Compliance Briefing — June 23, 2022
Operational teams now have 15 months to register EU data intermediation services, harden secure processing environments, and build data altruism governance under the Data Governance Act that took effect on 23 June 2022.
Executive briefing: With the Data Governance Act (DGA) now in force as of 23 June 2022, organisations that broker, monetise, or reuse European data must operationalise compliance ahead of the regulation’s 24 September 2023 application. The law reshapes how companies run data marketplaces, build developer ecosystems, and support altruistic data donations by imposing neutrality, transparency, and security standards backed by Member State supervision. Product, engineering, legal, and sourcing leaders should mobilise immediately to document services, separate conflicting business lines, modernise consent tooling, and prepare for inspections.
Unlike prior voluntary codes, the DGA creates binding obligations for “data intermediation services,” including B2B data-sharing platforms, dashboards that allow individuals to authorise data sharing, and collaborative research environments. It also harmonises conditions for reusing protected public-sector data (such as health, finance, and transport datasets) and sets an EU-wide badge for recognised data altruism organisations. Organisations must therefore build cross-functional programs that combine privacy engineering, cybersecurity, procurement, and commercial governance to meet the regulation’s expectations.
Prioritising services in scope
Begin by cataloguing products and partnerships that could be classified as data intermediation services under Article 2(11): platforms that intermediate between data subjects or holders and data users to allow sharing for remuneration or other considerations. Examples include:
- Industrial data exchanges where manufacturers and suppliers publish machine telemetry for predictive maintenance partners.
- Smart city dashboards that let residents authorise sharing of mobility or energy data with third-party developers.
- Cloud-based analytics hubs that aggregate datasets from multiple corporate participants and resell insights.
Flag services that operate across borders, as they may require registration in multiple Member States or appointment of a legal representative. Document whether the service merely stores data (out of scope) or actively facilitates transactions (in scope). For each candidate service, designate a business owner, compliance lead, and technical architect responsible for readiness.
Designing the compliance workstreams
- Regulatory notification and governance. Assemble the information required for Article 11 notifications: legal entity details, description of services, organisational structure, contact information for responsible officers, and a statement affirming neutrality. Map relationships with affiliates to ensure the intermediation service is structurally independent. Draft board resolutions documenting neutrality commitments and delegating authority to compliance leads.
- Neutrality-by-design. Implement organisational separation between intermediation units and any business that competes with participants. This may require ring-fenced profit-and-loss accounting, separate leadership reporting lines, independent data stores, and information barriers. Establish policies forbidding use of non-public participant data for marketing, product development, or competitive intelligence.
- Technical safeguards. Embed access control, encryption, and monitoring consistent with ISO/IEC 27001 and NIS2 readiness. Build immutable logging for all data transfers, consent changes, and administrative actions. Ensure the platform supports real-time permission revocation and data portability requests.
- Consent orchestration. Provide participants with dashboards for granting, monitoring, and withdrawing permissions, aligned with the European data altruism consent form where relevant. Integrate with identity verification (eIDAS, bank ID) and maintain time-stamped consent records that can withstand regulatory scrutiny.
- Service-level documentation. Draft standard terms of service covering liability, data quality, dispute resolution, audit rights, security obligations, and termination. Include commitments to notify participants of data breaches or changes to processing purposes. Align contractual language with DGA Article 7 conditions prohibiting exclusive access to public-sector data.
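The technical-safeguard and consent-orchestration workstreams above call for immutable, time-stamped records of consent changes and data transfers, with revocation honoured in real time. The following is an added illustration of that control and is not code from the briefing or from any named product: a hash-chained, append-only ledger in which every grant, revocation and transfer decision commits to the previous entry, so a later edit to history is detectable on verification. The event schema, the subject and partner identifiers, and the timestamps are all constructed for the example.

```python
"""Hash-chained, append-only consent and transfer ledger (added example, constructed schema)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _canonical(obj):
    # Stable serialisation so the hash does not depend on dict key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(ledger, kind, subject, purpose, actor, ts=None):
    """Append one event; its hash covers the body plus the previous entry's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {
        "seq": len(ledger),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "kind": kind,          # grant | revoke | transfer | transfer_denied
        "subject": subject,    # data subject or data holder identifier
        "purpose": purpose,    # permitted processing purpose
        "actor": actor,        # who triggered the event (subject, partner, admin)
        "prev": prev,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    ledger.append(body)
    return body


def verify_chain(ledger):
    """Recompute every hash and check the chain links; False means tampering or gaps."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def active_permissions(ledger, subject):
    """Replay grants and revocations in order; the latest event for a purpose wins."""
    granted = set()
    for e in ledger:
        if e["subject"] != subject:
            continue
        if e["kind"] == "grant":
            granted.add(e["purpose"])
        elif e["kind"] == "revoke":
            granted.discard(e["purpose"])
    return granted


def authorise_transfer(ledger, subject, purpose, actor, ts=None):
    """Gate a data transfer on the current permission state and record the decision either way."""
    if purpose not in active_permissions(ledger, subject):
        append_event(ledger, "transfer_denied", subject, purpose, actor, ts)
        return False
    append_event(ledger, "transfer", subject, purpose, actor, ts)
    return True


def demo():
    """Constructed walk-through: grant, transfer, revoke, denied transfer, then a tamper check."""
    ledger = []
    append_event(ledger, "grant", "subject-42", "predictive-maintenance", "subject-42",
                 "2022-07-01T09:00:00+00:00")
    first = authorise_transfer(ledger, "subject-42", "predictive-maintenance", "partner-A",
                               "2022-07-01T09:05:00+00:00")
    append_event(ledger, "revoke", "subject-42", "predictive-maintenance", "subject-42",
                 "2022-07-02T08:00:00+00:00")
    second = authorise_transfer(ledger, "subject-42", "predictive-maintenance", "partner-A",
                                "2022-07-02T08:01:00+00:00")
    intact = verify_chain(ledger)
    # Simulate an after-the-fact edit that would hide the withdrawal.
    tampered = [dict(e) for e in ledger]
    tampered[2]["kind"] = "grant"
    return {
        "first": first,                       # True: transfer allowed while consent active
        "second": second,                     # False: transfer refused after revocation
        "intact": intact,                     # True: untouched ledger verifies
        "tamper_detected": not verify_chain(tampered),  # True: edited entry breaks the chain
        "events": len(ledger),                # 4 events recorded, including the denial
    }


if __name__ == "__main__":
    print(demo())
```

Recording the denied transfer as its own event matters for supervision: the ledger then evidences not only that consent was withdrawn but that the platform enforced the withdrawal. Anchoring the chain head in an external, write-once store (or a periodically published digest) is what turns per-entry hashing into a tamper-evident control rather than merely an integrity check.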
Building secure processing environments
Organisations that seek to reuse protected public-sector data must demonstrate secure environments. Implement isolated computing workspaces with strict role-based access, data loss prevention, and prohibition of exporting raw data. Consider privacy-enhancing technologies (PETs) such as differential privacy, homomorphic encryption, or secure multi-party computation when sharing sensitive datasets. Document standard operating procedures for onboarding researchers, approving analyses, and generating aggregate outputs.
Member States may require audits of secure environments before granting access. Prepare architectural diagrams, penetration test reports, and compliance certifications (ISO/IEC 27001, SOC 2) for submission. Establish monitoring dashboards to evidence uptime, patch management, and incident response performance.
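The secure-environment paragraph above asks for approved analyses to leave the workspace only as aggregate outputs, with privacy-enhancing techniques such as differential privacy applied to sensitive data. As an added example, not part of the briefing and not any Member State's prescribed method, the block below shows a minimal output-release check: groups with fewer contributors than a policy threshold are suppressed outright, and released counts receive Laplace noise calibrated to a per-table privacy budget. The threshold, the epsilon value and the sample counts are constructed assumptions.

```python
"""Disclosure check for aggregate counts leaving a secure processing environment (added example)."""
import random

MIN_CELL_SIZE = 5   # assumed policy threshold: suppress groups with fewer contributors
EPSILON = 1.0       # assumed privacy budget spent per released table


def laplace_noise(rng, scale):
    # The difference of two exponentials with mean `scale` is Laplace(0, scale);
    # this keeps the block dependency-free and seedable for reproducible audits.
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def release_counts(counts, epsilon=EPSILON, min_cell=MIN_CELL_SIZE, seed=None):
    """counts: {group: exact_count}. Returns {group: released_int or None (suppressed)}."""
    rng = random.Random(seed)
    released = {}
    for group, n in counts.items():
        if n < min_cell:
            released[group] = None  # too few contributors: never leaves the environment
            continue
        # A count query has sensitivity 1, so Laplace scale 1/epsilon gives epsilon-DP.
        noisy = n + laplace_noise(rng, 1.0 / epsilon)
        released[group] = max(0, int(round(noisy)))
    return released


def suppression_log(counts, released):
    """Audit trail of which groups were withheld, for the environment's SOP records."""
    return sorted(g for g in counts if released.get(g) is None)


# Constructed sample: per-district contributor counts from a hypothetical mobility dataset.
SAMPLE_COUNTS = {
    "district-north": 120,
    "district-south": 87,
    "district-east": 3,
    "district-west": 41,
}

if __name__ == "__main__":
    out = release_counts(SAMPLE_COUNTS, seed=7)
    print(out)
    print("suppressed:", suppression_log(SAMPLE_COUNTS, out))
```

Seeding the generator is for reproducible review of a specific release, not for production use, where the noise source should be unpredictable. The two checks are complementary: suppression stops a single-person cell from being published at all, while the noise bounds what a reader can infer about any one contributor from the cells that are published.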
Preparing for data altruism certification
If pursuing recognised data altruism status, align governance with Article 20:
- Incorporate as a non-profit entity or create a dedicated foundation subsidiary. Draft by-laws mandating social-purpose objectives and independent oversight.
- Constitute an ethics committee to review proposed data uses and ensure alignment with stated objectives of general interest.
- Deploy consent tools allowing donors to specify permitted purposes, track reuse, and withdraw contributions. Provide transparency dashboards showing data use cases, recipients, and impact metrics.
- Publish annual reports covering data sources, governance decisions, security incidents, financial statements, and outcomes achieved. Prepare for inspections by competent authorities.
Embedding procurement and vendor oversight
Procurement teams must extend DGA requirements to suppliers that host or build intermediation services. Update vendor questionnaires to ask about neutrality controls, secure processing environments, and consent management capabilities. Include contractual clauses mandating cooperation with regulators, notification of incidents, and adherence to EU interoperability standards. Require vendors to maintain appropriate certifications and allow on-site audits.
For cloud providers, confirm data localisation options, logging granularity, and the ability to segregate customer environments. Evaluate whether service-level agreements cover regulatory inspections and emergency suspension scenarios. Maintain an inventory of critical vendors with assigned risk owners and remediation plans.
Aligning with data protection and cybersecurity programs
DGA compliance must interlock with GDPR, ePrivacy, and NIS2 obligations. Coordinate with data protection officers to ensure lawful bases for processing, cross-border transfer mechanisms (standard contractual clauses, adequacy), and privacy impact assessments. For intermediation services handling personal data, integrate GDPR consent management with DGA permission dashboards, ensuring a single source of truth for user authorisations.
Under the upcoming NIS2 Directive, many digital infrastructure providers will face enhanced cybersecurity requirements. Harmonise incident response plans so that a security event triggers notification obligations across DGA, GDPR, and NIS2. Conduct joint tabletop exercises simulating breaches in secure processing environments or data altruism platforms.
Metrics, reporting, and assurance
- Key risk indicators. Track the number of active intermediation services registered, outstanding supervisory queries, incidents of neutrality breaches, and average time to honour consent withdrawals.
- Quality metrics. Monitor dataset onboarding time, percentage of datasets with complete metadata, user satisfaction scores, and compliance training completion rates.
- Audit readiness. Maintain evidence binders with policies, training logs, architectural diagrams, risk assessments, and vendor contracts. Schedule internal audits to test neutrality controls, logging, and secure environment access management.
Provide quarterly dashboards to executive leadership summarising regulatory developments (e.g., European Data Innovation Board guidelines, national implementing acts), open remediation items, and planned sectoral data space participation. Ensure board minutes record oversight discussions to evidence accountability.
Implementation timeline
- 0–45 days: Complete service inventory, appoint programme sponsors, and launch the gap assessment covering governance, technology, and contracts.
- 45–120 days: Finalise organisational separation plans, upgrade consent and logging capabilities, and draft notification dossiers for competent authorities.
- 120–210 days: Submit notifications, pilot secure processing environments, and conduct supplier readiness reviews. Begin drafting data altruism governance frameworks where applicable.
- 210–360 days: Respond to regulator feedback, run incident simulations, publish transparency materials, and align reporting cycles with annual compliance statements.
By treating the DGA as an enterprise transformation initiative—rather than a narrow legal filing—organisations can unlock participation in EU data spaces, strengthen partner trust, and set the foundation for complying with the upcoming Data Act and sector-specific regulations.