
EU Data Governance Act

The EU Data Governance Act (DGA) establishes a unified framework for data sharing, reuse, and stewardship across the European Union. Enforced since September 2023, it is a cornerstone of the EU’s European Data Strategy, designed to foster a trusted data economy while maintaining strict control over privacy, security, and ethical use.

This regulation complements existing laws like the GDPR, Digital Services Act, and AI Act, providing mechanisms for data reuse between sectors and member states. By promoting trustworthy intermediaries and ensuring fair data access conditions, the DGA seeks to unlock the economic and social value of both public and private data.

You can read the full text of the regulation on the Official EU Law Portal.

Purpose of the EU Data Governance Act

The DGA aims to address a longstanding challenge in the digital economy: enabling the safe exchange and reuse of data without compromising privacy or intellectual property rights.

Its main objectives include enhancing data availability for innovation, research, and public good; creating trust in data sharing frameworks by regulating intermediaries; encouraging data altruism for societal benefits; protecting sensitive, confidential, or personal data during reuse; and establishing EU-wide governance structures for harmonization across sectors.

By balancing innovation with protection, the DGA introduces a “trust-first” approach that strengthens confidence in how data circulates in the European market.

Scope and Application

The DGA applies to both public and private entities operating in the EU that engage in data sharing, reuse, or intermediation. It also extends to international companies offering services to EU citizens or handling data originating from the EU.

Key areas covered include the reuse of public sector data subject to confidentiality, intellectual property, or trade secrets; data intermediation services that connect data holders with data users under regulated conditions; data altruism organizations that collect and manage data voluntarily shared for research or community purposes; and cross-border data transfers and safeguards for international access.

By setting consistent standards, the Act ensures that European businesses and citizens benefit from secure and transparent data ecosystems.

Core Principles of the DGA

The regulation establishes several guiding principles that ensure ethical and secure data governance: transparency and accountability, non-discrimination, security and confidentiality, voluntary participation, and the prioritization of public interest and altruism.

These principles collectively guarantee that data reuse respects the rights of individuals and organizations while enabling innovation and research across Europe.

Institutional Mechanisms

To coordinate implementation across the EU, the DGA creates several governance bodies and procedures designed to ensure transparency, consistency, and cooperation between national authorities and the European Commission. These institutions form the backbone of the data governance framework, making certain that standards are applied uniformly and that organizations have clear guidance when engaging in data sharing or reuse.

European Data Innovation Board (EDIB)

The EDIB facilitates consistent practices across member states. It advises the European Commission on interoperability standards, certification criteria for intermediaries, and common frameworks for sector-specific data spaces. The board also promotes collaboration between public institutions, private enterprises, and research organizations to strengthen trust and transparency in cross-border data flows. By developing shared technical and ethical guidelines, the EDIB helps maintain a unified and competitive European data market where innovation can flourish within a clear regulatory structure.

National Competent Authorities

Each member state designates a competent authority responsible for registering and monitoring data intermediation services and altruism organizations. These authorities ensure compliance, handle complaints, and impose penalties for violations. They also act as the primary contact point for both local and international stakeholders, providing clarification on DGA requirements and assisting with certification processes. By coordinating with other national regulators and the EDIB, these authorities ensure a coherent approach to enforcement and protect the integrity of the data-sharing ecosystem within their jurisdictions.

Data Intermediation Service Providers (DISPs)

DISPs act as neutral facilitators connecting data providers and users. They cannot profit from the data itself but may charge for the service of facilitating data sharing. Their neutrality is key to ensuring trust in the ecosystem. To maintain that trust, they must operate with full transparency regarding data handling practices, access conditions, and security measures. DISPs also play a growing role in enabling cross-sector cooperation, helping organizations unlock the value of data for innovation while preserving confidentiality and compliance with EU standards.

Data Categories and Reuse Conditions

Under the DGA, public sector data protected by commercial confidentiality, personal privacy, or IP rights may be reused under strict conditions. Data must be anonymized or pseudonymized before reuse. Reusers must agree to binding terms preventing re-identification or misuse. Data transfers to non-EU countries require equivalent protection levels, and metadata and access logs must be maintained for traceability.

These measures promote responsible innovation while preventing misuse or breaches of sensitive information.

For more details on compliance-ready logging and tracking, see Audit Trails and Audit Logs.

Relationship with GDPR and Other EU Regulations

While both the GDPR and DGA deal with data governance, they serve distinct but complementary purposes:

| Regulation | Focus | Main Goal |
|---|---|---|
| GDPR | Personal Data Protection | Ensures individual privacy and data rights |
| DGA | Data Sharing and Reuse | Enables safe data exchange between entities |
| AI Act | AI System Regulation | Governs trustworthy and human-centric AI |
| Data Act (2024) | Data Fairness | Defines obligations for data access and interoperability |

The DGA does not override the GDPR but builds upon it—adding mechanisms for lawful data sharing when appropriate safeguards are in place. Together, they form the foundation of Europe’s data economy.

Data Altruism Explained

One of the most innovative aspects of the DGA is its introduction of data altruism—the voluntary sharing of data for purposes of public benefit. Under this concept, individuals and organizations can consent to the use of their data for research, healthcare, or societal improvement without any expectation of personal gain. Examples include medical data donated for rare disease studies, environmental data shared to enhance sustainability research, and mobility data used to improve urban infrastructure planning.

Organizations that engage in data altruism must be officially registered and recognized by national authorities. They must ensure clear consent mechanisms, transparent data handling processes, and strict oversight of how shared data is used. This system builds public confidence by guaranteeing that altruistically contributed data serves collective goals while preserving privacy and security.

Ultimately, data altruism transforms voluntary contributions into a structured and ethically managed process that supports scientific discovery, policy development, and innovation across Europe.

Data Intermediation Services in Practice

The DGA introduces a new category of entities known as data intermediation service providers, or DISPs. These organizations act as neutral brokers connecting data holders with potential users while ensuring that the exchange remains fair, secure, and compliant. Unlike data aggregators or resellers, DISPs are prohibited from monetizing the data itself. Their role is to provide a trustworthy environment where data can circulate safely between parties.

They are responsible for ensuring confidentiality throughout the transaction, maintaining detailed audit trails of all operations, and allowing data subjects or organizations to withdraw consent at any time. These intermediaries operate under strict neutrality and transparency requirements, building the foundation of Europe’s trusted data-sharing infrastructure.

Such service providers are becoming critical in highly regulated sectors like healthcare, finance, manufacturing, and public administration, where sensitive information must be handled with precision, fairness, and compliance.

Technical and Organizational Safeguards

The DGA sets demanding standards for data protection and operational resilience. Organizations processing or sharing data under this regulation must adopt robust technical and procedural controls. Encryption and access control mechanisms must safeguard stored and transmitted data. Every access or modification must be logged in detailed audit trails to track who interacted with the data, when, and for what purpose.

Sensitive information must be protected through data masking or anonymization techniques, while role-based access control ensures that only authorized users can access specific information. Entities must also implement notification processes for data breaches and security incidents in alignment with GDPR and NIS2 directives.

These requirements guarantee that shared data remains secure across its entire lifecycle—from collection and processing to storage and reuse. Compliance relies on transparency, traceability, and continuous monitoring of security posture.

For organizations implementing these measures, platforms like DataSunrise can support DGA compliance through centralized database activity monitoring, dynamic data masking, and data discovery functions that align technical enforcement with regulatory obligations.

How DataSunrise Supports DGA Compliance

Automated Sensitive Data Discovery

DataSunrise automatically identifies and classifies sensitive data across databases, data lakes, and file storage systems. Its Compliance Autopilot continuously scans for personal, confidential, or restricted data, ensuring transparency and readiness for audits.

  • Supports structured, semi-structured, and unstructured data including JSON, XML, and text files.
  • Detects sensitive data types such as PII, PHI, and financial identifiers across multiple platforms.
  • Applies machine learning models to detect patterns and classify new or previously unknown sensitive fields.
  • Integrates seamlessly with data catalogs and governance tools to maintain synchronized metadata.
  • Generates detailed discovery reports that map sensitive fields to corresponding regulatory categories (GDPR, HIPAA, SOX).

Secure Data Sharing and Reuse

Through its proxy and sniffer modes, DataSunrise provides non-intrusive protection while enabling secure data sharing between entities. Sensitive fields are dynamically masked during queries, ensuring that reusers only access permitted information.

  • Operates transparently between clients and databases without application modification.
  • Applies real-time dynamic masking rules based on user roles, query context, and sensitivity level.
  • Ensures that shared datasets remain compliant when exported or reused across departments or partners.
  • Logs every data-sharing transaction for full traceability and accountability.
  • Prevents data leakage by blocking unauthorized queries or export attempts.

Comprehensive Audit and Reporting

DataSunrise creates immutable audit trails that record every data interaction. Reports are automatically mapped to regulatory frameworks such as GDPR, HIPAA, SOX, and now DGA, providing clear compliance evidence during inspections. Learn more about automated compliance reporting.

  • Consolidates audit logs from multiple databases into a centralized reporting hub.
  • Correlates audit data with user behavior analytics to highlight anomalies and risks.
  • Allows real-time filtering by user, IP, query type, or operation category for forensic analysis.
  • Generates pre-built compliance reports aligned with major frameworks and customizable per policy.
  • Exports audit data to SIEM platforms such as Splunk, QRadar, or Azure Sentinel for extended analysis.

Compliance Automation

With no-code policy automation, DataSunrise accelerates time-to-compliance and minimizes human error. Its unified dashboard allows organizations to manage data access, consent, and compliance from a single interface.

  • Automatically applies compliance policies based on detected data categories and sensitivity levels.
  • Continuously calibrates rules as new datasets or users are introduced.
  • Enables scheduling of regular compliance scans and remediation actions.
  • Integrates with identity and access management (IAM) systems for synchronized policy enforcement.
  • Provides visual compliance maps that show data flow, access frequency, and regulatory coverage.

Cloud and Hybrid Integration

DataSunrise operates seamlessly across on-premise, hybrid, and multi-cloud environments, supporting databases such as PostgreSQL, MySQL, Oracle, and Snowflake. This makes it ideal for organizations working across different data ecosystems regulated by the DGA.

  • Supports over 40 data platforms including AWS RDS, Azure SQL, Google Cloud SQL, and on-prem systems.
  • Deploys in proxy, sniffer, or agent modes to fit various network topologies.
  • Scales horizontally in clustered environments for high-performance auditing.
  • Maintains consistent masking and audit policies across cloud and local storage.
  • Offers API integration for DevOps pipelines and automated deployment via Helm or Terraform.

Business Impact

The DGA’s introduction reshapes how businesses handle data collaboration and governance. Its impact can be summarized as follows:

| Impact Area | Description |
|---|---|
| Operational Efficiency | Centralized frameworks reduce duplication and simplify cross-border data sharing. |
| Innovation Acceleration | Easier access to trustworthy data fosters AI development and research. |
| Regulatory Trust | Transparent governance enhances credibility with regulators and partners. |
| Data Monetization | Creates new business models through lawful data intermediation. |
| Risk Reduction | Enforced security and auditability mitigate legal and reputational risks. |

Companies adopting advanced governance and compliance tools early will benefit from improved efficiency, stronger partnerships, and a competitive edge in the emerging data economy.

For more on aligning with European data regulations, visit Data Compliance Regulations.

Challenges and Considerations

While the DGA opens new opportunities, compliance requires addressing several challenges such as technical complexity, cross-border consistency, cultural change from data ownership to stewardship, and sufficient resource allocation for implementation and training.

To overcome these challenges, organizations should adopt platforms offering centralized compliance orchestration, such as DataSunrise, which provides unified monitoring, data protection, and automated policy calibration across environments. Explore more about data security and compliance automation.

The DGA in the Broader EU Data Strategy

The Data Governance Act is one of three pillars of the EU’s data legislative framework, together with the Data Act (2024) regulating fair access and use of industrial data, the Digital Markets Act (DMA) ensuring fair competition in digital services, and the AI Act (2025) establishing standards for trustworthy artificial intelligence.

Together, these frameworks create a coherent ecosystem that encourages responsible innovation, strengthens digital sovereignty, and empowers citizens with greater control over their data.

Future Outlook

The DGA will play a vital role in shaping European data spaces for healthcare, energy, finance, and public administration. As interoperability frameworks mature, organizations will be able to collaborate on shared datasets without compromising confidentiality or compliance.

The Act’s long-term success depends on the adoption of secure-by-design platforms, investment in digital infrastructure, and continuous adaptation to evolving privacy and cybersecurity standards. In this context, integrating automated compliance solutions like DataSunrise ensures that organizations remain agile, accountable, and aligned with both the spirit and the letter of EU data regulations.

Conclusion

The EU Data Governance Act represents a turning point in Europe’s approach to data regulation. It bridges the gap between protection and innovation—creating a trustworthy environment where data can circulate safely for research, business, and public good.

For enterprises, compliance with the DGA is not merely a legal obligation but a strategic opportunity. By embedding transparent governance, auditable processes, and secure data sharing mechanisms, businesses can strengthen their credibility and gain a competitive advantage in the EU’s digital single market.

With intelligent platforms such as DataSunrise, organizations can automate DGA compliance, protect sensitive data, and accelerate participation in the European data economy—transforming regulatory alignment into a source of trust and growth.
