Data StrategyEU data strategy
With the EU Data Governance Act published on 3 June 2022 and applying from September 2023, teams must prepare for new rules on public-sector data re-use, data intermediation notifications, and data altruism governance.
Fact-checked and reviewed — Kodi C.
The EU Data Governance Act (DGA) was published in the Official Journal on 3 June 2022, entering into force on 23 June 2022 with application from 24 September 2023. The regulation establishes frameworks for re-use of public-sector data, data altruism, and data intermediation services, aiming to foster a trusted European data economy. Teams must prepare for new notification and compliance requirements if they operate as data intermediaries or data altruism teams, and public-sector bodies must enable secure data re-use while protecting confidentiality and intellectual property.
Key pillars
The DGA introduces four major pillars: (1) re-use of protected public-sector data (beyond the Open Data Directive); (2) data intermediation services that help sharing between data holders and users; (3) data altruism frameworks enabling voluntary data sharing for the public good; and (4) the European Data Innovation Board to coordinate harmonized practices. The regulation applies across the EU and covers data subject to rights of others, including trade secrets, personal data, and intellectual property.
Re-use of public-sector data
Public-sector bodies must establish procedures to grant access to protected data for re-use, subject to safeguards such as anonymization, pseudonymization, or secure processing environments. They must respond to requests within set deadlines, justify refusals, and ensure non-discriminatory conditions. Fees must be transparent and limited to cost recovery. Confidentiality obligations require secure access environments, on-site or remote, with monitoring and audit controls. Businesses seeking re-use must submit detailed requests outlining purpose, security measures, and compliance with rights holders.
Member States must designate competent bodies to support public-sector entities in applying safeguards, including anonymization expertise and security certification. Teams requesting access should prepare compliance documentation—data protection impact assessments, trade secret handling plans, and contractual commitments. Track national implementing measures specifying request formats, fee schedules, and appeal mechanisms.
Data intermediation services
Entities providing data sharing platforms that connect data holders with users—such as marketplaces, cooperative data spaces, or industrial data exchanges—must notify the competent authority to be listed in an EU register. Requirements include legal separation from other services, transparency about terms, neutrality in matching, and safeguards against conflicts of interest. Intermediaries cannot use shared data for their own benefit and must maintain strong security, access control, and audit mechanisms. They must provide tools for users to exercise data protection rights and withdraw consent.
Service providers should assess whether their offerings qualify. If so, develop compliance programs covering governance structures, security controls, contractual terms, and incident reporting. Implement transparency dashboards showing data sources, usage terms, and accreditation status. Prepare for supervisory inspections and reporting obligations, including annual summaries of activities.
Data altruism teams
The DGA sets up a voluntary registration regime for teams that collect data on altruistic grounds for specific purposes (research, healthcare, climate). Registered data altruism teams must be non-profit, carry out activities for general interest, and comply with strict transparency and consent requirements. They must implement technical and organizational measures to protect data subjects and business confidentiality, maintain data inventories, and provide annual activity reports. The European Data Innovation Board will develop a common European data altruism consent form.
Teams planning to collect data altruistically should evaluate eligibility, governance, and funding models. Establish independent oversight boards, adopt privacy-by-design controls, and ensure clear communication to donors about purposes and withdrawal rights. Coordinate with ethics committees and data protection authorities to align consent forms and safeguards.
Cross-border data sharing and third-country access
The DGA introduces measures to prevent unlawful third-country access to non-personal data. Data intermediation services and public-sector bodies must ensure that access complies with EU or Member State law, and third-country government requests are subject to notification and review. Contracts should include clauses requiring data recipients to challenge unlawful requests and inform authorities. Teams should update data transfer risk assessments and incorporate contractual safeguards similar to those under GDPR.
European Data Innovation Board
The Board will coordinate national authorities, issue guidelines on interoperability, standardization, and good practices for secure processing environments. Teams should monitor Board recommendations, which may influence technical requirements (APIs, metadata standards) and certification schemes. Participation in sectoral data spaces (health, energy, mobility) will probably hinge on adherence to these guidelines.
How to implement this
2022–early 2023: Public-sector bodies should inventory protected datasets, assess legal constraints, and design secure access environments. Data intermediaries must evaluate whether notification is required and begin designing compliance programs. Teams interested in data altruism should develop governance structures and draft consent materials.
Mid-2023: Submit notifications to national authorities for data intermediation services, prepare documentation for inclusion in the EU register, and establish customer onboarding processes. Public-sector bodies should finalize procedures for handling re-use requests, including training staff and publishing guidance. Test secure processing environments and audit trails.
September 2023 onwards: Ensure operational readiness for the DGA’s application date. Monitor enforcement actions and Board guidance, adapt contractual templates, and maintain compliance evidence. Track interactions with other EU data initiatives, such as the Data Act and sector-specific data spaces.
Interaction with GDPR and other laws
The DGA complements the GDPR, the Open Data Directive, and sectoral regulations. Personal data sharing still requires a lawful basis under GDPR; the DGA helps mechanisms (for example, data altruism consent) but does not override privacy laws. Teams must conduct data protection impact assessments, update records of processing, and ensure cross-border transfers comply with GDPR Chapter V. For trade secrets, align with the Trade Secrets Directive’s confidentiality obligations.
Governance and compliance structures
Establish cross-functional teams involving legal, privacy, security, and business units to oversee DGA compliance. Develop policies for handling re-use requests, vetting data recipients, managing consent, and responding to third-country orders. Implement logging, monitoring, and access controls for secure processing environments. Maintain registers of data requests, approvals, fees, and safeguards applied.
Incorporate DGA requirements into vendor contracts and data sharing agreements. For data intermediation services, ensure neutrality obligations are codified, and include liability clauses addressing misuse. For data altruism, document risk assessments, oversight board decisions, and impact evaluations.
Stakeholder management
Engage with national authorities, industry associations, and standardization bodies to influence implementing guidance. Participate in European data space initiatives to understand interoperability expectations and certification schemes. Communicate with partners and customers about DGA implications, highlighting transparency measures and opportunities for data-driven innovation.
The DGA’s publication sets a clear timeline for new obligations in Europe’s data economy. Teams that invest early in governance, secure data sharing infrastructures, and transparent consent models will be better positioned to use cross-sector data collaborations while meeting regulatory expectations.
Continue in the Data Strategy pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Data Strategy Operating Model Guide
Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…
-
Data Interoperability Engineering Guide
Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.
-
Data Stewardship Operating Model Guide
Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…
Coverage intelligence
- Published
- Coverage pillar
- Data Strategy
- Source credibility
- 73/100 — medium confidence
- Topics
- EU data strategy · Data governance · Data intermediation
- Sources cited
- 3 sources (eur-lex.europa.eu, digital-strategy.ec.europa.eu, iso.org)
- Reading time
- 6 min
Source material
- Regulation (EU) 2022/868 of the European Parliament and of the Council — Official Journal of the European Union
- Data Governance Act — European Commission
- ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization
Comments
Community
We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.
No approved comments yet. Add the first perspective.