FAIR Guiding Sub-Principle A1.2:
the protocol allows for an authentication and authorization procedure, where necessary
Interpretation of A1.2
This principle clearly demonstrates that following the FAIR guiding principles is not the same as making all data 'open'. Some digital resources, such as data that have access restrictions based on ethical, legal or contractual constraints, require additional conditions or steps before they can be accessed. This often pertains to assuring that the access requester is indeed that requester (authentication), that the requester's profile and credentials match the access conditions of the resource (authorization), and that the intended use matches permitted use cases (e.g. for a particular purpose only) (see also R1.1, where there are requirements to provide explicit documentation about who may use the data, and for what purposes). At the level of technical implementation, an additional authentication and authorization procedure must be specified if it is not already defined by the protocol (see A1.1). A requester can be a human or a machine agent. In the latter case it is probably a proxy for a human or an organization to which the authentication and authorization protocol should be applied, in which case the machine should be expected to present the appropriate credentials. The principle requires that a FAIR resource must provide such a protocol, but the protocol itself is not further specified. In practice, an Internet of FAIR Data and Services cannot function without implementing Authentication and Authorization Infrastructure (AAI), which includes AAI for machines and should thus be ontology-based and machine-actionable (see also ).
This interpretation of A1.2 is based on 'FAIR Principles: Interpretations and Implementation Considerations'. Jacobsen et al., Data Intelligence 2020; 2 (1-2): 10–29. doi: https://doi.org/10.1162/dint_r_00024