Data Strategy Briefing — November 30, 2021
Expanded briefing on the provisional Data Governance Act agreement with governance, neutrality, and board oversight steps anchored in primary EU sources.
Executive briefing: On 30 November 2021 the Council of the European Union and the European Parliament reached a provisional agreement on the Data Governance Act (DGA), the first legislative pillar of the EU’s European strategy for data [1]. The compromise clarifies conditions for re-use of protected public-sector data, sets an EU-wide notification regime for data intermediation services, and recognises data altruism organisations under a formal registration scheme [1]. Leadership teams that exchange, broker, or analyse European data must convert the deal into concrete governance, contractual, and technical controls well before the regulation’s application date in September 2023 [3].
Legislative snapshot
The agreement keeps the Commission’s 2020 blueprint but folds in Parliament-backed safeguards on transparency and trust [2]. Member States must designate single information points to coordinate requests for re-use of protected public-sector data, apply transparent fee schedules, and implement security measures proportionate to the dataset’s sensitivity [1]. Exclusive arrangements for accessing public data may last no longer than 12 months (extendable to 30 months in duly justified cases) and must be published for scrutiny [2]. Data intermediation providers—such as data marketplaces and data-sharing platforms—have to notify their national supervisory authority, comply with neutrality rules that prohibit monetising data for their own benefit, and be subject to coordinated guidance issued by a new European Data Innovation Board (EDIB) [1]. Recognised data altruism organisations must register in a public EU database, provide standard consent forms, and report annually on their operations [4].
What changed in the provisional agreement
The co-legislators tightened safeguards for high-risk data and intermediaries. Parliament secured a narrower definition of “data intermediation services” to exclude ancillary analytics tools while keeping marketplaces and data-sharing cooperatives in scope [2]. The compromise reinforced functional separation: intermediaries must structurally segregate intermediation from any processing that monetises data, and any conflict of interest triggers supervisory scrutiny [1]. Member States gained flexibility to require processing within secure processing environments for particularly sensitive public-sector datasets, provided protections stay proportionate and do not hinder innovation [3]. To address international transfers, the text mandates contractual clauses that prevent public-sector datasets from being accessed by third-country authorities in ways that conflict with EU or Member State law, aligning the regime with GDPR and Schrems II risk assessments [3].
Negotiators also clarified the EDIB’s composition and influence. The Board will include representatives from national authorities, the European Data Protection Board, ENISA, and standardisation bodies, giving it power to issue consistent templates and best practices. Although the Board cannot adopt binding rules, its guidelines will shape how authorities interpret neutrality, data altruism transparency, and security controls—creating a de facto harmonisation baseline that companies should anticipate when designing compliance programmes [1].
Strategic impact
The DGA underpins the EU’s plan to create common European data spaces in sectors such as health, energy, mobility, and finance, with public investment from the Digital Europe Programme and Horizon Europe partnerships [3]. The Commission expects the EU data economy to grow from €301 billion in 2018 to €829 billion by 2025 as trust and cross-border availability increase [3]. The regulation complements existing frameworks—GDPR, the Free Flow of Non-Personal Data Regulation, the Open Data Directive—and prepares the ground for future measures, including the Data Act and sector-specific data-space regulations [3]. Organisations that adapt early gain influence over EDIB standards, codes of conduct, and certification schemes that will govern access to emerging data ecosystems.
Boards should treat the DGA as a strategic enabler rather than a narrow compliance task. It creates a trusted legal environment for sharing industrial data, strengthening research partnerships, and unlocking new digital services, while demanding demonstrable neutrality, security, and ethics safeguards [2]. Failing to comply risks suspension from national registers, fines under national implementing laws, and reputational damage that can exclude firms from EU-funded data collaborations.
Core obligations and controls
- Public-sector data reuse. Implement intake workflows that verify requester credentials, evaluate lawful re-use purposes, and enforce confidentiality requirements set by data-holding authorities. Maintain catalogues of protected datasets (trade secrets, personal data, critical infrastructure information) and document anonymisation or pseudonymisation techniques applied prior to disclosure [1].
- Data intermediation neutrality. Establish structural separation between intermediation business units and analytics or product teams, and prohibit contract clauses that allow profiling, cross-use, or resale of customer data. Deploy access controls, encryption, and logging to evidence compliance during supervisory inspections [2].
- Data altruism governance. Create transparent consent notices that explain altruistic purposes, beneficiaries, and withdrawal rights; maintain donor registries; and convene independent ethics panels to review sensitive projects, particularly in health or social services contexts [4].
- Third-country safeguards. Document assessments of third-country legal regimes when transferring non-personal data received from public-sector bodies or altruism donors, apply contractual clauses that prohibit surveillance-driven access, and notify data holders of any foreign access requests [3].
Implementation roadmap
- Baseline assessment. Inventory data marketplaces, B2B sharing agreements, and analytics partnerships. Map data categories, processing purposes, and contractual terms against DGA neutrality, transparency, and security requirements.
- Governance design. Appoint a DGA compliance owner who coordinates legal, privacy, information security, and business stakeholders. Define decision forums for approving reuse requests, data altruism projects, and third-country transfers.
- Process engineering. Standardise intake forms, consent templates, and risk assessments. Align approval checkpoints with GDPR legitimate-interest tests, sectoral secrecy laws, and intellectual property protections.
- Technology enablement. Deploy secure processing environments or privacy-enhancing technologies (PETs) such as differential privacy, federated learning, or trusted execution environments for high-risk datasets. Automate audit trails that capture who accessed which datasets, on what legal basis, and under which contractual constraints.
- Supervisory engagement. Identify competent authorities in each Member State of operation, collect beneficial ownership documentation, and draft notification packages covering governance structures and technical safeguards. Track EDIB guidance to adapt to harmonised EU practices.
- Training and change management. Educate business development and data science teams on neutrality obligations, acceptable monetisation models, and escalation triggers. Incorporate DGA compliance into vendor onboarding and partnership review processes.
Readiness timeline and milestones
- November 2021: Political agreement reached, signalling supervisory expectations and giving organisations a nine- to twelve-month window to align governance models before legal text adoption [1].
- June 2022: Regulation (EU) 2022/868 published in the Official Journal and entered into force on 23 June 2022, triggering deadlines for the Commission to develop consent templates and for Member States to designate competent authorities [3].
- September 2023: Core DGA obligations apply from 24 September 2023, including notification of intermediation services, registration of data altruism organisations, and availability of public-sector single information points [3].
- Ongoing: Delegated acts on common consent forms and technical specifications for secure processing environments may add operational detail; organisations should monitor EDIB guidance and national authority consultations.
Controls and metrics
- Control inventory. Maintain a register of DGA-mandated controls mapped to owners, evidence repositories, testing cadences, and dependencies on GDPR or NIS 2 control frameworks.
- Key risk indicators. Track the percentage of reuse requests processed within statutory timelines, the number of high-risk third-country transfers requiring additional contractual clauses, and any supervisory queries on neutrality or consent management.
- Key performance indicators. Measure growth in compliant data-sharing partnerships, reuse projects that progressed from pilot to production, and participation in EDIB-approved codes of conduct or certification schemes.
- Assurance routines. Conduct semi-annual audits covering structural separation, consent lifecycle management, incident response, and compliance with public-sector confidentiality obligations. Align findings with ISO/IEC 27701, ISO/IEC 27001, and EU Cloud Code of Conduct mappings.
Interplay with existing frameworks
Organisations must integrate DGA requirements into existing privacy, security, and digital operational resilience programmes. The DGA complements GDPR’s personal data protections by providing lawful pathways to re-use anonymised or pseudonymised public data while preventing re-identification [2]. It also interacts with the NIS 2 Directive proposal, which will impose cybersecurity and incident reporting duties on essential and important entities. Aligning DGA audit logs, encryption standards, and incident response timelines with NIS 2 expectations reduces duplication. Finally, the DGA’s trust framework anticipates the Data Act, which will address business-to-business and business-to-government data sharing in more detail [3].
Sector-specific playbooks
- Healthcare and life sciences. Prepare for the European Health Data Space by cataloguing clinical and research datasets, applying PETs for secondary use, and engaging ethics committees on altruistic data donation schemes [3].
- Energy and utilities. Map smart meter and grid data flows, ensure interoperability with national data hubs, and define neutral governance models for cross-border balancing services.
- Manufacturing and mobility. Establish industrial data spaces leveraging open standards (IDS, Gaia-X) and ensure intermediation services provide equal treatment to SMEs and large enterprises.
- Financial services. Align DGA neutrality with PSD2 open banking principles and upcoming EU open finance frameworks, preventing conflicts of interest in data brokerage for payments or insurance ecosystems.
Board oversight questions
- Do our data-sharing business models rely on monetising information we intermediate, and how will we demonstrate the structural separation and neutrality that supervisors expect [1]?
- Which public-sector datasets or data altruism partnerships will require secure processing environments, and can we evidence proportionality if challenged by authorities [3]?
- How will we detect and manage third-country access requests, and what contractual levers and technical controls (e.g., encryption key escrow within the EU) will we deploy to prevent unlawful disclosure [3]?
- Where can we co-create sectoral standards or codes of conduct with industry peers to influence EDIB guidance and accelerate approvals?
Forward look
The DGA entered into force on 23 June 2022, with most provisions applying from 24 September 2023 [3]. Organisations should budget for compliance projects across 2022–2023, align procurement and staffing timelines with supervisory notification windows, and plan for integration with the Commission’s Data Act proposal announced in February 2022 [3]. Early adopters that demonstrate trustworthy governance stand to benefit from Digital Europe and Recovery and Resilience Facility funding streams that prioritise cross-border data infrastructure.
Sources
- [1] Council of the EU press release on the Data Governance Act provisional agreement (30 Nov 2021).
- [2] European Parliament press release on the Data Governance Act negotiations.
- [3] Regulation (EU) 2022/868 on European data governance (Data Governance Act).
- [4] European Commission questions and answers on the Data Governance Act proposal.
Zeph Tech supports DGA readiness by aligning data governance, privacy engineering, and sectoral data-space participation across regulated industries.