The report fundamentally assumes that service providers evaluate each other (sender A and receiver B of a transfer of personal data of some user) on a peer-to-peer basis: A evaluates B, B evaluates A, using a template they provide in the appendix of the report, and on that basis, A decides whether to send data to B, and B whether to accept it. Trust is needed in both directions.
/cc @DTinitiative
The report does not cover the case where a third party -- say dtinit :-) -- were to have a conformance program that A and B go through, and where they accept anybody certified as a partner in a data exchange because they have the certification.
I'm bringing this up because doing this mutual evaluation is not just an N*2 cost problem, but it is also doubtful that an individual service provider has the ability to actually ascertain other service providers' practices.
/cc @DTinitiative