When did the EU Data Governance Act start applying to businesses?

The DGA entered into force on 23 June 2022 but has applied to businesses since 24 September 2023. Any data intermediary services or public sector re-use arrangements that were already operational by that date needed to be in compliance from that point forward.

Does a B2B data marketplace based outside the EU need to register under the DGA?

If the marketplace facilitates data sharing between parties in the EU, it is likely subject to DGA notification requirements regardless of where it is established. The regulation applies based on where the data intermediary service is offered, not where the provider is incorporated.

What is the difference between the EU Data Governance Act and the EU Data Act?

The DGA governs the institutional infrastructure for voluntary data sharing, including data intermediaries and altruism organisations. The EU Data Act focuses on access rights to data generated by connected products and related services. The two regulations are complementary but address distinct data-sharing scenarios.

What conditions must a data intermediary meet to legally operate under the DGA?

A data intermediary must notify the relevant national competent authority before commencing operations, maintain neutrality by not acquiring commercial rights over shared data, refrain from using data to develop competing products, and maintain technical separation from its other services.

What are the requirements for an organisation to obtain the EU Data Altruism Organisation label?

The organisation must be non-profit, register with a national competent authority, maintain a public register of data-sharing activities, appoint a data governance officer, and use the Commission-approved EU data altruism consent form. The label is voluntary but triggers ongoing governance obligations.

What safeguards apply when a DGA-regulated data intermediary transfers non-personal data to a third country?

Transfers of non-personal data to third countries by data intermediaries must be subject to adequacy-equivalent safeguards. This prevents regulatory circumvention and mirrors the logic of GDPR transfer restrictions, ensuring data shared through EU infrastructure is not re-routed to jurisdictions with weaker protections.

← Directory Compare with another →

Must ComplyRegulation EU

EU Data Governance Act

Issued by

European Parliament and Council of the European Union

liveEffective 2023-09-24DGAVerified April 2026

Official document →

The EU Data Governance Act establishes a regulatory framework for data intermediaries, data altruism organisations, and the re-use of public sector data protected by third-party rights. It creates new governance structures to facilitate trusted data sharing across sectors and member states, supporting the broader European Data Strategy.

Applies To

Providers of data intermediary services, including B2B data marketplaces, data brokers, and sector-specific data-sharing platformsPublic sector bodies in EU member states holding data subject to third-party rights such as GDPR, IP, or trade secrecy obligationsNon-profit organisations and research institutions seeking the EU Data Altruism Organisation designationEnterprises that source data from public sector re-use programmes or registered data intermediaries for AI training and analyticsCloud and data infrastructure providers that host intermediary servicesHealthcare, mobility, energy, agriculture, and financial sector enterprises operating sector data spaces under the European Data Spaces initiativeAI developers and product teams relying on altruism or intermediary datasets for model trainingLegal and compliance teams responsible for data procurement, data licensing, and third-party data vendor management

Overview

Regulation (EU) 2022/868, the Data Governance Act (DGA), entered into force on 23 June 2022 and has applied since 24 September 2023. It is one of the foundational instruments of the European Data Strategy, designed to increase trust in data sharing and to lower the transaction costs of making data available for secondary use. Unlike the EU Data Act, which governs access to data generated by connected products, the DGA focuses on the institutional and organisational infrastructure that enables voluntary data sharing. It creates a mandatory notification and registration regime for providers of data intermediary services-neutral platforms that facilitate B2B and B2C data exchange without themselves acquiring commercial rights over the data. It establishes conditions under which public sector bodies may permit re-use of data subject to existing legal protections, including personal data protected by GDPR, trade secrets, and intellectual-property-protected data. The DGA introduces the concept of 'data altruism'-voluntary data sharing by individuals and companies for purposes of general interest-and creates a voluntary EU Data Altruism Organisation label with associated governance requirements. A European Data Innovation Board (EDIB) has been established to advise the Commission on data-sharing practices and standards. For AI compliance teams, the DGA is directly relevant because it governs the data intermediaries and data pools that may be used to source training datasets, and creates a reusable-data infrastructure on which AI systems across healthcare, mobility, energy, and agriculture depend.

Key Requirements

•Providers of data intermediary services must notify the competent national authority before commencing operations and must meet conditions of neutrality, non-commercial data use, and technical separation from other services.
•Data intermediaries must not use data shared through their platforms for any purpose other than making it available to data users, and must not sell the data or use it to develop competing products.
•Public sector bodies wishing to allow re-use of protected data must establish transparent procedures, technical environments for secure processing, and charge fees that are cost-based and non-discriminatory.
•Data altruism organisations seeking the voluntary EU label must register with a competent national authority, maintain a public register, appoint a data governance officer, and comply with a European data altruism consent form to be established by the Commission.
•Data intermediaries and altruism organisations must maintain records of data-sharing activities sufficient to demonstrate compliance.
•The European Data Innovation Board provides guidance on cross-sector and cross-border data-sharing standards; member states must cooperate with the EDIB.
•Competent national authorities must be designated in each member state; they must have investigative powers, the ability to impose administrative measures, and coordinate with data protection authorities.
•Non-personal data held by public sector bodies must be made re-usable in a manner that does not restrict competition or create exclusive arrangements, subject to limited exceptions.
•Transfers of non-personal data to third countries by data intermediaries are subject to adequacy-equivalent safeguards to prevent regulatory circumvention.

What Your Organization Must Do

→Audit all data sourcing arrangements by 24 September 2023 (already effective) to identify any third-party data vendors, marketplaces, or brokers operating as data intermediaries under the DGA, and confirm each has submitted the required notification to its competent national authority before your organisation continues or renews contracts with them.
→Assign the Chief Compliance Officer or Data Protection Officer to review every active public sector data re-use agreement, verifying that the supplying public body has published transparent procedures, applies cost-based non-discriminatory fees, and provides a secure processing environment where required under Articles 5 and 6.
→Where your organisation sources training datasets from EU data intermediaries, obtain written contractual confirmation that the intermediary does not acquire commercial rights over shared data and does not use it to develop competing products, and include these restrictions as standard clauses in all future data procurement contracts.
→If your organisation operates or plans to operate a data-sharing platform that facilitates B2B or B2C data exchange, engage legal counsel to determine whether notification to the relevant national competent authority is required and file that notification before the service commences or continues operations.
→For AI teams relying on data altruism datasets, verify that any organisation supplying such data holds a valid EU Data Altruism Organisation registration, has appointed a data governance officer, and uses the Commission-approved consent form, retaining copies of these verification steps in your vendor due diligence records.
→Establish a documented compliance monitoring process, with quarterly reviews led by the Data Protection Officer, covering records of all data-sharing activities involving DGA-regulated intermediaries or altruism organisations, and confirm that any transfer of non-personal data to third countries by your intermediary partners is subject to adequacy-equivalent safeguards before the data is used in model training or analytics pipelines.

Playbook Guidance

Step-by-step implementation guidance for compliance teams.

09How do we maintain data privacy compliance when using AI?12Is our training data compliant with global privacy laws?03How do we ensure third-party AI vendors meet our standards?24What does audit-ready AI documentation look like in practice?19How do we handle intellectual property and copyright in AI?

Frequently Asked Questions

When did the EU Data Governance Act start applying to businesses?: The DGA entered into force on 23 June 2022 but has applied to businesses since 24 September 2023. Any data intermediary services or public sector re-use arrangements that were already operational by that date needed to be in compliance from that point forward.
Does a B2B data marketplace based outside the EU need to register under the DGA?: If the marketplace facilitates data sharing between parties in the EU, it is likely subject to DGA notification requirements regardless of where it is established. The regulation applies based on where the data intermediary service is offered, not where the provider is incorporated.
What is the difference between the EU Data Governance Act and the EU Data Act?: The DGA governs the institutional infrastructure for voluntary data sharing, including data intermediaries and altruism organisations. The EU Data Act focuses on access rights to data generated by connected products and related services. The two regulations are complementary but address distinct data-sharing scenarios.
What conditions must a data intermediary meet to legally operate under the DGA?: A data intermediary must notify the relevant national competent authority before commencing operations, maintain neutrality by not acquiring commercial rights over shared data, refrain from using data to develop competing products, and maintain technical separation from its other services.
What are the requirements for an organisation to obtain the EU Data Altruism Organisation label?: The organisation must be non-profit, register with a national competent authority, maintain a public register of data-sharing activities, appoint a data governance officer, and use the Commission-approved EU data altruism consent form. The label is voluntary but triggers ongoing governance obligations.
What safeguards apply when a DGA-regulated data intermediary transfers non-personal data to a third country?: Transfers of non-personal data to third countries by data intermediaries must be subject to adequacy-equivalent safeguards. This prevents regulatory circumvention and mirrors the logic of GDPR transfer restrictions, ensuring data shared through EU infrastructure is not re-routed to jurisdictions with weaker protections.