What is the EU Data Governance Act?
The EU Data Governance Act (DGA) — Regulation 2022/868 — entered into force on 23 June 2022 and became applicable on 24 September 2023. It is part of the European Strategy for Data, designed to create a single European data space and build trust in data sharing. The DGA does not replace GDPR. It creates a governance layer on top of it — new obligations for specific types of actors who facilitate or engage in data sharing.
The DGA addresses three main problems: (1) data held by public sector bodies cannot be reused because it contains personal or commercially sensitive information; (2) businesses distrust data sharing because intermediaries might use their data against them; and (3) individuals are reluctant to share personal data for societal benefit because they lack control and trust.
Pillar 1: Public Sector Data Reuse (Art. 3–9)
The Open Data Directive (2019/1024) covers data that public bodies can publish freely. The DGA covers a different, harder category: data held by public sector bodies that cannot be released as open data because it contains personal data, commercial secrets, statistical confidentiality, or third-party IP rights.
Under Art. 3–9, public sector bodies must put in place mechanisms for controlled reuse of this data: secure processing environments (data rooms), anonymisation pipelines, transparency on available data at national single information points (Art. 8), and review mechanisms for rejected requests (Art. 9). Fees must be transparent, non-discriminatory, and cost-based (Art. 6). SMEs and researchers may benefit from reduced fees.
This pillar matters for: government agencies with health, transport, energy, and financial datasets; universities and research institutions processing public sector data; companies applying to access controlled public sector data for commercial or research purposes.
Pillar 2: Data Intermediation Services (Art. 10–15)
A data intermediation service is a service that facilitates the sharing of data between data holders and data users. This covers three service types under Art. 10:
- B2B data sharing services: Platforms that facilitate sharing of data between businesses (data holders) and other businesses (data users). Examples: industrial data platforms, agricultural data exchanges, IoT data marketplaces.
- B2C (individual) data sharing services: Services that help individuals share their personal data with organisations. Examples: personal data spaces, health data wallets, MyData operators.
- Data cooperatives / pools: Services that aggregate data from multiple holders for sharing with users. Note: mere data brokerage (buying and selling data) is not a data intermediation service under the DGA.
Notification requirement (Art. 11): Before providing a data intermediation service, you must notify the national competent authority. This is not a license — it is a registration. The notification must include: legal entity name and registration, description of the service, categories of data, geographic scope, estimated start date. The competent authority must confirm receipt within 4 weeks and list you in the public register.
Ongoing obligations (Art. 12): Once notified, data intermediaries must:
- Maintain structural or functional neutrality (Art. 12(a)) — no conflicts of interest with data marketplace activities
- Not use shared data for their own commercial purposes (Art. 12(c)) — data only used to improve the service
- Apply fair, transparent, non-discriminatory terms (Art. 12(b))
- Ensure data portability and switching (Art. 12(g))
- Maintain interoperability with other data spaces and intermediaries (Art. 12(h))
- Maintain activity logs (Art. 12(i))
- Implement appropriate security measures (Art. 12(f))
- Protect international data transfers (Art. 12(m))
Pillar 3: Data Altruism Organisations (Art. 16–25)
Data altruism is the voluntary sharing of data for objectives of general interest, without any reward. The DGA creates a framework for organisations that facilitate this: they can register as recognised data altruism organisations and use the EU data altruism label.
To qualify (Art. 17): the organisation must be constituted on a non-profit basis, must be legally independent from entities that use data for commercial purposes, and must operate exclusively for objectives of general interest (scientific research, climate change monitoring, public health, improving public services, education).
Registration is with the national competent authority. A recognised organisation can use the EU label (Art. 17(2)) if recognised in multiple member states or at EU level. Annual activity reports are required (Art. 20(2)).
The standardised European data altruism consent form (Art. 21) will be specified by Commission implementing act. Until published, organisations should use GDPR-compliant consent forms that meet DGA principles (purpose limitation, withdrawable, granular).
European Data Spaces (Art. 26–31)
The DGA establishes the legal framework for European data spaces — sector-specific data sharing ecosystems. Ten data spaces are in development: health, mobility, agriculture, energy, manufacturing, financial, public administration, skills, media, and green deal. Each will have its own interoperability standards and governance.
The European Data Innovation Board (EDIB) — established under Art. 29 — advises on cross-sector standards, interoperability, and European data space governance. EDIB opinions and recommendations are non-binding but shape Commission implementing acts.
Relationship to GDPR and other EU data law
The DGA is layered on top of GDPR, not a replacement. Wherever DGA activities involve personal data, GDPR applies in full. The DGA does not create new legal bases for processing personal data — it creates governance structures for making data sharing easier and more trusted, within the GDPR framework.
The EU Data Act (Regulation 2023/2854) — applicable from September 2025 — is complementary. The Data Act focuses on IoT data and industrial data: rights of users and third parties to access data generated by connected devices, cloud switching obligations, and B2G data sharing in emergencies. The DGA governs the intermediaries and altruism organisations that might facilitate this sharing.
The Digital Markets Act is separate — it addresses competition obligations for gatekeepers of core platform services. DMA interoperability obligations (Art. 7) interact with DGA interoperability standards but are enforced by different authorities.
National competent authorities and enforcement
Each EU member state designates a national competent authority for DGA oversight. Key authorities: Germany — Bundesnetzagentur (BNetzA) for data intermediation, BfDI for data protection aspects; France — CNIL (personal data aspects) + sectoral regulators; Netherlands — Autoriteit Consument & Markt (ACM); Spain — CNMC + AEPD for privacy aspects.
Sanctions under Art. 34 are proportionate and dissuasive — member states set the specific amounts, but they must be effective. Non-notified data intermediation services, failure to maintain neutrality, and breach of data altruism registration conditions are all sanctionable. There is no EU-wide maximum like GDPR's 4% of global turnover — sanctions vary by member state.
Assess your DGA obligations
The EU Data Governance Act Compliance Checklist covers 42 DGA obligations across six domains — public sector data reuse, notification, ongoing intermediation obligations, data altruism, European data spaces, and governance. Fill in your organisation's details, assess each obligation, and generate an AI-drafted compliance report with a prioritised remediation roadmap.
Related tools
See also: Digital Markets Act Compliance Checklist, EU AI Act Compliance Checklist, GDPR Compliance Audit, GDPR Records of Processing Activities (RoPA).