← Back to all briefings
Data Strategy 6 min read Published Updated Credibility 40/100

Data Strategy Briefing — November 25, 2020

In-depth briefing on the now-applicable EU Data Governance Act, covering neutrality rules for data intermediaries, safeguards for protected public-sector data re-use, data altruism obligations, and operational timelines for data-space participants.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
3 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: On 25 November 2020 the European Commission tabled the Data Governance Act proposal (COM(2020)767), setting the operational backbone for common European data spaces by creating trusted data intermediaries, clarifying re-use of protected public-sector information, and introducing EU-wide data altruism status. The legislation has since been adopted as Regulation (EU) 2022/868 and is now in application, meaning organisations need mature governance models, contractual controls, and audit-ready safeguards to participate in cross-border data sharing.

Background and legislative context

The Data Governance Act (DGA) is the first horizontal pillar of the EU data strategy, complementing the Open Data Directive and paving the way for the Data Act. It establishes rules that encourage data availability while protecting legitimate interests such as trade secrets, intellectual property, and personal data. The final regulation came into force in June 2022 and has applied since 24 September 2023, with Member States designating competent authorities to supervise data intermediation services and voluntary data altruism organisations.

For public-sector bodies, the DGA sets a framework for granting access to data that are subject to rights of others (for example, commercially confidential information, personal data, or data protected by statistical confidentiality). It obliges Member States to support secure processing environments, imposes non-discrimination in terms of conditions for re-use, and allows reasonable compensation that reflects the cost of making data available. At EU level, the European Data Innovation Board (EDIB) issues guidance to promote harmonised practices and interoperability across sectoral data spaces, including health, mobility, energy, finance, and the green transition.

Private actors considering roles in data spaces must weigh how the DGA interacts with GDPR, ePrivacy, competition law, and sector-specific rules. The neutrality obligations for intermediaries and the transparency duties for data altruism bodies are designed to foster trust, prevent lock-in, and ensure that data holders and users can switch providers without undue friction.

Data intermediaries and neutrality rules

The DGA recognises several types of data intermediation services: bilateral or multilateral data exchange platforms, data cooperatives that empower individuals or SMEs, and providers enabling data subjects to exercise GDPR rights. To operate, providers must notify their competent authority, display a compliance logo, and adhere to strict neutrality principles. They cannot use the data they intermediate for their own purposes, must separate ancillary commercial activities, and must implement clear mechanisms for dispute resolution and audit.

Practically, organisations exploring registration should map technical and contractual controls that demonstrate independence. This includes functional separation of IT systems, transparent fee structures, and governance policies that document how consent, permissions, and contractual conditions are enforced. Providers should also prepare customer-facing disclosures detailing the standard terms for onward transfers, data retention periods, and the level of security required from receiving parties. Under Article 12, intermediaries must facilitate portability to competing services, making robust APIs and interoperability testing essential workstreams.

Sectoral consortia running industrial, mobility, or energy data spaces can rely on the DGA’s trust framework to define roles and liabilities. By adopting certification or code-of-conduct approaches aligned with EDIB guidance, these consortia can reassure participants that shared data will remain under transparent governance, with auditable access logs and clear termination rights.

Safeguards for public-sector data re-use

Public-sector bodies covered by the Open Data Directive face special duties when the requested data contain protected elements. The DGA requires them to implement secure processing environments—logical or physical arrangements that allow data analysis without transferring raw datasets—and to ensure that re-users comply with confidentiality and data protection obligations. Where necessary, anonymisation, pseudonymisation, or aggregation must be applied before disclosure, and re-users may need to perform impact assessments or sign standard licensing terms.

For sensitive data such as health, transport safety, or critical infrastructure records, authorities can impose proportionate conditions, including restrictions on geographic access, staff vetting, or prohibition of re-identification attempts. They must, however, process requests within reasonable timeframes and maintain an electronic register of permissions to support transparency. Organisations seeking access should be prepared to articulate legitimate interest, outline the intended use, and describe how outputs will avoid harming rights holders.

International transfers add another layer of complexity. The DGA mandates notification of transfers to third countries and allows competent authorities to suspend or prohibit access if a foreign legal order could compromise EU or Member State security, public policy, or fundamental rights. Contracts should therefore include clauses requiring the re-user to contest disproportionate disclosure requests and to notify the data provider promptly.

Data altruism and trust frameworks

The act creates a voluntary “data altruism” status for organisations that collect data based on consent or permission for objectives of general interest, such as public health, scientific research, environmental protection, or improving public services. To obtain EU-wide recognition, an organisation must be non-profit or legally independent from for-profit entities, maintain detailed records of data donations, and provide easy-to-understand consent forms.

Trusted data altruism organisations (DAOs) must register with a national authority and will appear on a public EU register. They need to implement technical and organisational measures to safeguard data subjects’ rights, including withdrawal mechanisms, ethical review processes, and controls for limiting use to stated purposes. Annual transparency reports must summarise processing activities, recipients, and safeguards. For researchers and public authorities, partnering with a recognised DAO can streamline access to diverse datasets while reducing legal uncertainty.

Compliance impacts and operational timelines

With the DGA now applicable, organisations should prioritise implementation in three waves. First, perform a gap assessment against neutrality, security, and transparency requirements, noting overlaps with GDPR accountability, ISO 27001 controls, and sector-specific standards such as ENISA cloud security guidance. Second, design operating models: establish a compliance function for intermediation services, create data-sharing playbooks, and define procedures for responding to user rights requests and portability demands. Third, prepare evidence for supervision—documentation of risk assessments, contract templates, audit trails, and business continuity plans for processing environments.

Timelines also hinge on emerging secondary legislation and guidance. Delegated acts will clarify the use of interoperability specifications and the format of compliance logos. EDIB recommendations will influence how data spaces apply role-based access, identity management, and logging. Stakeholders should therefore allocate resources for ongoing monitoring, participation in industry testbeds, and updating technical interfaces as standards mature.

The DGA’s safeguards extend to algorithmic transparency and cybersecurity expectations. Providers should implement zero-trust principles for processing environments, ensuring minimal privilege, network segmentation, and robust key management. Periodic penetration testing, vulnerability disclosure programmes, and incident notification channels aligned with NIS2 obligations will strengthen defensibility when interacting with supervisory authorities.

Strategic outlook for data-space participation

Businesses that act early can position themselves as trusted nodes in European data spaces. Industrial manufacturers can leverage intermediation services to share machine data for predictive maintenance while protecting trade secrets through access controls and contractual assurances. Mobility operators can combine traffic, vehicle, and infrastructure data to optimise routes and reduce emissions, provided they observe neutrality and transparency rules. Energy companies can support demand-response models by sharing consumption data via certified intermediaries, balancing grid stability with consumer privacy.

To capture these opportunities, organisations should embed data-space readiness into procurement and architecture decisions. Selecting platforms that support audit logging, consent orchestration, and portability-by-design will reduce retrofitting costs. Cross-functional training for legal, security, and product teams will help translate DGA obligations into day-to-day processes, from API governance to incident playbooks. Finally, aligning metrics—such as time to fulfil access requests, number of datasets available for re-use, and compliance exceptions closed—will allow leadership to track progress and demonstrate trustworthiness to partners and regulators.

Sources

Zeph Tech helps organisations operationalise the Data Governance Act by aligning governance models, processing environments, and contractual safeguards with EU requirements, enabling confident participation in emerging sectoral data spaces.

Timeline plotting source publication cadence sized by credibility.
3 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • EU data spaces
  • Data governance
  • European Union
Back to curated briefings