EOSC-ENTRUST: How We Assess the Aridhia DRE Against European Standards

What is EOSC-ENTRUST?

EOSC-ENTRUST is an EU funded project which:

It has a number of different strands, but in this blog we will concentrate on the annual TRE survey run by the project. As a company we have spoken on a number of occasions about the lack of clarity on what constitutes a TRE, and how the profusion of acronyms (TRE, SPD, SDE) is a source of further confusion. Given this situation, we have been strong advocates of the DARE UK SATRE project, as it brings some much needed rigour to the definition of TRE, and provides a useful framework for understanding what successful TRE provision looks like.

Much like SATRE the EOSC-ENTRUST survey provides a useful tool for measuring the maturity of a particular TRE, and in this blog we compare its definitions with the existing features of the Aridhia DRE.

Additionally we will be working with our partners to provide assessments for individual instances of the Aridhia DRE for submission.

The EOSC-ENTRUST Survey

The 2026 survey is divided into nine sections, each covering a distinct aspect of TRE provision:

• Organisational details
• Functional Capabilities
• Access mechanisms
• International Accessibility & Accepted Data Types
• Auditing and Security Measures
• Computing and Analysis Services
• User Rights
• Data Discovery, Federated Analysis and Architecture
• EOSC and EHDS alignment

Organisational Details

As a third party TRE provider this is the least directly relevant to the DRE, however it still raises two important considerations for a TRE provider. What is their role under GDPR, a data controller or data processor? What is the financial status of their organisation, and to what extent are they dependent on external funding?

These are primarily questions for our hub owners to answer, but our transparent pricing and usage reporting, and our dedicated information security team can help them understand and manage these requirements.

Functional Capabilities

This section provides a high level description of the TRE, how is it hosted? What sort of data does it hold? What type of use cases does it support? It asks the provider how they define their platform. Is it a TRE, an SPE, a Data Safe Haven, or something else e.g. a UK NHS SDE? Crucially these are not presented as mutually exclusive options, which should help bring some clarity of definition, and at a minimum spark some useful discussion in the community about where these definitions overlap or where they differ.

From our perspective as a third party provider, we certainly consider the Aridhia DRE to meet the SATRE definition of a TRE, the EHDS definition of an SPE, and we provide the platform as an SDE to the Great Ormond Street and Royal Marsden hospitals.

Access Mechanisms

Managing secure data access is a fundamental feature of any TRE, and this short section covers some basic requirements. Does the platform have self service user log-in, does it support two factor authentication, and is single sign-on available?

The DRE provides all of these out of the box to our users.

International Accessibility & Accepted Data Types

As with organisational details, these questions are largely the preserve of our users as they concern questions around who has the right to access the platform e.g. internal users only or EU citizens, and what data types the platform supports. In both respects we offer our hub owners maximum flexibility.

Platform access can be restricted to specific IP addresses, or can be open to external researchers, with administrators applying their own user assessment and approval criteria. Similarly, we support a wide range of data types from structured datasets using an existing data model like OMOP, through genomic data, imaging data and audio files. It is at the platform administrator’s discretion which data types they support.

Auditing and Security Measures

Similar to access mechanisms, audit and security measures are fundamental requirements of good TRE provision. As such this section requires detail on any certifications the platform holds, and what mitigations are in place for data loss or user misuse.

The full list of certifications for the DRE is available here, these include ISO27001, HITRUST, and Cyber Essentials. Additionally, we provide as standard a number of the suggested security mitigations, including data back-ups and snapshots, audit logs, user training and further cyber security activities including regular penetration testing by external experts.

Computing and Analysis Services

This section requires the user to provide a high level overview of the services available within their TRE, what operating systems it supports, any restrictions on available tooling and if HPC or AI services can be provided through the environment.

As per accepted data types, the DRE offers a high degree of flexibility, but it is the hub owner’s decision as to how and how much they consume of these services. AIRA, our AI Research Assistance framework allows users to run offline AI models inside a secure workspace, we offer hybrid access to externally hosted HPC resources, and we place no limits on the tooling users can bring into a workspace.

User Rights

In the context of EOSC-ENTRUST, user rights refer specifically to the rights the user has within the secure environment. Can they bring their own tooling? Can they import their own software libraries and data? What access do they have to storage?

As with the computing and analysis section above, we provide our users with a large degree of flexibility, and our hub owners with the tools to manage this securely. Users can bring their own code and software libraries, but these are scanned automatically by our airlock during ingress, and their activity monitored and audited thereafter. Similarly, we put no limit on the amount of storage available to users, and they only pay for what they require.

Data Discovery, Federated Analysis and Architecture

This penultimate section is fully self explanatory, does the TRE have a discovery service, does it support federated use cases and does it adhere to any existing standards?

FAIR Data Services is the Aridhia DRE’s discovery service. It is a full featured metadata catalogue, that allows users to discover and request access to datasets. As a whole the Aridhia DRE supports a variety of federated use cases as our work with DARE UK, PHEMS and Flower shows.

With regards to existing standards, as noted above we have been strong advocates for the adoption of SATRE by TRE providers, and continue to publicly score ourselves against the specification. Our 2026 results can be viewed here.

EOSC and EHDS alignment

EHDS is undoubtedly a major topic for all TRE/SPE providers at present, clear compliance with EHDS will be necessary for any European TREs going forward and this final section asks the TRE provider to detail their EHDS alignment activities.

Over the next month we’ll be blogging on our current alignment with EHDS, how we see the platform developing, and how it can be used by both health data holders and health data users to ensure that they are managing, accessing, and analysing data in an EHDS compliant manner.