Turning Infrastructure Events into Compliance Evidence: the OpenNebula Add-on Behind Pilot 4

Turning Infrastructure Events into Compliance Evidence: the OpenNebula Add-on Behind Pilot 4

EMERALD Pilot 4, “Hybrid Cloud-Edge Environments”, tackles continuous certification in the complex infrastructures of the financial sector, where security, sovereignty and regulatory readiness (DORA, EUCS) are non-negotiable. The pilot is led technically by OpenNebula Systems, with CaixaBank as use-case owner, bringing together multi-cloud resources from IONOS and CloudFerro alongside CaixaBank’s own infrastructure under a single control plane. For a highly regulated environment, the challenge is not only running workloads across providers, but proving, continuously and automatically, that they stay compliant wherever they run.

The OpenNebula Front-End as Evidence Collection Gateway

At the core of the pilot, the OpenNebula Front-End acts as the Evidence Collection Gateway. Its native hook system reacts to infrastructure events (virtual-machine state changes, network-interface attach and detach, image readiness, virtual-network creation) and invokes a purpose-built add-on. The add-on reads the relevant configuration, maps each event to the ontology provided by the project (the shared EMERALD evidence model), and submits it over an authenticated (OAuth 2.0) channel to the Evidence Store. The Confirmate engine, the successor to Clouditor, then assesses that evidence against the selected controls and surfaces the results in the EMERALD UI.

A milestone reached

In this reporting round the integration has been completed and validated end-to-end. The collector, migrated to Confirmate, was first exercised on OpenNebula Systems engineering environments and then against the live Pilot 4 environment, where evidence was accepted and materialised as resources against the production Target of Evaluation. In practice, this closes the loop from a change in the hybrid infrastructure to a piece of verifiable compliance evidence, with no manual collection in between, so potential non-compliance can be surfaced far sooner and evidence trails stay consistent regardless of where a workload runs.

Putting it to the test

To validate the approach in realistic conditions, Pilot 4 also went through a first informal, end-to-end audit rehearsal together with the project’s independent auditor, DNV. Run directly in the EMERALD UI on a reduced scope of controls, it combined organisational evidence extracted from policy documents with technical checks on the virtual machines. Beyond confirming the overall workflow, the exercise was a valuable dry-run ahead of the first formal EMERALD audits planned for autumn 2026, and it fed concrete improvements back to the component teams.
This is the shift EMERALD set out to demonstrate: from periodic, manual audit snapshots to continuous, automated assurance. With the core integration proven, Pilot 4 now moves on to broadening the set of controls and metrics under continuous assessment during the project’s final months.

[ TECHNICAL ADVANCEMENTS ]