TANGO Work Package Leaders Interview Series – WP2 Requirements, Specifications and Reference Architecture

In this final installment of our interview series, we take a closer look at TANGO’s work package 2 (WP2). Apostolos Apostolaras, head of WP2, shares insights into the design of TANGO’s modular reference architecture, which enables secure, interoperable, and trustworthy data sharing across domains. We explore how this architecture addresses key challenges such as data fragmentation and governance, laying the groundwork for a decentralised, federated TANGO data space.
How would you describe the purpose of WP2 in one sentence?
To design and validate a modular Reference Architecture that underpins TANGO’s components, interfaces, and policies for interoperable, trustworthy data management.
What is the vision behind the TANGO platform, and what real-world challenges does it aim to solve?
TANGO envisions a federated “data space”, in which organisations securely share and process data under mutual trust, addressing challenges of non-harmonised datasets, lack of cross-domain interoperability, and unclear governance in sectors like smart manufacturing, hospitality, autonomous vehicles, public administration, banking and retail trade.
Can you briefly explain the three-layer TANGO architecture and how these layers interact?
The placement of TANGO’s technical components within the architecture reflects its modular and layered design, ensuring scalability and flexibility across deployment scenarios. Core functionalities are distributed into three layers: the Trust Layer, the Management Layer, and the User Layer.
The Trust Layer includes components such as the Self-Sovereign Identity (SSI) Verifier for identity validation, CP-ABE encryption modules for policy-driven data protection, and Usage Control for enforcing XACML-based access policies. The Management Layer incorporates the Deployment Orchestrator and the Configuration Manager for dynamic service orchestration.
The User Layer hosts technology offerings such as MLOps, Federated Learning, and Privacy Enhancing Components for end-user interactions.
These containerised microservices are instantiated within TANGO Connectors, which act as secure entry points for both providers and consumers, although there is a clear distinction regarding what components and how they are deployed on each side. The architecture ensures that individual components can operate independently, while interacting seamlessly to enable trustworthy and decentralised data exchanges across the ecosystem.
Why is decentralisation so important in TANGO, and how is it technically achieved?
Decentralisation prevents single points of failure, avoids vendor lock-in, and preserves each participant’s autonomy. Technically, TANGO uses the FIWARE Connector, a modular and extensible platform that supports decentralised data storage. This enables providers to maintain control over their data until it is shared with trusted consumers.
How does TANGO ensure data sovereignty and trust across multiple participants?
The distinction between providers and consumers is a central aspect of the TANGO Reference architecture, ensuring that data usage remains subject to the provider's defined policies, while enabling consumers to access and process data securely through authorised channels. By integrating SSI for decentralised authentication and XACML-based access control for fine-grained data governance, the TANGO Reference architecture provides a cohesive framework for trusted, secure, and policy-driven interactions between providers and consumers.
How do the TANGO Connectors and the Management Connector work together to enable secure, dynamic deployments?
TANGO incorporates the connector concept into its architecture, which provides a secure and isolated environment, in which data and services can be hosted. This concept also includes all the necessary functionalities for authenticating and authorising users before granting them access to data. The TANGO Connector serves as the primary entry point to the data ecosystem, facilitating secure and seamless integration. The TANGO Connector is essentially a container management system (Docker, Kubernetes) that enables communication with other Connectors and their relevant services. The TANGO Management Connector, meanwhile, is equipped with all the necessary services and modules to ensure the reliable management of the TANGO ecosystem and its transactions. It is responsible for hosting the TANGO Management and Trust Services, as well as for interacting with and configuring the TANGO Connectors.
How does the modular design of TANGO support diverse sectors and technical environments?
Data core services and data applications are decoupled into microservices with well-defined APIs. Moreover, by leveraging the connector concept, which provides a secure and isolated environment for hosting data and services, TANGO allows participants to select and configure only the components they need, regardless of whether these are installed on-premises, hosted in the cloud or distributed across industry verticals and IT landscapes.