
Policy Briefing — EU Data Governance Act Takes Effect

The EU Data Governance Act entered into force on 23 June 2022, triggering registration, neutrality, and secure processing obligations for data intermediation services, harmonised reuse rules for protected public data, and voluntary data altruism regimes ahead of the 24 September 2023 application date.


Executive briefing: Regulation (EU) 2022/868, the Data Governance Act (DGA), entered into force on 23 June 2022, launching a 15-month countdown to application on 24 September 2023. The regulation establishes registration regimes for neutral data intermediation services, voluntary certification for recognised data altruism organisations, and harmonised conditions for re-using protected public-sector data. Enterprises offering data marketplaces, industrial data-sharing platforms, or analytics services in the EU must now design compliance programmes that meet neutrality, security, and transparency requirements while Member States stand up supervisory authorities and single information points.

The DGA complements the EU Data Strategy, building infrastructure to increase the volume of data available for innovation while safeguarding fundamental rights, trade secrets, intellectual property, and public interests. It sits alongside the forthcoming Data Act, European Health Data Space (EHDS), and sectoral data spaces (mobility, energy, manufacturing, finance). Organisations should consider the DGA a foundational regulation that sets the governance baseline for cross-sector data sharing and future obligations on business-to-business (B2B) and business-to-government (B2G) data access.

Scope and key obligations

Data intermediation services (Articles 10–17). Providers facilitating data sharing between data subjects or holders and data users must notify the competent authority in the Member State where they are established. They must remain structurally separated from other business lines, ensuring neutrality and preventing conflicts of interest. Providers have to implement technical and organisational measures to ensure that data are processed only for the purposes authorised by users, maintain audit trails, provide transparency dashboards, and allow users to port data easily. Additional obligations include:

  • Appointing a legal representative in the EU if established outside the Union (Article 11).
  • Maintaining records of data-sharing agreements and keeping data secure through appropriate cybersecurity measures (Article 12).
  • Submitting to audits, cooperating with competent authorities, and complying with suspension or prohibition orders when breaches occur (Article 13).
  • Displaying a common EU logo once registered to signal compliance (Article 23).

Public-sector data reuse (Articles 3–9). Member States must enable reuse of protected public-sector data—such as data subject to commercial confidentiality, statistical confidentiality, intellectual property rights, or personal data—under harmonised conditions. Obligations include:

  • Establishing single information points where applicants can request access and receive standard licences (Article 8).
  • Setting up secure processing environments and, where necessary, employing pseudonymisation or other technical measures before allowing reuse (Article 5).
  • Ensuring fees are transparent and proportionate to the cost of handling requests (Article 6).
  • Notifying the European Commission of categories of data that cannot be reused due to public interest considerations.

Data altruism (Articles 18–22). Organisations can voluntarily register as “data altruism organisations recognised in the Union” to facilitate data donations for objectives of general interest (e.g., healthcare research, climate action). Requirements include:

  • Non-profit legal status and operations in the EU or appointment of a legal representative.
  • Maintaining a public register of data altruism activities, consent management, and data use policies.
  • Implementing tools for individuals and companies to give, monitor, and withdraw consent.
  • Submitting annual activity reports to the competent authority and adhering to the European data altruism consent form.

The DGA also creates the European Data Innovation Board (EDIB), a multi-stakeholder expert group that will issue guidelines on interoperability, sectoral data spaces, and best practices for data altruism. Companies should monitor EDIB publications to anticipate evolving expectations.

Governance implications for enterprises

Organisations planning to provide data intermediation services must update corporate governance frameworks. Boards should approve neutrality commitments, ensure structural separation (e.g., separate legal entities or ring-fenced business units), and appoint responsible officers to interface with regulators. Risk committees should receive quarterly reports on registration status, audits, security incidents, and complaints received through dispute resolution mechanisms.

Firms offering analytics or data monetisation products should reassess business models to confirm whether they fall within the DGA definition of “data intermediation service.” Purely internal data processing or bilateral data-sharing agreements may be out of scope, but marketplaces serving multiple data holders and users will typically qualify. Legal teams must map contractual arrangements, revenue-sharing models, and governance structures to the DGA criteria.

Operational roadmap for compliance

  • Gap analysis. Conduct a cross-functional assessment comparing existing data-sharing operations with DGA requirements. Document data flows, participant roles, consent mechanisms, data security controls, and dispute handling. Identify where neutrality could be compromised (e.g., offering analytics services that compete with participants) and propose organisational changes.
  • Regulatory notification preparation. Develop notification dossiers containing company details, service descriptions, governance models, technical safeguards, and contact information for responsible persons. Prepare to submit updates when services change materially.
  • Neutrality controls. Implement Chinese-wall policies separating data intermediation functions from other business units. Restrict employee access based on role, prohibit use of non-public user data for marketing or product development, and maintain logs for supervisory review.
  • Security and interoperability. Align with ISO/IEC 27001, ISO/IEC 27701, and EU Cybersecurity Act standards. Adopt open interfaces and interoperability specifications promoted by the EDIB and sectoral data space initiatives (e.g., GAIA-X, International Data Spaces Association). Establish APIs with consent management, logging, and data portability capabilities.
  • Consent and contract management. Implement user dashboards for granting, monitoring, and revoking permissions. Standardise licence templates that reflect DGA Article 7 conditions, including prohibitions on exclusive access and requirements to notify of any data breaches.
  • Public-sector engagement. For organisations seeking reuse of protected public-sector data, create playbooks for interacting with single information points, managing secure processing environments, and complying with licence terms. Build secure rooms or virtualised environments for handling sensitive datasets.
  • Data altruism enablement. If pursuing recognition, establish governance structures (board oversight, ethics committee), create transparent consent journeys, and design reporting templates for annual submissions.

Member State implementation and monitoring

Companies should track national implementation steps. By September 2023, Member States must designate one or more competent authorities for data intermediation services and data altruism, and notify the Commission. Some may integrate responsibilities into existing digital or data protection agencies, while others could create new supervisory bodies. These authorities will maintain public registers, handle complaints, and enforce penalties, which may include fines, suspension, or prohibition of services.

Member States also need to operationalise single information points for public-sector data. Organisations should engage early with national ministries (e.g., Germany’s Federal Ministry for Economic Affairs and Climate Action, France’s Etalab, or Spain’s Secretaria de Estado de Digitalización e Inteligencia Artificial) to understand licensing procedures, fees, and technical requirements for secure processing environments.

Interaction with other EU regulations

The DGA interfaces with existing data protection, competition, and sectoral rules:

  • GDPR and ePrivacy. The DGA does not alter GDPR obligations. Controllers and processors must still identify lawful bases, conduct data protection impact assessments (DPIAs), and ensure international transfers comply with Chapter V. Intermediation services handling personal data should coordinate with data protection officers (DPOs) and integrate GDPR consent mechanisms with DGA permissions.
  • Trade secrets. Article 5 safeguards trade secrets by requiring secure environments and non-disclosure commitments. Enterprises should review trade secret inventories, implement access controls, and define liabilities in licences.
  • Competition law. Neutrality provisions align with competition policy by preventing intermediation providers from using data to gain unfair advantage. Companies should consult antitrust counsel when designing platform governance, especially if they hold significant market power.
  • Data Act and sectoral data spaces. The forthcoming Data Act will mandate data sharing for IoT products and B2G access in exceptional cases. Compliance teams should design modular governance processes that can incorporate Data Act obligations. Sectoral data spaces (e.g., European Mobility Data Space) will likely reference DGA-compliant intermediation models.

Metrics, assurance, and reporting

Establish KPIs to track readiness: percentage of data-sharing services mapped to the DGA, number of datasets onboarded with user-consent metadata, time to process permission changes, incident response times, and audit findings addressed. Maintain evidence logs (policies, training records, security assessments) for supervisory reviews. Internal audit should include DGA compliance in its annual plan, evaluating neutrality controls, access management, and adherence to licence terms.

Prepare external communications describing how the organisation supports trustworthy data sharing. Consider sustainability or ESG reports highlighting data altruism participation, contributions to data spaces, and safeguards protecting fundamental rights. Monitor European Data Innovation Board guidelines, European Commission implementing acts, and national authority FAQs for evolving expectations.

Timeline and action plan

  • 0–60 days: Launch the gap assessment, appoint a DGA programme lead, and inventory affected services and partnerships.
  • 60–150 days: Design organisational separation, update contracts, deploy consent dashboards, and draft notification dossiers.
  • 150–300 days: Engage with competent authorities, rehearse secure processing environment operations, and pilot participation in sectoral data spaces or data altruism initiatives.
  • 300+ days: Complete registration, roll out monitoring dashboards, and integrate DGA compliance into continuous improvement cycles aligned with the Data Act and EHDS rollouts.

Organisations that invest early in DGA compliance will strengthen trust with customers and public partners, accelerate participation in European data spaces, and minimise disruption when the regulation becomes fully applicable in 2023.
