← Back to all briefings
Data Strategy 5 min read Published Updated Credibility 40/100

Data Strategy Briefing — June 3, 2022

With the EU Data Governance Act published on 3 June 2022 and applying from September 2023, organisations must prepare for new rules on public-sector data re-use, data intermediation notifications, and data altruism governance.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: The EU Data Governance Act (DGA) was published in the Official Journal on 3 June 2022, entering into force on 23 June 2022 with application from 24 September 2023. The regulation establishes frameworks for re-use of public-sector data, data altruism, and data intermediation services, aiming to foster a trusted European data economy. Organisations must prepare for new notification and compliance requirements if they operate as data intermediaries or data altruism organisations, and public-sector bodies must enable secure data re-use while protecting confidentiality and intellectual property.

Key pillars

The DGA introduces four major pillars: (1) re-use of protected public-sector data (beyond the Open Data Directive); (2) data intermediation services that facilitate sharing between data holders and users; (3) data altruism frameworks enabling voluntary data sharing for the public good; and (4) the European Data Innovation Board to coordinate harmonised practices. The regulation applies across the EU and covers data subject to rights of others, including trade secrets, personal data, and intellectual property.

Re-use of public-sector data

Public-sector bodies must establish procedures to grant access to protected data for re-use, subject to safeguards such as anonymisation, pseudonymisation, or secure processing environments. They must respond to requests within set deadlines, justify refusals, and ensure non-discriminatory conditions. Fees must be transparent and limited to cost recovery. Confidentiality obligations require secure access environments, on-site or remote, with monitoring and audit controls. Businesses seeking re-use must submit detailed requests outlining purpose, security measures, and compliance with rights holders.

Member States must designate competent bodies to support public-sector entities in applying safeguards, including anonymisation expertise and security certification. Organisations requesting access should prepare compliance documentation—data protection impact assessments, trade secret handling plans, and contractual commitments. Track national implementing measures specifying request formats, fee schedules, and appeal mechanisms.

Data intermediation services

Entities providing data sharing platforms that connect data holders with users—such as marketplaces, cooperative data spaces, or industrial data exchanges—must notify the competent authority to be listed in an EU register. Requirements include legal separation from other services, transparency about terms, neutrality in matching, and safeguards against conflicts of interest. Intermediaries cannot use shared data for their own benefit and must maintain robust security, access control, and audit mechanisms. They must provide tools for users to exercise data protection rights and withdraw consent.

Service providers should assess whether their offerings qualify. If so, develop compliance programmes covering governance structures, security controls, contractual terms, and incident reporting. Implement transparency dashboards showing data sources, usage terms, and accreditation status. Prepare for supervisory inspections and reporting obligations, including annual summaries of activities.

Data altruism organisations

The DGA establishes a voluntary registration regime for organisations that collect data on altruistic grounds for specific purposes (research, healthcare, climate). Registered data altruism organisations must be non-profit, carry out activities for general interest, and comply with strict transparency and consent requirements. They must implement technical and organisational measures to protect data subjects and business confidentiality, maintain data inventories, and provide annual activity reports. The European Data Innovation Board will develop a common European data altruism consent form.

Organisations planning to collect data altruistically should evaluate eligibility, governance, and funding models. Establish independent oversight boards, adopt privacy-by-design controls, and ensure clear communication to donors about purposes and withdrawal rights. Coordinate with ethics committees and data protection authorities to align consent forms and safeguards.

Cross-border data sharing and third-country access

The DGA introduces measures to prevent unlawful third-country access to non-personal data. Data intermediation services and public-sector bodies must ensure that access complies with EU or Member State law, and third-country government requests are subject to notification and review. Contracts should include clauses requiring data recipients to challenge unlawful requests and inform authorities. Organisations should update data transfer risk assessments and incorporate contractual safeguards similar to those under GDPR.

European Data Innovation Board

The Board will coordinate national authorities, issue guidelines on interoperability, standardisation, and best practices for secure processing environments. Organisations should monitor Board recommendations, which may influence technical requirements (APIs, metadata standards) and certification schemes. Participation in sectoral data spaces (health, energy, mobility) will likely hinge on adherence to these guidelines.

Implementation roadmap

2022–early 2023: Public-sector bodies should inventory protected datasets, assess legal constraints, and design secure access environments. Data intermediaries must evaluate whether notification is required and begin designing compliance programmes. Organisations interested in data altruism should develop governance structures and draft consent materials.

Mid-2023: Submit notifications to national authorities for data intermediation services, prepare documentation for inclusion in the EU register, and establish customer onboarding processes. Public-sector bodies should finalise procedures for handling re-use requests, including training staff and publishing guidance. Test secure processing environments and audit trails.

September 2023 onwards: Ensure operational readiness for the DGA’s application date. Monitor enforcement actions and Board guidance, adapt contractual templates, and maintain compliance evidence. Track interactions with other EU data initiatives, such as the Data Act and sector-specific data spaces.

Interaction with GDPR and other laws

The DGA complements the GDPR, the Open Data Directive, and sectoral regulations. Personal data sharing still requires a lawful basis under GDPR; the DGA facilitates mechanisms (e.g., data altruism consent) but does not override privacy laws. Organisations must conduct data protection impact assessments, update records of processing, and ensure cross-border transfers comply with GDPR Chapter V. For trade secrets, align with the Trade Secrets Directive’s confidentiality obligations.

Governance and compliance structures

Establish cross-functional teams involving legal, privacy, security, and business units to oversee DGA compliance. Develop policies for handling re-use requests, vetting data recipients, managing consent, and responding to third-country orders. Implement logging, monitoring, and access controls for secure processing environments. Maintain registers of data requests, approvals, fees, and safeguards applied.

Incorporate DGA requirements into vendor contracts and data sharing agreements. For data intermediation services, ensure neutrality obligations are codified, and include liability clauses addressing misuse. For data altruism, document risk assessments, oversight board decisions, and impact evaluations.

Stakeholder engagement

Engage with national authorities, industry associations, and standardisation bodies to influence implementing guidance. Participate in European data space initiatives to understand interoperability expectations and certification schemes. Communicate with partners and customers about DGA implications, highlighting transparency measures and opportunities for data-driven innovation.

The DGA’s publication sets a clear timeline for new obligations in Europe’s data economy. Organisations that invest early in governance, secure data sharing infrastructures, and transparent consent models will be better positioned to leverage cross-sector data collaborations while meeting regulatory expectations.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • EU data strategy
  • Data governance
  • Data intermediation
Back to curated briefings