← Blog Home

EU Data Governance Act: Requirements for Business Compliance

GDPR

Posted by Kevin Yun | February 16, 2026

The European Union rolled out something significant in 2022 that most people outside the data policy world barely noticed. The Data Governance Act entered into force on June 23, 2022, and became fully applicable in September 2023 after a 15-month grace period.

This isn't just another regulatory box-ticking exercise. The DGA represents a fundamental shift in how Europe thinks about data sharing, trust, and economic growth. While GDPR told us what we can't do with personal data (and boy, did it make that clear), the Data Governance Act takes a different approach. It's about what we can do, under the right conditions, with both personal and non-personal data.

And here's the thing: the DGA doesn't exist in isolation. It's part of a bigger picture called the European Strategy for Data, which aims to create a genuine single market for data across all 27 EU member states. Think of it as the infrastructure layer that makes data sharing practical, trustworthy, and legally sound.

But let's be honest. Most businesses are still wrapping their heads around what this means for daily operations. Data intermediaries, data altruism organizations, public sector data reuse… these aren't exactly terms that roll off the tongue at Monday morning meetings.

Table of contents

What the Data Governance Act actually does

The DGA creates a framework for data sharing that didn't exist before. Yes, we had data protection rules. Yes, we had open data directives. But we didn't have a coherent system for trustworthy data intermediation or mechanisms to encourage voluntary data sharing for societal benefit.

The regulation tackles three main scenarios:

First, it establishes conditions for reusing certain categories of protected public sector data. This is data that can't be released as open data because it contains commercial secrets, personal information, or intellectual property rights. Think health records that could advance medical research or transport data that might improve traffic management.

Second, it creates a notification and supervision framework for data sharing services. These are the intermediaries that connect data holders with data users. The DGA sets rules to ensure these intermediaries operate fairly and transparently.

Third, it builds a voluntary registration system for data altruism organizations. These are entities that collect data from individuals or companies who want to make it available for the common good, like scientific research or public policy development.

The scope is broad but specific. Article 1 makes clear that the DGA applies throughout the Union and covers both personal and non-personal data. But it doesn't override sector-specific legislation. If you're in a regulated industry with existing data sharing rules, those still apply.

The four pillars of the DGA

The regulation stands on four distinct structural elements. Each addresses a different barrier to data sharing that existed before September 2023.

Pillar 1: Public sector data reuse

Not all government data can be open data. Some of it is too sensitive, too commercially valuable, or too personal. But that doesn't mean it shouldn't be accessible under controlled conditions.

The DGA requires public sector bodies to publish the conditions under which they'll allow data reuse. They must establish transparent procedures for requesting access. And they need to ensure that these conditions are fair and non-discriminatory.

This matters for research institutions, policy analysts, and businesses that could derive value from government datasets. The barriers to access get lowered, but protections remain in place.

Pillar 2: Data intermediation services

This pillar creates a new category of trusted data broker. These intermediaries must remain neutral. They can't use the data they handle for purposes beyond facilitating its exchange. The DGA requires them to operate in a separate legal entity to avoid conflicts of interest.

Article 11 lays out eleven specific conditions these service providers must meet. They range from ensuring fair access procedures to maintaining high security standards to implementing competition compliance programs.

Pillar 3: Data altruism

Here's where the DGA gets interesting from a societal perspective. Data altruism means making data available voluntarily for purposes that serve the general interest. Climate research. Public health studies. Urban planning initiatives.

The regulation creates an EU register of recognized data altruism organizations. These entities get a special logo (adopted through an implementing regulation in August 2023) that identifies them as trustworthy. The QR code on the logo links directly to the public register.

Pillar 4: Cross-sector data sharing facilitation

The fourth pillar addresses technical and legal barriers to moving data across sectors and borders. It's about making sure the right data reaches the right purpose at the right time. Standardization. Interoperability. Findability.

This pillar connects directly to the Common European Data Spaces initiative, which we'll get to in a moment.

Data intermediation services explained

Let's get practical about what a data intermediation service actually looks like.

These aren't cloud storage providers. They're not data brokers in the traditional sense. They're not content platforms. The DGA specifically excludes several types of services from its definition:

  • Providers focused on copyright-protected content
  • Platforms used exclusively by one data holder
  • IoT platforms primarily ensuring device functionality
  • Data consultancies that aggregate and enrich data before selling it

What they are: entities that establish relationships between data holders and data users. They facilitate transactions without becoming data users themselves.

The notification requirement means these providers must register with their national competent authority before starting operations. The authority has 14 days to acknowledge receipt and 12 weeks to assess whether the provider meets all Article 11 conditions.

If a provider operates across multiple member states, they designate one as their main establishment. That country's authority becomes the lead supervisor, coordinating with other relevant authorities.

The table below shows the key obligations for data intermediation service providers:

Obligation Description Legal Basis
Neutrality Cannot use data for purposes beyond provision of service Article 11(1)
Separate legal entity Must operate data intermediation as distinct entity Article 11(1)
Fair access Transparent and non-discriminatory procedures for all parties Article 11(3)
Metadata usage Can only use metadata to develop the service itself Article 11(2)
Format flexibility Must accept data in received format, convert only when needed Article 11(4)
Fraud prevention Procedures to detect and prevent abusive access attempts Article 11(5)
Business continuity Guarantees for data access if provider becomes insolvent Article 11(6)
Security measures Technical and organizational safeguards for data protection Article 11(8)
Competition compliance Procedures ensuring adherence to EU and national competition law Article 11(9)
Data subject protection Must act in best interests when facilitating rights exercise Article 11(10)
Jurisdiction disclosure Must specify where data use is intended to occur Article 11(11)

Data altruism and why it matters

Data altruism sounds idealistic. And maybe it is. But it's also pragmatic.

We generate data constantly. Every connected device, every transaction, every interaction creates digital traces. Most of that data gets used commercially or sits unused. The DGA creates a pathway for people and companies to donate data for public benefit.

The recognized data altruism organization model provides structure. These entities must operate on a not-for-profit basis. They must have transparent governance. They need to maintain separation from commercial activities.

The European Commission maintains the EU register of these organizations. As of September 2023, any qualified entity can seek recognition. The process involves demonstrating compliance with specific requirements around purpose, transparency, and data handling.

Why would anyone donate data? Several reasons. Scientific advancement. Policy improvement. Social good. The DGA protects these motivations by ensuring recognized organizations can't repurpose donated data for commercial gain.

The logo system creates visibility. When you see that distinctive mark with its QR code, you know the organization has met European standards for trustworthy data altruism. It's a signal that reduces friction in the donation decision.

Public sector data reuse mechanisms

Governments collect massive amounts of data. Administrative records. Geographic information. Transport statistics. Economic indicators. Health data. Environmental measurements.

Some of this gets released as open data under the Open Data Directive. But a significant portion can't be freely published due to legitimate constraints: business confidentiality, personal privacy, intellectual property, statistical confidentiality, or security concerns.

The DGA recognizes that this protected public sector data still has value. Making it available under controlled conditions can accelerate innovation, improve research, and strengthen policy making.

Articles 3 through 5 establish the framework. Public sector bodies must publish their conditions for data reuse. They need clear procedures for submitting access requests. They should process requests in reasonable timeframes.

Competent authorities at the national level oversee these arrangements. They ensure public bodies don't discriminate in granting access. They verify that fees (if charged) are reasonable and cost-based. They handle complaints about access denials or unfair conditions.

This creates a middle ground between completely open data and completely closed data. It acknowledges legitimate protection needs while maximizing social and economic value from public sector information assets.

Common European data spaces

The DGA serves as foundational infrastructure for sector-specific data spaces. These are domains where data sharing can unlock significant value but requires trusted frameworks and common standards.

The European Commission has identified priority sectors:

Health data space: Improving treatments, advancing rare disease research, enabling precision medicine. The potential savings in the EU health sector could reach €120 billion annually. Better data sharing means faster diagnosis, more personalized care, and accelerated drug development.

Mobility data space: Real-time navigation, public transport optimization, autonomous vehicle development. Estimates suggest saving 27 million hours annually for public transport users and €20 billion in reduced labor costs for drivers.

Environmental data space: Climate change monitoring, CO2 emission tracking, emergency response for floods and wildfires. Data sharing enables better predictive models and faster intervention.

Agricultural data space: Precision farming, supply chain optimization, rural service development. Combining production data with earth observation and weather information improves sustainability and productivity.

Energy data space: Smart grid management, renewable energy integration, consumption optimization. Cross-sector data sharing supports decarbonization goals and grid stability.

Financial data space: Risk assessment, fraud detection, regulatory compliance, open banking expansion. Data sharing drives innovation while maintaining security and consumer protection.

Industrial manufacturing data space: Predictive maintenance, supply chain resilience, quality control, AI training for industrial processes. IoT data from connected machinery creates enormous optimization potential.

Public administration data space: Better statistics, evidence-based policy making, reduced administrative burden. Includes specialized spaces for public procurement data and legal information.

Skills data space: Matching education with labor market needs, recognizing qualifications across borders, enabling lifelong learning. The Europass Digital Credentials framework facilitates secure, interoperable skill verification.

Each space operates according to sector-specific rules while building on DGA principles of trust, transparency, and fair access. The spaces aren't isolated. Interoperability between them amplifies the benefits.

Who needs to comply and when

The DGA has been fully applicable since September 24, 2023. If you're operating a data intermediation service, you need to be compliant now.

Public sector bodies holding protected data must have their reuse procedures in place and published. Member states needed to designate competent authorities by the application date.

But here's what happened: ten member states missed the deadline. In December 2024, the Commission sent reasoned opinions to Czechia, Germany, Estonia, Greece, Cyprus, Luxembourg, Austria, Poland, Portugal, and Slovenia. These countries either hadn't designated authorities or hadn't given them proper powers.

This enforcement action signals that the Commission takes DGA implementation seriously. It's not optional. It's not a soft recommendation. It's binding EU law with real consequences for non-compliance.

For businesses, the compliance question depends on what you do. Are you connecting data holders with data users as your main business activity? You might be a data intermediation service provider requiring notification.

Are you collecting data donations for public interest purposes? You might benefit from recognition as a data altruism organization.

Are you trying to access protected public sector data? You need to understand the conditions and procedures the relevant authority has established.

The DGA intersects with other regulations. GDPR still applies to personal data. The Data Act (which became applicable in September 2025) creates additional rights and obligations around data access. The AI Act affects how data can be used for training AI systems.

How the DGA differs from GDPR

People often confuse these two regulations. They both deal with data, they're both EU regulations, and they both affect how businesses operate. But they serve different purposes.

GDPR protects individual rights over personal data. It restricts processing. It requires consent or another legal basis. It gives people control over their information. It's fundamentally about privacy and data protection.

The DGA facilitates data sharing under trustworthy conditions. It creates frameworks for making more data available. It applies to both personal and non-personal data. It's about unlocking value while maintaining safeguards.

Where they overlap: both require security measures, both demand transparency, both impose obligations on entities handling data. A data intermediation service dealing with personal data must comply with both regulations.

But they're not redundant. GDPR doesn't tell you how to set up a data altruism organization or how public sector bodies should handle reuse requests for commercial data. The DGA doesn't override GDPR rights like access, rectification, or erasure.

Think of GDPR as the rules of the road: speed limits, traffic signals, right of way. The DGA builds infrastructure: highways, interchanges, service stations. You need both for the system to function.

Recent enforcement actions and what they tell us

Beyond the December 2024 reasoned opinions about missing designations, enforcement activity has been relatively quiet. The regulation is still young. Many provisions require implementation through national law or administrative procedures.

The Commission published practical guidance in September 2024 titled "Implementing the Data Governance Act – guidance document." This living document provides stakeholder interpretations and clarifications. It's not legally binding but indicates official thinking about ambiguous provisions.

Several member states have launched consultation processes about their national implementation measures. Others are still working through designation procedures for competent authorities.

The real test will come as data intermediation services begin operating at scale and as data altruism organizations seek recognition. Will supervision be consistent across member states? Will notification procedures work smoothly? Will the neutral intermediary model prove viable commercially?

Early signs suggest enthusiasm mixed with confusion. The common logos introduced in August 2023 provide clear visual identification. But market uptake of data intermediation services has been gradual. The business model challenges are real. How do you monetize pure intermediation without using or enriching the data yourself?

The Digital Omnibus proposal and what comes next

Here's where things get complicated. And maybe controversial.

On November 19, 2025, the Commission proposed the Digital Omnibus regulation. This massive simplification initiative aims to streamline digital legislation, reduce compliance burdens, and boost competitiveness.

The proposal doesn't just amend regulations. It repeals several, including the Data Governance Act itself. Under the Digital Omnibus, the DGA would be absorbed into a simplified framework alongside changes to GDPR, the Data Act, NIS2, and other digital regulations.

The stated goal: reduce red tape without weakening protections. Eliminate duplicative requirements. Make compliance more manageable, especially for smaller businesses.

Critics worry this might be premature. The DGA has only been applicable since September 2023. We haven't seen how data intermediation markets will develop or what lessons emerge from data altruism registrations. Repealing it before proper evaluation seems hasty.

Supporters argue the DGA created unnecessary complexity. They point to overlapping obligations between the DGA and Data Act, confusion about which regulation applies when, and administrative burdens for authorities supervising multiple similar schemes.

The Digital Omnibus is still a proposal. It will go through the full EU legislative process: Commission proposal, Parliament amendments, Council negotiations, trilogue discussions. This takes time. Probably years.

What does this mean for businesses trying to plan compliance strategies? Stay informed but don't freeze. The DGA remains binding law until (and unless) the Digital Omnibus passes and enters into force. Compliance obligations exist now. Speculative future changes shouldn't prevent meeting current requirements.

But it does highlight regulatory uncertainty. The EU digital policy landscape continues shifting. What seems settled today might change tomorrow. Adaptive compliance frameworks that can accommodate regulatory evolution become more valuable than rigid, single-regulation approaches.

Practical compliance requirements

If you're running a data intermediation service, here's your checklist:

Before starting operations:

  1. Determine your main establishment if operating across multiple member states
  2. Prepare documentation demonstrating compliance with all Article 11 conditions
  3. Submit notification to the relevant competent authority
  4. Wait for acknowledgment (14 days) and completion of assessment (12 weeks)
  5. Establish separate legal entity for data intermediation activities
  6. Implement technical and organizational security measures
  7. Create transparent, non-discriminatory access procedures
  8. Develop fraud prevention protocols
  9. Set up business continuity guarantees

Ongoing obligations:

  • Maintain neutrality, never using data beyond facilitation purposes
  • Keep metadata usage strictly limited to service development
  • Ensure competition compliance procedures function properly
  • Update competent authority about material changes
  • Display any applicable logos correctly
  • Maintain records of data transactions and access requests
  • Cooperate with supervisory inquiries
  • Stay current on guidance documents and implementation developments

If you're seeking recognition as a data altruism organization:

  1. Establish not-for-profit legal status
  2. Develop transparent governance structures
  3. Separate data altruism activities from any commercial operations
  4. Define clear public interest purposes
  5. Create safeguards ensuring data isn't repurposed
  6. Submit recognition application to competent authority
  7. Once recognized, use the official logo with QR code correctly
  8. Maintain registration information accuracy
  9. Report to competent authority as required

If you're a public sector body with protected data:

  1. Publish conditions for data reuse clearly
  2. Establish transparent request procedures
  3. Set reasonable processing timeframes
  4. Ensure fees (if any) are cost-based and justified
  5. Apply conditions non-discriminatorily
  6. Coordinate with your competent authority
  7. Keep records of reuse agreements
  8. Review and update procedures regularly

The Commission's September 2024 guidance document provides detailed examples and interpretations. It's worth reading carefully if you're implementing any DGA requirements.

Implementing DGA compliance with ComplyDog

Data governance regulations like the DGA create obligations that intersect with existing privacy and security requirements. Managing compliance across multiple frameworks becomes exponentially more complex as regulations accumulate.

This is where integrated compliance platforms become valuable. Rather than maintaining separate systems for GDPR, DGA, Data Act, and other regulations, businesses need unified approaches that address common requirements once while meeting specific obligations for each framework.

ComplyDog provides comprehensive GDPR compliance tools that extend naturally to data governance requirements. The platform's record of processing activities functionality, consent management systems, and data mapping capabilities support both privacy protection and data sharing governance.

For data intermediation services, maintaining detailed records of data flows, access requests, and compliance measures is crucial. ComplyDog's documentation features help meet Article 11 obligations while demonstrating regulatory compliance to supervisory authorities.

For organizations participating in data altruism or accessing public sector data, managing consents, documenting purposes, and ensuring transparent governance requires systematic approaches. Compliance software creates audit trails, maintains version histories, and generates reports that satisfy both internal governance needs and external accountability requirements.

The interconnection between GDPR and DGA means compliance with one often supports compliance with the other. Personal data involved in data sharing must meet privacy requirements. Documentation created for GDPR purposes often satisfies DGA transparency obligations. Security measures implemented for data protection serve data governance goals.

Rather than treating each regulation as a separate project, businesses benefit from viewing them as components of an overall data governance framework. ComplyDog helps organizations build that framework systematically, reducing duplication while ensuring nothing falls through gaps between regulatory requirements.

As the Digital Omnibus proposal demonstrates, the regulatory landscape will continue changing. Compliance solutions that adapt to regulatory evolution without requiring complete rebuilding provide long-term value beyond immediate checkbox compliance. The goal isn't just meeting today's requirements but building sustainable governance practices that accommodate tomorrow's changes.

Data governance isn't just about avoiding fines. Done properly, it enables innovation, builds trust with stakeholders, and creates competitive advantages. The DGA reflects this reality by facilitating valuable data sharing rather than simply restricting it. Compliance tools that support both protection and productive use align with this balanced approach to data governance in the modern economy.

Popular Posts
popular post 1

The 7 Essential Principles at the Heart of GDPR Compliance
popular post 1

GDPR Cookie Consent (Banner): An Essential Guide, Checklist, and Examples
popular post 1

OpenAI's €15 Million GDPR Fine: What It Means for AI Companies
popular post 1

GDPR Software ROI: Is It Worth the Investment?
popular post 1

GDPR and the Consequences of Non-Compliance: What B2B SaaS Companies Need to Know
popular post 1

New to ComplyDog? Your Guide to Getting Started
popular post 1

What is a DPA? Data Processing Agreement for GDPR Explained
popular post 1

GDPR Compliance Checklist For B2B SaaS Companies
popular post 1

GDPR Implementation Examples: Success Stories for B2B SaaS Companies

You might also enjoy

AI Act amendments: What companies need to know about upcoming revisions
GDPR

AI Act amendments: What companies need to know about upcoming revisions

The upcoming revisions to the EU AI Act will impact AI compliance, risk classification, foundation model regulation, enforcement mechanisms, and industry-specific requirements, requiring companies to adapt their strategies accordingly.

Posted by Kevin Yun | November 22, 2025
What Are Data Governance Tools and Why You Need Them
GDPR

What Are Data Governance Tools and Why You Need Them

Discover how data governance tools are essential software solutions that help organizations manage, protect, and ensure compliance of their data assets in today's complex regulatory landscape.

Posted by Kevin Yun | November 1, 2025
Pillars of Data Governance: Framework Implementation
GDPR

Pillars of Data Governance: Framework Implementation

Effective data governance rests on four pillars—data quality, stewardship, protection, and management—that create a reliable foundation for compliance, trust, and informed decision-making in modern organizations.

Posted by Kevin Yun | October 29, 2025

Choose the easy way to become GDPR compliant

Start your 14-day free trial of ComplyDog today. No credit card required.

Try It Free ➔

Trusted by B2B SaaS businesses

Blink Growsurf Requestly Odown Wonderchat