What the DGA Regulates
The Data Governance Act (Regulation EU 2022/868) establishes EU-wide rules for how data can be shared, reused, and intermediated. Unlike GDPR (which protects personal data from misuse), the DGA encourages data sharing — but under transparent, fair, and secure conditions.
| Aspect | Detail |
|---|---|
| Full name | Regulation (EU) 2022/868 — Data Governance Act |
| Adopted | June 23, 2022 |
| Fully applicable | September 24, 2023 |
| Enforced by | European Commission + National Data Governance Authorities per member state |
| Penalties | Up to €20M or 4% of global annual revenue (aligned with GDPR levels) |
Who Must Comply
The DGA applies to three categories of organizations:
1. Public sector bodies making protected data available for reuse (government agencies, statistical offices, research institutions holding non-personal datasets like geospatial data, environmental data, transport data, or economic statistics).
2. Data intermediaries — platforms that facilitate data sharing between businesses or between businesses and individuals. This includes data marketplaces, data exchanges, and personal data management services. If your platform connects data holders with data users without controlling the data itself, you're likely a data intermediary under the DGA.
3. Data altruism organizations — entities that collect and process data voluntarily donated by individuals or companies for purposes of general interest (scientific research, public health, combating climate change, improving public services).
Website Operator Relevance
Most website operators are not directly regulated by the DGA unless they:
- Operate a data marketplace or data exchange platform.
- Act as an intermediary matching data providers with data consumers.
- Collect voluntarily shared data for research or public interest purposes.
- Are a public sector body making datasets available for reuse.
However, the DGA indirectly affects website operators who use EU data-sharing services, integrate with data intermediary platforms, or build products that consume public sector open data. Understanding the DGA is important for:
- Analytics platforms that aggregate and resell user behavior data — this may constitute data intermediation.
- Ad tech companies that facilitate data exchange between publishers and advertisers.
- SaaS platforms that offer data export/sharing features between customers.
- Research platforms that collect user-contributed data for public interest analysis.
Key Requirements
Data Intermediary Registration
Organizations acting as data-sharing intermediaries must:
- Register with the national Data Governance Authority before providing services.
- Operate neutrally — intermediaries cannot use the shared data for their own purposes (no competing with their customers using their data).
- Maintain transparency — publish clear terms for data sharing, including pricing, access conditions, and security measures.
- Separate data services from other business activities — if a company provides data intermediation alongside other services, the intermediation must be structurally and legally separated.
Compliance timeline: Intermediaries that existed before September 24, 2023, had 18 months to register. New intermediaries must register before starting operations.
Public Sector Data Reuse
Public bodies that make protected data available for reuse must:
- Ensure data is accessed in a secure processing environment — not simply published as open data.
- Apply technical safeguards (anonymization, pseudonymization, access controls, differential privacy) before making data available.
- Treat all reuse requests non-discriminatorily — no preferential access for specific companies.
- Limit exclusive arrangements to a maximum of 12 months (with narrow exceptions for essential services).
- Prohibit cross-border data transfers outside the EU unless adequate protections are verified.
Data Altruism Framework
Organizations collecting voluntarily donated data for general interest must:
- Register as a Recognized Data Altruism Organization with their national authority.
- Maintain a data altruism rulebook specifying purposes, processing activities, and safeguards.
- Provide transparent reporting on how donated data was used.
- Ensure donors can withdraw consent and request deletion of their contributed data.
The European Commission published a European Data Altruism Consent Form — a standardized consent mechanism that organizations can use to collect data donations in a GDPR-compliant way.
Technical Implementation for Data Platforms
If your platform facilitates data sharing or operates as an intermediary, these are the technical requirements:
Access Controls and Audit Trails
Required capabilities:
├── User authentication for all data access requests
├── Role-based access control (data holder, data user, admin)
├── Complete audit trail of:
│ ├── Who accessed what data
│ ├── When access occurred
│ ├── What purpose was stated
│ └── Whether data was downloaded, viewed, or processed in-place
├── Automated data access expiration
└── Secure processing environment (if handling protected public data)
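The capabilities listed above, as an added Python example (not taken from the regulation or any particular platform): each request is checked against a grant's role, expiry and protection flag, and every decision, allowed or denied, is written to a hash-chained audit trail. The hash chain, the role-to-mode policy and all names (`Grant`, `AuditLog`, `request_access`) are assumptions of this example.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime

ALL_MODES = {"viewed", "downloaded", "processed_in_place"}
# Assumed policy: admins manage grants but never read the data itself.
ROLE_MODES = {"data_holder": ALL_MODES, "data_user": ALL_MODES, "admin": set()}

@dataclass
class Grant:
    role: str
    purpose: str              # purpose stated when access was granted
    expires_at: datetime      # enforced on every request (automated expiration)
    protected: bool = False   # protected public data: in-place processing only

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:  # append-only trail; each entry embeds the previous entry's hash
    def __init__(self):
        self.entries = []
    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(record, prev=prev)
        self.entries.append(dict(body, hash=_digest(body)))
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False  # entry edited, removed or reordered
            prev = e["hash"]
        return True

def request_access(log, grants, user, dataset, mode, now) -> bool:
    g = grants.get((user, dataset))  # grants: {(user, dataset): Grant}
    decision = "allow"
    if g is None:
        decision = "deny:no_grant"
    elif mode not in ROLE_MODES.get(g.role, set()):
        decision = "deny:role"
    elif now >= g.expires_at:
        decision = "deny:expired"
    elif g.protected and mode != "processed_in_place":
        decision = "deny:in_place_only"
    log.append({"who": user, "what": dataset, "when": now.isoformat(), "mode": mode,
                "purpose": g.purpose if g else None, "decision": decision})
    return decision == "allow"
```

Running `AuditLog.verify()` on a schedule and storing the latest entry hash outside the platform makes later edits to the trail detectable.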
Data Protection Measures
For any personal data involved in sharing arrangements:
- GDPR alignment is mandatory — the DGA does not replace or weaken GDPR. All personal data processing must have a valid GDPR legal basis.
- Anonymization or pseudonymization must be applied before sharing personal data through intermediary platforms.
- Consent management — if data is shared based on consent, the intermediary must verify that valid consent was obtained by the data holder.
- Data minimization — only share the minimum data necessary for the stated purpose.
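One way to apply the pseudonymization and data minimization points above before records leave the data holder, shown as an added Python example (not from the regulation or any specific platform). The per-purpose field allow-list, the identifier set and the function names are assumptions of this example.

```python
import hashlib
import hmac

# Assumption: the data holder maintains one field allow-list per stated purpose.
PURPOSE_FIELDS = {
    "traffic research": {"user_id", "region", "trip_km"},
}
# Assumption: fields treated as direct identifiers in this sample schema.
DIRECT_IDENTIFIERS = {"user_id", "email"}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable across records, not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def prepare_for_sharing(records, purpose, key):
    """Drop fields the purpose does not need, then pseudonymize identifiers."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        # Fail closed: an unknown purpose shares nothing.
        raise ValueError(f"no field allow-list for purpose {purpose!r}")
    shared_records = []
    for rec in records:
        shared = {}
        for field in sorted(allowed & rec.keys()):
            value = rec[field]
            if field in DIRECT_IDENTIFIERS:
                value = pseudonymize(str(value), key)
            shared[field] = value
        shared_records.append(shared)
    return shared_records
```

The key stays with the data holder and is never handed to the data user. Pseudonymized output is still personal data under GDPR, so the legal-basis and transfer requirements continue to apply to it.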
Cross-Border Transfer Controls
Data shared through DGA-regulated services must not be transferred outside the EU/EEA unless:
- The recipient country has an EU adequacy decision.
- Standard Contractual Clauses or Binding Corporate Rules are in place.
- The data has been fully anonymized (no longer personal data).
This affects analytics platforms that process EU data in non-EU infrastructure — ensure your data processing stays within EU boundaries or has proper transfer mechanisms.
Interaction with Other EU Regulations
| Regulation | Relationship with DGA |
|---|---|
| GDPR | DGA builds on GDPR — personal data sharing requires GDPR-compliant basis |
| EU Data Act (2024) | Extends data access rights beyond what DGA covers (IoT data, B2B data sharing) |
| Digital Services Act | DSA governs content moderation; DGA governs data sharing — complementary |
| Digital Markets Act | DMA targets gatekeeper platforms; DGA enables data portability between platforms |
| AI Act | AI training data shared under DGA must comply with AI Act transparency requirements |
Enforcement and Penalties
National enforcement: Each EU member state designates a national Data Governance Authority responsible for registering intermediaries, monitoring compliance, and handling complaints.
Penalties for non-compliance:
- Fines up to €20 million or 4% of global annual revenue (whichever is higher).
- Suspension or revocation of data intermediary registration.
- Prohibition from operating data-sharing services in the EU.
Current enforcement status (as of early 2025): The DGA is still in early enforcement stages. No major fines have been issued, but the European Commission is actively monitoring compliance, particularly among large data intermediary platforms. First significant enforcement actions are expected in 2025–2026 as national authorities build capacity.
Compliance Checklist for Data Platforms
- Determine if your platform constitutes a data intermediary under Article 10 (facilitating data sharing between parties).
- If yes, register with your national Data Governance Authority before providing services.
- Ensure structural separation between intermediation services and other business activities.
- Implement audit trails for all data access and sharing activities.
- Verify that all personal data sharing has a valid GDPR legal basis.
- Apply anonymization or pseudonymization before making data available for reuse.
- Implement cross-border transfer controls to prevent unauthorized data exports outside the EU.
- Publish transparent terms of service covering pricing, access conditions, and security measures.
- Designate a contact point for the national Data Governance Authority.
Next Steps
- GDPR Compliance — the personal data protection framework that DGA builds upon
- ePrivacy Directive — EU electronic communications privacy rules
- Digital Services Act — EU platform content moderation requirements
- EU Data Governance Act Full Text — official regulation
- European Commission DGA Overview — summary and implementation guidance