EU Data Governance Act
Operational teams now have 15 months to register EU data intermediation services, harden secure processing environments, and build data altruism governance under the Data Governance Act that took effect on 23 June 2022.
With the Data Governance Act (DGA) now in force as of 23 June 2022, teams that broker, monetise, or reuse European data must operationalize compliance ahead of the regulation’s 24 September 2023 application. The law reshapes how companies run data marketplaces, build developer ecosystems, and support altruistic data donations by imposing neutrality, transparency, and security standards backed by Member State supervision. Product, engineering, legal, and sourcing leaders should mobilize immediately to document services, separate conflicting business lines, modernize consent tooling, and prepare for inspections.
Unlike prior voluntary codes, the DGA creates binding obligations for “data intermediation services,” including B2B data-sharing platforms, dashboards that allow individuals to authorize data sharing, and collaborative research environments. It also harmonizes conditions for reusing protected public-sector data (such as health, finance, and transport datasets) and sets an EU-wide badge for recognized data altruism teams. Teams must therefore build cross-functional programs that combine privacy engineering, cybersecurity, procurement, and commercial governance to meet the regulation’s expectations.
Prioritizing services in scope
Begin by cataloguing products and partnerships that could be classified as data intermediation services under Article 2(11): platforms that intermediate between data subjects or holders and data users to allow sharing for remuneration or other considerations. Examples include:
- Industrial data exchanges where manufacturers and suppliers publish machine telemetry for predictive maintenance partners.
- Smart city dashboards that let residents authorize sharing of mobility or energy data with third-party developers.
- Cloud-based analytics hubs that aggregate datasets from multiple corporate participants and resell insights.
Flag services that operate across borders, as they may require registration in multiple Member States or appointment of a legal representative. Document whether the service merely stores data (out of scope) or actively facilitates transactions between the parties (in scope). For each candidate service, designate a business owner, compliance lead, and technical architect responsible for readiness.
Designing the compliance workstreams
- Regulatory notification and governance. Assemble the information required for Article 11 notifications: legal entity details, description of services, organizational structure, contact information for responsible officers, and a statement affirming neutrality. Map relationships with affiliates to ensure the intermediation service is structurally independent. Draft board resolutions documenting neutrality commitments and delegating authority to compliance leads.
- Neutrality-by-design. Implement organizational separation between intermediation units and any business that competes with participants. This may require ring-fenced profit-and-loss accounting, separate leadership reporting lines, independent data stores, and information barriers. Establish policies forbidding use of non-public participant data for marketing, product development, or competitive intelligence.
- Technical safeguards. Embed access control, encryption, and monitoring consistent with ISO/IEC 27001 and NIS2 readiness. Build immutable logging for all data transfers, consent changes, and administrative actions. Ensure the platform supports real-time permission revocation and data portability requests.
- Consent orchestration. Provide participants with dashboards for granting, monitoring, and withdrawing permissions, aligned with the European data altruism consent form where relevant. Integrate with identity verification (eIDAS, bank ID) and maintain time-stamped consent records that can withstand regulatory scrutiny.
- Service-level documentation. Draft standard terms of service covering liability, data quality, dispute resolution, audit rights, security obligations, and termination. Include commitments to notify participants of data breaches or changes to processing purposes. Align contractual language with DGA Article 7 conditions prohibiting exclusive access to public-sector data.
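As an added illustration (not code from the page's authors) of the time-stamped consent records, immediate revocation, and immutable logging that the Technical safeguards and Consent orchestration items call for, the Python sketch below hash-chains every grant and withdrawal so that any later edit, deletion, or reordering of history is detectable; the subject, recipient, and purpose identifiers are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry

def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so an identical record always hashes identically
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only consent log in which each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []
    def _append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **event}
        body["hash"] = _digest(body)
        self.entries.append(body)
    def record(self, kind: str, subject: str, recipient: str, purpose: str, ts=None) -> None:
        # kind is "grant" or "withdraw"; ts defaults to a UTC ISO-8601 time stamp
        ts = ts or datetime.now(timezone.utc).isoformat()
        self._append({"type": kind, "subject": subject, "recipient": recipient, "purpose": purpose, "ts": ts})
    def is_permitted(self, subject: str, recipient: str, purpose: str) -> bool:
        # The latest event for a (subject, recipient, purpose) triple wins, so a
        # withdrawal takes effect on the very next authorization check.
        state = False
        for e in self.entries:
            if (e["subject"], e["recipient"], e["purpose"]) == (subject, recipient, purpose):
                state = e["type"] == "grant"
        return state
    def verify(self) -> bool:
        # Re-derive every hash and link; an edit, deletion or reorder breaks the chain
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo() -> tuple:
    led = ConsentLedger()
    key = ("resident-42", "mobility-app", "route-analytics")  # constructed sample identifiers
    led.record("grant", *key, ts="2023-10-01T09:00:00+00:00")
    before = led.is_permitted(*key)
    led.record("withdraw", *key, ts="2023-10-02T12:30:00+00:00")
    after, intact = led.is_permitted(*key), led.verify()
    led.entries[1]["type"] = "grant"  # tamper: rewrite the withdrawal as a grant in place
    return before, after, intact, led.verify()  # (True, False, True, False)
```

A hash chain only proves integrity relative to its newest hash, so anchor that head hash outside the platform (signed, or written to WORM storage) before treating the log as immutable evidence.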
Building secure processing environments
Teams that seek to reuse protected public-sector data must demonstrate secure processing environments. Implement isolated computing workspaces with strict role-based access, data loss prevention, and a prohibition on exporting raw data. Consider privacy-enhancing technologies (PETs) such as differential privacy, homomorphic encryption, or secure multi-party computation when sharing sensitive datasets. Document standard operating procedures for onboarding researchers, approving analyses, and generating aggregate outputs.
Member States may require audits of secure environments before granting access. Prepare architectural diagrams, penetration test reports, and compliance certifications (ISO/IEC 27001, SOC 2) for submission. Establish monitoring dashboards to evidence uptime, patch management, and incident response performance.
Preparing for data altruism certification
If pursuing recognized data altruism status, align governance with Article 20:
- Incorporate as a non-profit entity or create a dedicated foundation subsidiary. Draft by-laws mandating social-purpose objectives and independent oversight.
- Constitute an ethics committee to review proposed data uses and ensure alignment with stated objectives of general interest.
- Deploy consent tools allowing donors to specify permitted purposes, track reuse, and withdraw contributions. Provide transparency dashboards showing data use cases, recipients, and impact metrics.
- Publish annual reports covering data sources, governance decisions, security incidents, financial statements, and outcomes achieved. Prepare for inspections by competent authorities.
Embedding procurement and vendor oversight
Procurement teams must extend DGA requirements to suppliers that host or build intermediation services. Update vendor questionnaires to ask about neutrality controls, secure processing environments, and consent management capabilities. Include contractual clauses mandating cooperation with regulators, notification of incidents, and adherence to EU interoperability standards. Require vendors to maintain appropriate certifications and allow on-site audits.
For cloud providers, confirm data localization options, logging granularity, and the ability to segregate customer environments. Evaluate whether service-level agreements cover regulatory inspections and emergency suspension scenarios. Maintain an inventory of critical vendors with assigned risk owners and remediation plans.
Aligning with data protection and cybersecurity programs
DGA compliance must interlock with GDPR, ePrivacy, and NIS2 obligations. Coordinate with data protection officers to ensure lawful bases for processing, cross-border transfer mechanisms (standard contractual clauses, adequacy), and privacy impact assessments. For intermediation services handling personal data, integrate GDPR consent management with DGA permission dashboards, ensuring a single source of truth for user authorizations.
Under the upcoming NIS2 Directive, many digital infrastructure providers will face heightened cybersecurity requirements. Harmonize incident response plans so that a security event triggers notification obligations across DGA, GDPR, and NIS2. Conduct joint tabletop exercises simulating breaches in secure processing environments or data altruism platforms.
Metrics, reporting, and assurance
- Key risk indicators. Track the number of active intermediation services registered, outstanding supervisory queries, incidents of neutrality breaches, and average time to honor consent withdrawals.
- Quality metrics. Monitor dataset onboarding time, percentage of datasets with complete metadata, user satisfaction scores, and compliance training completion rates.
- Audit readiness. Maintain evidence binders with policies, training logs, architectural diagrams, risk assessments, and vendor contracts. Schedule internal audits to test neutrality controls, logging, and secure environment access management.
Provide quarterly dashboards to executive leadership summarizing regulatory developments (for example, European Data Innovation Board guidelines, national implementing acts), open remediation items, and planned sectoral data space participation. Ensure board minutes record oversight discussions to evidence accountability.