Europe is building data spaces. The European Data Strategy names them as the backbone of a digital single market: shared environments where organisations exchange data under clear rules. Healthcare, mobility, agriculture, energy, government — every sector is supposed to get one. The ambition is enormous. But a quiet question sits beneath it all: who actually owns the infrastructure that makes these spaces work?
Gaia-X, the Franco-German initiative launched in 2019, was supposed to answer that question. It promised a federated architecture governed by European values: sovereignty, transparency, interoperability. On paper, the principles are sound. In practice, something different has emerged. The organisations that build the connectors, host the catalogues, and operate the trust frameworks are overwhelmingly large technology vendors — some of them the very companies European sovereignty was meant to counterbalance. The promise was a commons. The reality is trending towards a marketplace where access requires significant investment, technical capacity, and membership fees.
The problem: data spaces that exclude
The International Data Spaces Reference Architecture Model (IDS-RAM) provides a solid conceptual framework for secure, sovereign data exchange. It defines roles clearly: data providers, data consumers, brokers, identity providers, clearing houses. The architecture is well-thought-out. The problem is not the model — it is the implementations.
Building an IDS-compliant connector today typically requires licensing proprietary software or joining consortia with substantial membership fees. The reference implementations are complex, poorly documented, and tightly coupled to specific cloud providers. For a municipality with a small IT team, a research group at a university, or an NGO working on climate data, the barrier to entry is prohibitively high.
This creates a structural paradox. Data spaces are supposed to enable broad participation — to let small organisations share and benefit from data alongside large ones. But the cost and complexity of the infrastructure ensures that only well-funded parties can meaningfully participate. The commons becomes a club.
The fragmentation makes things worse. Each sector builds its own data space with its own connectors, its own identity layer, its own catalogue format. A hospital that participates in the European Health Data Space cannot easily share environmental health data with a research institute in the Green Deal Data Space, because the two spaces use incompatible infrastructure. The vision of cross-sector data exchange remains largely theoretical.
The W3C route: standards that nobody owns
There is an alternative path. The World Wide Web Consortium (W3C) has spent decades developing open standards for exactly the problems that data spaces need to solve: describing datasets, expressing access policies, tracking provenance, and validating data quality. These standards are free to use, free to implement, and governed by an international community rather than a commercial consortium.
The key standards are:
- DCAT 2 (Data Catalogue Vocabulary) — a standard way to describe datasets so they can be discovered across organisations and borders. It is already mandated by the European Commission for public sector data portals.
- ODRL 2.2 (Open Digital Rights Language) — a machine-readable language for expressing what you may and may not do with a dataset. Permissions, prohibitions, and obligations become enforceable code rather than unread legal text.
- PROV-O (Provenance Ontology) — a standard for recording who did what, when, and why. Every data transaction gets an auditable trail.
- SHACL (Shapes Constraint Language) — a way to define and validate the shape of data. If a dataset claims to follow a certain structure, SHACL can verify that claim automatically.
None of these standards require a Gaia-X membership. None of them are owned by a single vendor. They work on any cloud, any server, any programming language. Here is how they map to the services that Gaia-X federation provides:
| Gaia-X Federation Service | W3C Standard | Prisma Component |
|---|---|---|
| Identity & Trust | W3C DID | ANP identity |
| Sovereign Data Exchange | ODRL 2.2 | Federation policies |
| Federated Catalogue | DCAT 2 | SPARQL discovery |
| Compliance | SHACL | Shape validation |
The point is not that Gaia-X is wrong. The architecture it describes is valuable. The point is that you do not need permission — or a budget of hundreds of thousands of euros — to implement it. The W3C standards provide the same capabilities through open, royalty-free specifications that any organisation can adopt.
Prisma as a reference implementation
Prisma implements federated data space capabilities using exclusively W3C standards. It is not a product you buy. It is a reference implementation you can deploy, adapt, and extend.
Discovery works through DCAT 2 catalogues exposed via SPARQL endpoints. Any organisation running a Prisma node automatically publishes a machine-readable catalogue of its datasets. Other nodes can query that catalogue without needing a centralised broker. The federation is genuinely peer-to-peer: no single point of control, no single point of failure.
Access control is handled through ODRL 2.2 policies attached to every resource. When a research institute requests data from a municipality, the ODRL policy engine evaluates the request against the rules the municipality has defined. Can this organisation access this dataset? For what purpose? Under what constraints? The evaluation happens automatically, in milliseconds, with a full provenance record written via PROV-O.
Data quality is enforced through SHACL shapes. Before a dataset enters the federation, it is validated against the shapes defined for its type. If a dataset claims to describe air quality measurements, the SHACL shape verifies that it contains the required fields, in the correct formats, with valid value ranges. Bad data is rejected at the gate, not discovered months later by a frustrated analyst.
The entire stack runs on Scaleway, an EU-owned cloud provider headquartered in France. No data leaves EU jurisdiction. No US court can compel disclosure under the CLOUD Act. The source code is published on Codeberg under the Apache-2.0 licence — anyone can read it, fork it, and deploy it independently.
EU public sector: the Dutch government agrees
Prisma did not develop these architectural choices in isolation. The Dutch government’s EU public sector programme (public sector collaboration — Better Collaboration) arrived at remarkably similar conclusions through an independent process.
The EU public sector target architecture specifies open standards for data exchange across government organisations. It emphasises federated catalogues over centralised ones, machine-readable access policies over manual approval workflows, and provenance tracking as a fundamental requirement rather than an afterthought. The overlap with Prisma’s architecture is not coincidental — it reflects the fact that when you start from the same principles (sovereignty, openness, interoperability), you tend to arrive at the same standards.
Prisma serves as a working implementation of the patterns EU public sector describes. Where EU public sector defines the “what”, Prisma demonstrates the “how”. A municipality evaluating its options for EU public sector compliance can deploy a Prisma node and have a standards-compliant federation endpoint running within hours, not months.
A data space is not a product you purchase from a vendor. It is a set of agreements — technical, legal, and organisational — that enable organisations to share data on equal terms. The infrastructure that enforces those agreements should be a commons: owned by everyone, controlled by no one.
Commons require contributors
A commons only works if people contribute to it. Open standards are necessary but not sufficient. Someone has to write the code, test the interoperability, document the edge cases, and fix the bugs that only appear when real organisations use the software with real data.
Prisma is developed in the open on Codeberg, the EU-based code forge. Every design decision is documented. Every component is modular enough to use independently. You do not need to adopt the entire platform — if you only need ODRL policy enforcement or DCAT 2 catalogue publishing, you can use those components on their own.
The project is supported by NLnet, the Dutch foundation that has funded critical internet infrastructure for over twenty-five years. NLnet’s backing through the NGI (Next Generation Internet) programme ensures that Prisma’s development serves the public interest rather than a commercial roadmap.
We are looking for municipalities, research institutions, NGOs, and public sector organisations that want to participate in federated data exchange without vendor lock-in. Whether you want to deploy a node, contribute code, validate the standards mapping, or simply tell us what your organisation needs — the door is open.
Data spaces will shape how Europe manages information for decades to come. The question is whether they will be built as products, controlled by the few, or as commons, sustained by the many. Prisma is our answer. We hope you will help build yours.
Further reading
- Federation Architecture — technical documentation on Prisma’s federated data exchange
- EU Sovereignty Matrix — how Prisma scores against EU sovereignty criteria
- DCAT 2 specification — the W3C standard for data catalogue interoperability
- ODRL 2.2 specification — the W3C standard for machine-readable access policies
Questions or feedback? Reach us at info@prisma-platform.eu or visit the project on Codeberg.