Engineer a cross-border data strategy operating model

Regulatory context

Understanding the legal environment is the foundation for designing a defensible data strategy. The following subsections break down the statutory and policy requirements that shape the operating model.

European Union: Data Act obligations

The EU Data Act applies to manufacturers of connected products, providers of related services, data processing service providers, and public sector bodies. Chapter II grants users access rights to data generated through the use of connected products and associated services, while Chapter III defines business-to-business data sharing obligations under fair terms.^{Regulation (EU) 2023/2854} Article 4 requires manufacturers to design products so data is easily accessible by default, and Article 5 mandates provision of data to users or third parties in a machine-readable format without undue delay. Article 6 sets conditions for third-party requests, including confidentiality protections and compensation rules.

Chapter IV of the Data Act introduces protections against unfair contract terms for SMEs, requiring larger parties to avoid imposing clauses that limit liability or restrict use beyond what is necessary.^{Regulation (EU) 2023/2854} Chapter VI addresses switching between data processing services, requiring providers to remove commercial, technical, and contractual obstacles within 30 days and to offer functionalities supporting interoperability. Compliance with these obligations necessitates metadata standards, contractual playbooks, and monitoring tools.

2025 Data Act switching readiness

Switching obligations in Chapter VI apply from 12 September 2025, forcing cloud and edge service providers to enable contract termination without penalties, remove egress fees, and deliver functionally equivalent services during transitions.^{Data Strategy Briefing — September 5, 2025Data Strategy Briefing — August 22, 2025Regulation (EU) 2023/2854European Commission Data Act Q&A}

• Refit contracts and pricing. Update master service agreements to remove switching charges, document transitional compensation limits under Article 29, and codify 30-day termination windows for standard services.^{Data Strategy Briefing — August 22, 2025Regulation (EU) 2023/2854}
• Test interoperability pathways. Stage exit rehearsals that validate export tooling, data format compatibility, and API portability; record results to prove readiness for national competent authorities and enterprise customers.^{Data Strategy Briefing — September 5, 2025European Commission Data Act Q&A}
• Automate switching support. Build service management workflows that issue switching support within the mandated timeline, including documentation, staff assistance, and security reviews for successor providers.^{Data Strategy Briefing — September 5, 2025Regulation (EU) 2023/2854}

European Union: Data Governance Act

The Data Governance Act establishes mechanisms to increase trust in data sharing. Chapter III creates a notification and supervisory framework for data intermediaries facilitating data sharing between data subjects and data holders. Article 11 requires intermediaries to provide services through a legal entity established in the EU, implement safeguards to prevent conflicts of interest, and separate data exchange services from other commercial activities.^{Regulation (EU) 2022/868} Article 12 mandates transparency obligations, including providing data subjects with information about data usage and rights.

Chapter IV introduces data altruism organisations, requiring registration, compliance with transparency obligations, and provision of information to data subjects and legal entities about data use. Article 23 mandates that public sector bodies facilitate re-use of protected data under specific conditions, requiring secure processing environments and adherence to confidentiality requirements.^{Regulation (EU) 2022/868} These provisions compel organisations to build trusted governance structures, consent management systems, and secure data sharing platforms.

European Union: Open data and interoperability

Directive (EU) 2019/1024 extends open data obligations to public sector bodies and public undertakings, identifying high-value datasets that must be made available in machine-readable formats free of charge.^{Directive (EU) 2019/1024} Annex I lists thematic categories such as geospatial, earth observation, and mobility data. Article 5 requires technical and legal arrangements for API access, while Article 14 addresses charging rules. Private organisations partnering with public bodies must align their data interfaces and licensing models accordingly.

United States: Evidence Act and OMB M-19-23

Public Law 115-435 Title II mandates that federal agencies publish comprehensive data inventories, designate Chief Data Officers, and establish data governance bodies (Data Governance Boards) with representation from program, IT, statistical, and privacy offices.^{Public Law 115-435, Title II} Section 202 requires agencies to maintain open data inventories and provide public access to datasets in machine-readable formats. Section 203 establishes Chief Data Officer responsibilities, including coordinating data management and ensuring open data requirements are met.

OMB M-19-23 operationalises these requirements by directing agencies to build learning agendas, annual evaluation plans, capacity assessments, and data governance structures.^{OMB M-19-23 (July 2019)} It requires agencies to adopt data quality plans, inventory data assets, and implement enterprise data governance with clear roles and responsibilities. These expectations cascade to contractors and partners, who must demonstrate interoperable data architectures, robust metadata, and privacy protections.

Singapore: Digital Government Blueprint

Singapore’s Digital Government Blueprint articulates a vision for a data-driven public sector with commitments such as “digital to the core” and “serving with heart,” supported by measurable targets like making 100 percent of applicable services digital from end-to-end.^{Singapore Digital Government Blueprint (2018)} The blueprint mandates integrated data platforms, common data standards, and secure data sharing across agencies. It emphasises privacy safeguards, accountability for data quality, and cross-agency collaboration. Private-sector partners supplying digital services must align with these principles by providing metadata, API management, and audit trails.

Together, these regulations and policies demand an operating model that coordinates data access, sharing, stewardship, monetisation, and trust. The remainder of this guide translates these obligations into organisational design, tooling, metrics, and future planning.

Operating model design

An effective data strategy operating model integrates governance, product management, architecture, and change management. This section describes the roles, processes, and decision structures required to comply with regulations while delivering value.

Governance structures

Establish a Data Governance Council chaired by the Chief Data Officer (CDO) with executive representation from legal, compliance, product, engineering, privacy, and business units. Align the council’s charter with the Data Act’s requirements for ensuring user access rights and data sharing fairness, the Data Governance Act’s supervision obligations, and the Evidence Act’s governance board responsibilities.^{Regulation (EU) 2023/2854Regulation (EU) 2022/868Public Law 115-435, Title II} Document meeting agendas, risk decisions, and policy updates in a governance management tool with immutable logs.

Form subcommittees for data access requests, data sharing agreements, data quality, and privacy impact assessments. For EU markets, ensure a Data Sharing Approval Board reviews third-party requests under Articles 5–7 of the Data Act, evaluating requestor legitimacy, contractual fairness, and technical readiness.^{Regulation (EU) 2023/2854} For U.S. federal collaborations, align governance with OMB M-19-23 by maintaining learning agendas and evaluation priorities that inform data product roadmaps.^{OMB M-19-23 (July 2019)}

Stewardship and role taxonomy

Define a stewardship taxonomy encompassing data owners (accountable executives), data stewards (operational managers), data custodians (technical administrators), data product managers, and data ethicists. Align responsibilities with regulatory obligations: data owners approve access and sharing decisions; stewards maintain metadata and quality controls; custodians enforce security and interoperability; product managers prioritise datasets that serve high-value use cases; ethicists oversee consent and fairness for data altruism initiatives.

Ensure stewards maintain records demonstrating compliance with Data Governance Act transparency requirements, including consent forms, usage logs, and data altruism commitments.^{Regulation (EU) 2022/868} In U.S. operations, align stewardship documentation with Evidence Act inventory requirements by cataloguing data assets, provenance, access restrictions, and quality metrics.^{Public Law 115-435, Title II}

Core processes

Map core processes across the data lifecycle:

• Data acquisition and ingestion: Implement supplier onboarding workflows that capture licensing, usage rights, and Data Act compliance considerations, including machine-readable formats and interoperability metadata.^{Regulation (EU) 2023/2854}
• Metadata and cataloguing: Maintain enterprise data catalogs with mandatory fields covering provenance, sensitivity, legal basis, retention, and sharing constraints. Ensure catalogs generate public-facing inventory views for open data commitments under Directive (EU) 2019/1024 and Evidence Act requirements.^{Directive (EU) 2019/1024Public Law 115-435, Title II}
• Access management: Deploy request workflows that authenticate users, capture purpose, and enforce Data Act contractual safeguards. Document approvals, denials, and usage audits.^{Regulation (EU) 2023/2854}
• Data sharing agreements: Standardise contract templates that incorporate fairness clauses, liability limits compliant with Article 13 of the Data Act, and transparency obligations from the Data Governance Act.^{Regulation (EU) 2023/2854Regulation (EU) 2022/868}
• Data product development: Apply agile product management to prioritise datasets supporting learning agendas (OMB M-19-23) and high-value public datasets (Directive 2019/1024).^{OMB M-19-23 (July 2019)Directive (EU) 2019/1024}
• Monitoring and audits: Schedule compliance reviews covering access logs, contract adherence, data quality, and consent expiration. Align with supervisory expectations under the Data Governance Act and OMB M-19-23’s requirement for annual reports.

Architecture and interoperability

Implement a layered architecture comprising data lakes, warehouses, and semantic layers with APIs and event streams. Ensure interoperability through open standards (JSON-LD, OGC, DCAT-AP) to comply with the Data Act’s switching provisions and the Open Data Directive’s machine-readable requirements.^{Regulation (EU) 2023/2854Directive (EU) 2019/1024} For Singapore collaborations, align with the Digital Government Blueprint’s call for common data infrastructure and secure data exchange, using government-approved APIs and security gateways.^{Singapore Digital Government Blueprint (2018)}

Adopt privacy-enhancing technologies (PETs) such as differential privacy, secure multiparty computation, and federated analytics where needed to support data altruism and emergency data use cases under the Data Act while maintaining confidentiality obligations.^{Regulation (EU) 2023/2854} Document PET deployment in governance records to demonstrate accountability.

Change management and capability building

Institute capability programs that train staff on data sharing obligations, consent management, metadata standards, and public value measurement. Embed change networks in each business unit to champion data literacy and ensure adoption of new workflows. Provide targeted training for legal and procurement teams on Data Act contractual safeguards and Evidence Act inventory obligations. Track participation, feedback, and certification status in the enterprise learning management system.

Tooling

Tooling decisions should reinforce compliance and unlock value. The stack must integrate catalogs, governance platforms, interoperability layers, and analytics.

Data catalog and inventory management

Select an enterprise data catalog that supports automated metadata harvesting, business glossary management, lineage, and policy tagging. Configure mandatory fields to capture obligations from the Data Act (access rights, sharing conditions), Data Governance Act (consent, purpose limitations), and Evidence Act (open data designation, public dissemination status).^{Regulation (EU) 2023/2854Regulation (EU) 2022/868Public Law 115-435, Title II}

Enable public-facing inventory views for datasets designated as high-value under Directive (EU) 2019/1024. Provide APIs for developers to access metadata, supporting open data reuse and compliance with Article 10 requirements.^{Directive (EU) 2019/1024} Use automated data quality profiling to flag completeness, accuracy, and timeliness issues before datasets are published.

Consent and permissions management

Implement consent management platforms that capture granular permissions for data sharing, data altruism, and emergency access under the Data Act. Provide user interfaces for data subjects to review, grant, or revoke consent, and maintain audit trails for supervisory authorities.^{Regulation (EU) 2023/2854Regulation (EU) 2022/868} Integrate consent status with access control systems, ensuring that revocations propagate to analytics platforms and downstream systems.

For partnerships with U.S. federal agencies, ensure permissions align with Evidence Act requirements for public access and privacy protections, including tiered release levels for restricted datasets.^{Public Law 115-435, Title II}

Data sharing and collaboration platforms

Deploy secure data sharing environments that support API-based access, virtual data rooms, and privacy-preserving analytics. For Data Act emergency data requests (Chapter V), implement workflows that verify public sector authority, evaluate necessity, and log data transfers, ensuring transparency and auditability.^{Regulation (EU) 2023/2854} For data intermediaries operating under the Data Governance Act, configure separation of services, access controls, and logging to demonstrate independence and prevent conflicts of interest.^{Regulation (EU) 2022/868}

Support federated analytics to enable cross-border collaboration without centralising sensitive data. Leverage PETs to satisfy confidentiality obligations while enabling insights, especially for healthcare, mobility, and energy datasets referenced in high-value categories.

Data product lifecycle platforms

Adopt platforms that manage data product roadmaps, backlog prioritisation, and value tracking. Integrate with the data catalog to ensure traceability between product features and underlying datasets. Embed KPI dashboards showing contribution to learning agendas, regulatory reporting, and commercial outcomes. Align release management with change control procedures documented in governance records.

Analytics and measurement

Provide analytics workbenches for data scientists, analysts, and policymakers with controlled environments that enforce access policies, logging, and reproducibility. Track usage metrics to demonstrate fulfilment of Evidence Act dissemination goals and Data Act user rights. Offer pre-built models that measure service performance, public value, and trust indicators.

Deep dive: statutory obligations shaping the operating model

The EU Data Act establishes compulsory business-to-business data sharing for connected products, imposes switching obligations on cloud services, and requires transparency around algorithmic decision-making. Article 4 gives users the right to access and share data generated by their products, while Articles 23–31 set interoperability and fair contract rules for data processing service providers.^{Regulation (EU) 2023/2854} The Data Governance Act complements these rights by creating a permit regime for data intermediaries and data altruism organisations, mandating logging, transparency, and compliance monitoring for each reuse request.^{Regulation (EU) 2022/868} The Open Data Directive (EU) 2019/1024 obliges public sector bodies to publish high-value datasets in machine-readable formats with APIs, anchoring the technical baseline for your interoperability roadmap.^{Directive (EU) 2019/1024}

Outside the EU, large programmes must account for the U.S. Foundations for Evidence-Based Policymaking Act and associated OMB guidance. Agencies must maintain comprehensive data inventories, publish open data plans, and integrate learning agendas into governance forums.^{Foundations for Evidence-Based Policymaking Act of 2018U.S. Federal Data Strategy} India’s Digital Personal Data Protection Act 2023 requires organisations to appoint data protection officers, maintain grievance redressal mechanisms, and honour consent withdrawal promptly, influencing stewardship and consent orchestration designs.^{Digital Personal Data Protection Act 2023} Singapore’s Digital Government Blueprint, meanwhile, sets expectations for data classification, secure sharing, and analytics adoption within public agencies, providing a model for cross-agency data collaboration.^{Singapore Digital Government Blueprint (2018)}

International cooperation frameworks inform cross-border strategy. The OECD’s work on data governance highlights the need for stewardship roles, ethical review boards, and interoperable metadata to balance innovation with rights protection.^{OECD Data Governance} The APEC Privacy Framework and Cross-Border Privacy Rules system describe accountability mechanisms for regional data flows, influencing contractual clauses and assurance evidence for Asia-Pacific partnerships.^{APEC Privacy Framework (2015)}

Case studies: executing data strategy under regulatory scrutiny

The European Commission’s High-Value Datasets Implementing Regulation requires member states to publish geospatial, earth observation, environmental, meteorological, statistics, and mobility datasets with APIs and bulk download options, prompting investments in metadata harmonisation and stewardship training.^{Commission Implementing Regulation (EU) 2023/138} Municipal data offices—such as Helsinki’s digital twin programme—have responded by building reusable ontologies and quality dashboards that align with EU guidance.

The U.S. Department of Transportation’s 2023 Data Strategy shows how federal agencies operationalise the Evidence Act by defining mission-critical datasets, instituting governance councils, and publishing maturity roadmaps.^{U.S. DOT Data Strategy (2023)} DOT’s approach stresses data inventories, steward assignments, and privacy engineering across modal administrations, offering a template for large enterprises managing federated data estates.

Singapore’s GovTech Analytics and Artificial Intelligence (AI) Strategy demonstrates how to integrate trustworthy AI controls into a national data operating model. The strategy prioritises privacy-by-design, responsible AI assessment, and secure data exchange built atop the Singapore Government Tech Stack, reinforcing the governance practices described in this guide.^{Singapore Government Tech Stack}

Architecture and tooling blueprint

Data strategy execution hinges on robust metadata, access control, and lineage tooling. Deploy catalogues that support DCAT-AP and schema.org vocabularies so datasets can be published to European and global portals without manual conversion.^{European Commission DCAT-AP guidance} Integrate consent and contract management platforms with API gateways to enforce Data Act sharing terms, Data Governance Act permits, and DPDP consent withdrawals automatically. Adopt data fabric or mesh patterns to federate domain teams while maintaining central policy enforcement—use Apache Atlas or similar governance tools for automated lineage and policy application.

Security and privacy tooling must align with regulatory language. Implement privacy-enhancing technologies such as differential privacy, secure multiparty computation, or trusted execution environments when sharing data under DGA data altruism or cross-border collaborations. Maintain audit trails that record who accessed datasets, under which legal basis, and with what transformations; these logs become evidence for regulators and partners. Align storage and compute infrastructure with cloud switching requirements in Article 25 of the Data Act by documenting portability mechanisms and testing exit plans annually.

Stewardship dashboard and accountability

Translate regulatory expectations into actionable dashboards for data stewards, product owners, and executives. Track stewardship assignments, training completion, and escalation timelines for quality issues. Include indicators for consent fulfillment, grievance resolution (as required under India’s DPDP Act), and responsiveness to data subject requests. Align measurement with OECD value principles by quantifying how data products improve social welfare or productivity, and with APEC’s accountability model by showing third-party assurance status and cross-border transfer approvals.^{Digital Personal Data Protection Act 2023OECD Data GovernanceAPEC Privacy Framework (2015)}

Establish quarterly stewardship councils to review these dashboards, approve data sharing agreements, and update risk registers. Document decisions, rationale, and follow-up actions to provide auditable records for regulators and auditors. Tie council outputs to enterprise OKRs so data strategy progress influences budgeting, talent planning, and technology investment decisions.

Metrics

A resilient data strategy relies on metrics that capture value creation, compliance, and trust. The following categories should form the backbone of executive dashboards.

Value realisation

Measure revenue uplift, cost savings, or public service outcomes attributed to data products. Track adoption rates of new data services, time-to-value for priority use cases, and contribution to statutory learning agendas under OMB M-19-23.^{OMB M-19-23 (July 2019)} For EU operations, quantify contributions to high-value datasets and partnerships enabled by Data Act sharing obligations.

Compliance metrics

Maintain dashboards showing the percentage of connected products with Data Act-compliant data access mechanisms, turnaround time for third-party requests, and contract reviews incorporating fairness clauses.^{Regulation (EU) 2023/2854} Track Data Governance Act intermediary notifications, consent fulfillment rates, and data altruism participation.

For U.S. operations, monitor Evidence Act data inventory completeness, frequency of updates, and publication timelines. Include metrics on learning agenda progress, evaluation completions, and cross-agency collaborations.

Data quality and stewardship

Report on data quality dimensions (completeness, accuracy, timeliness, consistency) with threshold-based alerts. Document remediation plans and steward ownership. Align quality indicators with regulatory obligations—Article 12 of the Data Act requires accurate, complete, and up-to-date information for users, while OMB M-19-23 expects data quality assessments integrated into governance processes.^{Regulation (EU) 2023/2854OMB M-19-23 (July 2019)}

Trust and ethics

Track consent fulfillment, opt-out rates, privacy impact assessment completion, and grievances resolved. For data altruism initiatives, monitor the number of contributors, approved projects, and compliance with transparency obligations under the Data Governance Act.^{Regulation (EU) 2022/868} Capture public feedback and independent audits to evidence trustworthiness.

Interoperability and switching

Measure API uptime, adherence to interoperability standards, data export success rates, and switching request fulfillment timelines. Article 25 of the Data Act sets deadlines for switching data processing services, so metrics should show compliance with 30-day transition windows and portability support.^{Regulation (EU) 2023/2854}

Capability building

Report training completion for stewards, engineers, legal teams, and executives. Track certification in metadata standards, privacy engineering, and data ethics. Align with Singapore’s Digital Government Blueprint target of equipping public officers with digital skills, and demonstrate progress to leadership.^{Singapore Digital Government Blueprint (2018)}

Future watchlist

Track these developments to keep the operating model future-proof.

• EU implementing acts on high-value datasets. The European Commission is preparing implementing acts defining specific data formats and APIs for high-value dataset categories under Directive 2019/1024, which will require technical upgrades and metadata harmonisation.^{Directive (EU) 2019/1024}
• European Data Innovation Board guidelines. The Board established under the Data Governance Act will issue interoperability recommendations affecting data intermediaries and altruism organisations.^{Regulation (EU) 2022/868}
• U.S. Federal Data Strategy updates. OMB is expected to release refreshed action plans aligning with Evidence Act milestones, influencing data governance practices for federal partners and contractors.^{OMB M-19-23 (July 2019)}
• Singapore’s National AI Strategy 2.0 implementation. The government’s 2023 update emphasises trusted data flows and secure digital infrastructure, requiring alignment between AI initiatives and data strategy governance.
• International data transfer frameworks. Monitor the EU-U.S. Data Privacy Framework, UK-U.S. data bridge, and ASEAN cross-border data initiatives to ensure interoperability investments remain compliant.

Use Zeph Tech’s EU Data Act AI portability briefing and cloud switching roadmap to prioritise upgrades and coordinate with policy teams.