Glossary · EU Data Regulation Data Governance Act (Regulation (EU) 2022/868 — Data Governance Act (DGA))
EU regulation, in force since September 2023, establishing the framework for trustworthy re-use of public-sector data, data intermediation services, and data altruism. Distinct from (and earlier than) the Data Act. Creates a new regulated category — data intermediation service providers — and establishes the European Data Innovation Board.
## What the Data Governance Act actually is
The Data Governance Act (DGA, Regulation EU 2022/868) is the EU's framework for *making data flow* within a sovereignty-aware governance structure. Adopted in May 2022 and applicable since 24 September 2023, it predates the more famous Data Act (2024) and addresses a different problem.
Where GDPR is about *protecting* personal data and the Data Act is about *who can use* IoT-generated data, the DGA is specifically about *enabling re-use* of data that already exists — particularly public-sector data and data shared through new "data intermediation" structures — while preserving sovereignty, consent, and trust.
## The three pillars of the DGA
The DGA structures its rules around three operational areas.
### 1. Re-use of public-sector data
Member States must designate competent bodies to enable controlled re-use of public-sector data that contains:
- **Personal data** (with appropriate technical and legal safeguards)
- **Commercially confidential data**
- **Intellectual-property-protected data**
- **Statistically confidential data**
Re-use is allowed under conditions — typically secure processing environments, anonymisation requirements, and (for sensitive categories) data-protected access. Member States cannot grant exclusive re-use rights to any single party.
This unlocks significant volumes of high-value data — health, mobility, environmental, research — for legitimate re-use by private sector and academia.
### 2. Data Intermediation Services
The DGA creates a *new regulated category* of business: **data intermediation service providers**. These are entities offering services that:
- Establish commercial relationships between data holders and data users
- Enable data exchange under technical and legal frameworks
- Operate as neutral intermediaries (not as parties acquiring data for themselves)
Data intermediation services must be **notified to a national competent authority**, must operate under specific neutrality requirements, must hold data only for the intermediation purpose, must not combine data with their own services, and must implement appropriate security measures.
This is the legal foundation for European [data spaces](/en/glossary/data-spaces/) and for the emerging market of "trusted data intermediaries."
### 3. Data Altruism
Organisations can register as **recognised data altruism organisations (RDAOs)** to facilitate voluntary data sharing for purposes of general interest:
- Scientific research
- Public health
- Environmental protection
- Improving public services
RDAOs operate under specific transparency, security, and consent requirements. They cannot reward data subjects in ways that incentivise behaviour, must publish annual transparency reports, and must use a common European data altruism consent form.
## The European Data Innovation Board
The DGA establishes the **European Data Innovation Board (EDIB)** — a formal expert group bringing together Member State competent authorities, the European Data Protection Supervisor, ENISA, the Commission, and stakeholder representatives. The EDIB advises on:
- Cross-border data intermediation
- Data altruism best practices
- Interoperability across sectoral data spaces
- Coordination with [GDPR](/en/glossary/gdpr/) implementation
## How the DGA relates to other EU data law
The DGA is the *framework* layer. The Data Act, sectoral data spaces (health, mobility, environment, etc.), and GDPR are the operational layers built on or alongside it.
| Regulation | Subject | Status |
|------------|---------|--------|
| **DGA** | Data sharing infrastructure (intermediation, altruism, public sector re-use) | In force 2023 |
| **GDPR** | Personal data protection | In force 2018 |
| **Data Act** | IoT/connected device data, contract fairness | In force 2024 |
| **Sectoral Data Spaces** | Specific sector data sharing rules | In development |
| **AI Act** | AI system rules including training-data provisions | In force 2024 |
The DGA does not override or replace GDPR. Personal data shared under DGA mechanisms remains subject to GDPR — the DGA adds *governance infrastructure* on top.
## What it means in practice
### For data intermediation businesses
If you operate or are launching a service that connects data holders with data users — whether for research, advertising, AI training, business analytics, or any other purpose — you may be regulated as a data intermediation service provider. The notification process to your national competent authority is mandatory before operating in the EU.
### For public-sector buyers and data holders
DGA-compliant infrastructure for secure re-use of public-sector data is being deployed across Member States. This represents significant procurement opportunity for European cloud providers and data-platform vendors.
### For data subjects and data altruism
If you want to contribute personal data for research or public-interest purposes, the DGA gives you a formal framework — including a standardised consent form — for doing so. Recognised data altruism organisations are listed in national registers.
### For US-headquartered data businesses
The DGA's neutrality requirements for data intermediation services are challenging for vendors that combine intermediation with their own platforms (advertising, analytics, AI training). US ad-tech and consumer-data businesses face structural fit issues with the DGA's neutrality requirement.
## Implementation status (2026)
- **23 of 27 Member States** have designated competent authorities for data intermediation
- **EDIB operating** since 2024, having published several opinions on cross-border intermediation
- **First data intermediation service providers notified** in 2024-2025; market maturity uneven
- **Multiple sectoral data spaces** in development (European Health Data Space, European Common Mobility Data Space, etc.)
- **Recognised data altruism organisations**: small number registered to date; uptake slower than initial expectations
## DGA vs Data Act vs sectoral data spaces
| Aspect | DGA | Data Act | Sectoral Data Spaces |
|--------|-----|----------|----------------------|
| Subject | Data sharing infrastructure | IoT data, contract terms | Specific sector rules |
| Scope | Horizontal | Horizontal | Vertical (per sector) |
| Personal data | Adds governance | Mostly non-personal | Both |
| New entities | Data intermediation providers, RDAOs | Smart contract definitions | Sector-specific operators |
| In force | 24 Sept 2023 | 12 Sept 2025 | Per sectoral regulation |
The three regulations together create the EU data-sharing architecture for the rest of the decade.
## Practical implications
- **For European businesses**: understand whether your services qualify as data intermediation, which requires regulatory notification
- **For EU public-sector buyers**: DGA-compliant data infrastructure is becoming a procurement category
- **For data-intensive industries** (healthcare, mobility, finance, retail): sectoral data spaces will increasingly shape what data is available and how it must be accessed
- **For US-headquartered data businesses**: DGA neutrality requirements create structural compliance challenges that may require EU-specific operating entities
- **For researchers and civil society**: data altruism provides a new legal framework for voluntary data contribution
The DGA, less famous than GDPR or the Data Act, is the foundational governance layer for the EU's data strategy. Expect its operational footprint to grow significantly as sectoral data spaces come online through 2026-2027.
Was this helpful?
Thanks for your feedback!