Data Governance Act
DGA
The EU's trust framework for voluntary data sharing across the single market. Applicable since 24 September 2023, the DGA establishes rules for data intermediation services, data altruism organisations, and the re-use of protected public sector data -- laying the institutional groundwork for common European data spaces.
The Data Governance Act is an EU regulation that creates the institutional plumbing for data sharing across Europe. It does not force anyone to share data. Instead, it sets up the trusted middlemen, registration schemes, and ground rules that make voluntary data sharing possible at scale -- between businesses, between citizens and researchers, and between governments and the private sector.
Three things are new. First, if you run a platform whose main purpose is connecting data holders with data users -- a data marketplace, a personal data management service, a data cooperative -- you must notify a national authority and operate as a neutral party. You cannot exploit the data that flows through your platform for your own commercial benefit. Second, organisations that collect data donated by individuals for the public good (think medical research or climate science) can register for an EU-recognised label, provided they operate on a not-for-profit basis and follow strict transparency rules. Third, public bodies that hold protected data -- trade secrets, personal data, statistical records -- now have harmonised conditions under which they can allow that data to be re-used, with safeguards and fee limits.
The DGA has been fully applicable since 24 September 2023. Existing data intermediaries were required to notify their competent authorities by that date. Uptake has been slower than the Commission hoped -- as of early 2026, only around 45 intermediaries have notified EU-wide and 12 data altruism organisations have registered -- but the framework is live and enforcement infrastructure is in place in most Member States.
For most businesses, the DGA matters not because of direct obligations but because it shapes the infrastructure through which EU data spaces will operate. If your company produces, consumes, or brokers data in sectors like health, mobility, agriculture, or finance, the intermediation and altruism frameworks created by the DGA will increasingly define how that data moves.
The DGA is organised around four regulatory pillars, each addressing a distinct aspect of the EU's data sharing ecosystem.
The DGA defines four categories of data intermediation service. Each must notify the competent authority and comply with neutrality requirements -- but the notification process is administrative, not a licensing regime.
The DGA establishes a six-step trust framework for re-using protected data held by public bodies. This covers data that cannot be released as open data due to legal protections.
Commercially confidential data, statistically confidential data, data protected by IP rights, and personal data that cannot be anonymised. Open data is excluded (covered by the Open Data Directive).
Public bodies cannot grant exclusive re-use rights. Any existing exclusive arrangements must be reviewed and terminated if they do not meet strict conditions. Time-limited exceptions are permitted only where necessary for a service of general interest.
Public bodies may impose conditions: anonymisation or pseudonymisation of personal data, use of secure processing environments, contractual confidentiality obligations, and restrictions on re-identification.
Fees may not exceed the cost of processing the re-use request plus a reasonable return on investment for data collection. Public bodies must publish fee structures transparently. SMEs and researchers may receive reduced fees.
Each Member State must establish a single information point to assist data re-users. These points provide information on available data, re-use conditions, applicable fees, and the application process.
Public bodies may provide re-use in a secure processing environment controlled by the public sector. This is particularly relevant for personal data or trade secrets that cannot leave the public body's infrastructure.
Data altruism allows individuals and companies to make their data available voluntarily for the common good. The DGA creates a standardised registration and recognition framework.
The organisation must pursue objectives of general interest on a not-for-profit basis, be legally independent from profit-making entities, and carry out data altruism activities through a legally separate structure.
Submit a registration application to the competent authority in the Member State of establishment. The application must include evidence of general interest purpose, governance structure, and intended data processing activities.
Comply with the European data altruism rulebook (Commission Delegated Regulation 2023/1622), which specifies purpose limitation, transparency, data security, and individual rights requirements.
Use the European data altruism consent form (Commission Implementing Regulation 2024/1927) for collecting permissions from data subjects and data holders. The form ensures informed, granular consent.
Publish annual transparency reports, maintain a complete record of data processing activities, inform data subjects of any data use, and allow withdrawal of consent at any time.
Upon registration, the organisation receives the "Data Altruism Organisation recognised in the EU" label and is listed in the public register maintained by the European Commission.
The DGA provides the institutional foundation for common European data spaces -- sectoral ecosystems for trustworthy data sharing. The DGA's intermediation and altruism frameworks are the connective tissue.
Two and a half years after application, DGA implementation across Member States shows uneven progress. The infrastructure for data intermediation and altruism is building, but gaps remain.