Standardizing Cloud Compliance: The Integration of SECA in the EMERALD Project

Automating compliance for cybersecurity certifications like BSI C5 or the upcoming EUCS is a critical step toward establishing sovereign European cloud solutions. EMERALD addresses this challenge by developing a continuous “Compliance-as-a-Service” (CaaS) framework. To ensure broad applicability and reduce market fragmentation, the project emphasizes the standardization of technical interfaces, particularly through the open Sovereign European Cloud API (SECA) standard.

IONOS as the Connecting Link
In this context, IONOS serves as a central link between infrastructure development and automated compliance. The company is a founding partner of the SECA API standard and simultaneously leads EMERALD’s Pilot 1, which focuses on automating compliance for Public Infrastructure-as-a-Service (IaaS). This dual role allows project partners to align open infrastructure standards directly with automated compliance auditing requirements.

Relevance of SECA for Clouditor-Discovery
A key technical component within the EMERALD framework is Clouditor-Discovery, a tool designed to automatically extract security-relevant runtime configurations from cloud environments. Currently, this tool relies on a direct integration with the proprietary IONOS Cloud-API. Within the scope of the EMERALD project, partners are actively evaluating transitioning this interface to the open SECA API standard.
Shifting the Clouditor-Discovery interface to SECA provides several distinct operational advantages:
Broad Interoperability: Because SECA is a provider-independent standard, EMERALD's assessment tools can function out of the box across any European cloud provider that supports the standard.
Avoiding Isolated Tools: Integrating a unified standard prevents the creation of isolated parallel tools, resolving a common operational challenge where non-security teams struggle to adopt fragmented compliance software.
Mitigating Vendor Lock-in: Open infrastructure standards ensure that compliance testing mechanisms are not tied to a single platform, thereby supporting European digital sovereignty.

Synergy with Open Formats
The combination of SECA and OSCAL (Open Security Controls Assessment Language) establishes a future-proof architecture for multi-cloud environments. While SECA standardizes the automated extraction of technical infrastructure metrics, EMERALD leverages OSCAL to translate these data points into formal certification controls. This collaborative approach demonstrates how a scalable, automated solution for continuous cloud compliance can advance European digital sovereignty.
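The following Go sketch is an added example, not code from the EMERALD project, Clouditor-Discovery or the SECA specification. It illustrates the architectural point made in the two sections above: once discovery is programmed against a provider-independent interface, the same assessment logic runs unchanged over every provider that implements that interface, and the per-resource results are the point where a translation into formal controls (OSCAL or otherwise) would begin. The resource fields, the metric name `StorageEncryptedAtRest`, and the sample payloads are assumptions constructed for this example; a real implementation would fetch them over the standard API rather than from canned data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Resource is a provider-neutral view of one discovered cloud resource.
// The field set is an assumption for this example, not a SECA or Clouditor schema.
type Resource struct {
	ID, Kind, Provider string
	Props              map[string]any
}

// Discoverer is the seam that keeps assessment logic independent of any one provider API.
type Discoverer interface {
	Name() string
	List() ([]Resource, error)
}

// SecaDiscoverer stands in for a provider reached through a standard API. Instead of
// HTTP calls it normalises constructed payloads, so the example runs offline.
type SecaDiscoverer struct {
	Provider string
	Payloads []map[string]any // constructed sample payloads, one per resource
}

func (d *SecaDiscoverer) Name() string { return "seca/" + d.Provider }

func (d *SecaDiscoverer) List() ([]Resource, error) {
	out := make([]Resource, 0, len(d.Payloads))
	for _, p := range d.Payloads {
		id, ok := p["id"].(string)
		if !ok || id == "" {
			return nil, errors.New(d.Name() + ": payload without id")
		}
		kind, _ := p["kind"].(string)
		props := map[string]any{}
		for k, v := range p {
			if k != "id" && k != "kind" {
				props[k] = v
			}
		}
		out = append(out, Resource{ID: id, Kind: kind, Provider: d.Provider, Props: props})
	}
	return out, nil
}

// Metric is one technical check of the kind a certification control is decomposed into.
type Metric struct {
	ID      string
	Applies func(Resource) bool
	Check   func(Resource) (ok bool, evidence string)
}

// Result is the per-resource outcome; a mapping to a formal control catalogue starts here.
type Result struct {
	MetricID, ResourceID, Provider, Evidence string
	Compliant                                bool
}

// Assess runs every applicable metric over everything a Discoverer returns.
func Assess(d Discoverer, metrics []Metric) ([]Result, error) {
	resources, err := d.List()
	if err != nil {
		return nil, err
	}
	var results []Result
	for _, r := range resources {
		for _, m := range metrics {
			if !m.Applies(r) {
				continue
			}
			ok, ev := m.Check(r)
			results = append(results, Result{MetricID: m.ID, ResourceID: r.ID, Provider: r.Provider, Evidence: ev, Compliant: ok})
		}
	}
	sort.Slice(results, func(i, j int) bool { return results[i].ResourceID < results[j].ResourceID })
	return results, nil
}

// StorageEncryptedAtRest is a hypothetical metric: block storage must report encryption enabled.
func StorageEncryptedAtRest() Metric {
	return Metric{
		ID:      "StorageEncryptedAtRest",
		Applies: func(r Resource) bool { return r.Kind == "BlockStorage" },
		Check: func(r Resource) (bool, string) {
			enc, present := r.Props["encrypted"].(bool)
			if !present {
				return false, "encrypted attribute absent" // missing evidence is a failure, not a pass
			}
			return enc, fmt.Sprintf("encrypted=%t", enc)
		},
	}
}

// SampleProviders returns two constructed providers exposing the same resource shape.
func SampleProviders() []Discoverer {
	return []Discoverer{
		&SecaDiscoverer{Provider: "provider-a", Payloads: []map[string]any{
			{"id": "vol-a1", "kind": "BlockStorage", "encrypted": true},
			{"id": "vol-a2", "kind": "BlockStorage", "encrypted": false},
			{"id": "vm-a1", "kind": "VirtualMachine"},
		}},
		&SecaDiscoverer{Provider: "provider-b", Payloads: []map[string]any{
			{"id": "vol-b1", "kind": "BlockStorage"}, // attribute missing on purpose
		}},
	}
}

func main() {
	for _, d := range SampleProviders() {
		results, err := Assess(d, []Metric{StorageEncryptedAtRest()})
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, r := range results {
			fmt.Printf("%-10s %-7s %-24s compliant=%-5t %s\n", r.Provider, r.ResourceID, r.MetricID, r.Compliant, r.Evidence)
		}
	}
}
```

The design choice worth noting is that the metric treats a missing attribute as non-compliant rather than skipping the resource: an assessment that silently passes whatever a provider's API happens not to expose would undermine the continuous-evidence goal the framework is built around.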

Figure: Conceptual workflow of the EMERALD Continuous Compliance-as-a-Service (CaaS) Framework with SECA integration.

(Source: Conceptual rendering generated via AI, based on EMERALD project technical documentation and the SECA API standard.)
