data Transactions (TDT)
The Trusted Data Transactions (TDT) standard, formally EN 18235, is a harmonised European standard developed at the European Commission and CEN/CENELEC level, directly mandated by Article 33 of the European Data Act. TDT defines the trust criteria that any cross-ecosystem data transaction must comply with to be considered genuinely trustworthy.
The standard identifies six phases that every trusted data transaction must satisfy:
- Grant Rights: Traceable delegation records, metadata on allowed users and purposes, provenance and consent for personal data.
- Publication: Verified publication rights, machine-readable catalogue metadata, licence terms, and data quality descriptors.
- Discovery: Access-controlled exposure of data products, with results enabling assessment of relevance and licence terms.
- Negotiation: Provider-evidenced authority to license; contracts recorded in machine-readable, undisputable form.
- Data Sharing/Exchange: Identity verification of the data user, authorisation evaluation, compliance with observability mechanisms.
- Access & Usage: Re-verification of authorisations on each access, ability to revoke supply on breach, observability throughout.
Identity verification, policy and claims reconciliation, and observability apply continuously across every phase, not just at the point of transfer.
- Part 1 of the standard (EN 18235-1:2026) on Terminology, Concepts and Mechanisms, was made available in March 2026, as part of the harmonised European standard.
- Part 2, addressing Trustworthiness Requirements, entered public enquiry in March 2026.
- Part 3, covering Interoperability Requirements, entered public enquiry in May 2026.
Gaia-X Framework: A Solid Foundation for TDT
The Gaia-X Trust Framework already satisfies a significant share of TDT requirements. From identity to continuous compliance, key building blocks are already in place.
- Participant identity (§ 5.2.2): Participant Self-Descriptions signed via eIDAS, combined with W3C Verifiable Credentials, deliver machine-readable, issuer-referenced identity evidence that satisfies TDT’s identification requirements out of the box.
- Claims and evidence model (§ 5.2.3): The Verifiable Credentials plus linked-data graph model provides identifiable issuers, unique identifiers, cryptographic integrity, and built-in validity and revocation handling, precisely what TDT demands from any policy, claim, or evidence artefact.
- Trust anchors and notaries (§ 5.2.5): The Gaia-X Registry lists endorsed issuers and trust anchors, underpinning claims that would otherwise be purely self-declared.
- Continuous compliance (§ 5.2 / general): The Gaia-X Digital Clearing House (GXDCH) automates ongoing validation of credentials across the ecosystem, enabling the continuous compliance posture TDT requires.
- Federated catalogue (§ 5.4 / § 5.5): Self-Descriptions for Service Offerings, combined with a federated catalogue, enable findability, access control, and discovery aligned with TDT’s publication and discovery requirements.
- Extensibility for data spaces (§ 4.10): Federations (i.e. data spaces) can layer additional criteria, select their own trust anchors, and compose trust frameworks on top of Gaia-X, precisely the kind of modular trust framework architecture TDT envisions.
Bridging the Last Mile to TDT Compliance
While Gaia-X covers the trust infrastructure, a focused set of requirements calls for dedicated work and attention:
- Data-product metadata (§ 5.4): Provenance, lineage, and quality descriptors at the data-product level require new ontologies to be introduced into the Data Product Model.
- Machine-readable contracts (§ 5.6): Undisputable, machine-readable data usage contracts for the negotiation phase require dedicated specification work, currently underway in Gaia-X’s Data Exchange Services working group.
- Runtime authorisation and observability (§ 5.7–5.8): Per-transaction identity checks, real-time policy enforcement, and audit trails, the operational heart of TDT, are not yet fully specified in Gaia-X.
- Reconciliation (§ 5.2.4.4): Reconciling policies and claims across participants and intermediaries requires tooling beyond what the Trust Framework alone provides.
- Grant rights phase (§ 5.3): Evidence of delegated rights when the rights holder is not the data provider.
This is precisely where the Data Transfer Agent comes in.
The Data Transfer Agent: Operationalising TDT
The Data Transfer Agent (DTA) is an open-source software component purpose-built to enable trusted data transactions in data spaces, by offering a lightweight, containerised agent that any organisation, regardless of size, can easily deploy and operate with trust.
DTA comes into play once two parties have agreed on a data transaction. Its role is to carry out all the verifications and operational steps needed to execute that transaction in a TDT-compliant way.
Concretely, the DTA handles:
- Participant, data product, and Data Access Contract (DAC) management
- Policy enforcement and access granting
- Data transfer and streaming
- Observability, logging and audit trails for non-repudiation
The component implements the Gaia-X Trust Framework and the OIDC4VC/OIDC4VP OpenID standards, ensuring that every interaction is grounded in verifiable credentials and interoperable identity protocols.
Key characteristics of the Data Transfer Agent include:
- Lightweight and modular: Uncluttered architecture focused exclusively on trusted data transactions, with no unnecessary complexity.
- Standards-compliant: Built in full alignment with Gaia-X specifications, the CEN Trusted Data Transactions harmonised European standard, and the European Data Act.
- Distributed by design: Deployable across cloud, on-premise, edge environments; can run as a managed service alongside any existing component or software
- Open source: Released under Apache-2 license on the Gaia-X GitLab, with transparent governance and no dependency on any single vendor or data space
- Scalable: Capable of supporting thousands of participants across complex industrial supply chains, from large enterprises to SMEs
- Human-in-the-loop ready: Supporting both fully automated machine-to-machine transactions and workflows requiring human consent or validation, a critical capability required in highly regulated sectors
- Built for Agentic AI: Designed to support the evolving pace of automated data interactions, with an extensible architecture that accommodates new communication modes and use cases as they emerge
The Complete Picture: How Gaia-X and the DTA Cover Every TDT Requirement
Combining the Gaia-X Trust Framework with the DTA closes the remaining gaps:
| TDT Requirement | Covered by |
| Participant identity (§ 5.2.2) | Gaia-X (eIDAS + Verifiable Credentials) |
| Claims & evidence model (§ 5.2.3) | Gaia-X (VC + linked-data graph) |
| Trust anchors & notaries (§ 5.2.5) | Gaia-X Registry |
| Continuous compliance | Gaia-X Digital Clearing House |
| Federated catalogue (§ 5.4–5.5) | Gaia-X Self-Descriptions |
| Runtime authorisation & observability (§ 5.7–5.8) | DTA |
| Reconciliation (§ 5.2.4.4) | DTA |
| Machine-readable contracts (§ 5.6) | DTA (pending Gaia-X specification) |
| Data-product metadata / provenance (§ 5.4) | Ongoing Gaia-X work (new ontologies) |
| Grant rights evidence (§ 5.3) | Ongoing Gaia-X work |
Aimed at addressing the realities of industrial data spaces, removing integration complexity and associated deployment costs, DTA is designed from the ground up with a modular, scalable architecture. Ultimately, this translates into concrete operational benefits: easy deployment across on-premise, SaaS, or edge environments; straightforward monitoring and auditability; seamless updates; and the ability to participate in multiple data spaces simultaneously without vendor lock-in.
What Comes Next
The foundation is in place, and the momentum is real. Gaia-X working groups are actively completing the remaining pieces: new ontologies for data products, the Data Access Contract specification, and an observability framework. Each step brings the full vision of TDT-compliant data spaces closer to reality. This is an open, collective effort.
Join the DTA Open Source Community
The DTA source code is available on the Gaia-X GitLab under an Apache 2.0 licence. Organisations across industries are invited to contribute.
Useful links
- Gaia-X Tech-X presentation: https://gaia-x.eu/wp-content/uploads/2026/06/TX26_TrustedDataTransactions_GaiaX-FInal-29-05-2026.pdf
- Gaia-X Trust Framework: https://docs.gaia-x.eu/technical-committee/architecture-document/25.11/trust_framework_architecture/
- Trusted Data Transactions harmonised European Standard – Part 1: https://www.cencenelec.eu/news-events/news/2026/en-in-the-spotlight/2026-04-30-en-18235-1-2026-data/
- DTA repository: https://gitlab.com/gaia-x/gaia-x-community/data-transfer-agent
