Skip to content

AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Conformi/Knowledge Base/32022R0868

Data Governance Act (DGA) — Regulation (EU) 2022/868

Analysis from 18 April 20262 sourcesOriginal version (OJ L 152, 3.6.2022, p. 1)EUR-Lex Original

Do we need to register as a data intermediary or data altruism organisation before we can legally broker data in the EU?

Any entity providing data intermediation services in the EU must notify the competent authority under the Data Governance Act, applicable since 24 September 2023 — non-compliance exposes providers to Member-State penalties and potential service prohibition [Art. 11, Art. 14].

Short Answer

The Data Governance Act creates three compliance pillars: conditions for re-using protected public-sector data [Art. 5], a mandatory notification regime for data intermediation services providers [Art. 11], and a voluntary registration framework for data altruism organisations [Art. 18]. Data intermediaries must operate through a structurally separate legal entity and are prohibited from using brokered data for their own purposes [Art. 12(a)]. Competent authorities can order cessation of non-compliant intermediation services within 30 days [Art. 14(4)].

Who is affected

Data intermediation services providers brokering data between holders and users or between data subjects and users [Art. 10]; public-sector bodies making protected data available for re-use [Art. 3]; not-for-profit entities collecting data for altruistic purposes [Art. 18]; and any re-user of protected public-sector data including commercially confidential, statistically confidential, or IP-protected data [Art. 3(1)].

Deadline

Fully applicable since 24 September 2023. Entities already providing data intermediation services on 23 June 2022 had a transitional deadline of 24 September 2025 to comply with Chapter III [Art. 37]. Commission evaluation due by 24 September 2025 [Art. 35].

Risk

Penalties are determined at Member-State level — the Regulation requires them to be effective, proportionate and dissuasive [Art. 34(1)]. Competent authorities can order cessation of data intermediation services within 30 days for non-compliance [Art. 14(4)]. No harmonised EU-wide fine ceiling is set; actual sanctions depend on national transposition.

Proof

Legal status

  • In force
  • as of 2026-04-18
  • Original version (OJ L 152, 3.6.2022, p. 1)

Primary sources

What to do now

Legal / DPO

  • Determine whether your data-sharing activities fall within the scope of 'data intermediation services' under [Art. 10] — the definition covers bilateral/multilateral data exchanges and platforms connecting data holders with data users.
  • Verify that your data intermediation entity is structured as a separate legal person from any entity using the brokered data, as required by [Art. 12(a)] — shared corporate structures must be reviewed for structural separation.
  • Review international data transfer arrangements to ensure contractual safeguards prevent governmental access creating conflicts with EU or Member-State law [Art. 31(1)].

Compliance

  • File the notification with the competent authority for data intermediation services in your Member State of main establishment, providing all information required under [Art. 11(6)] including a description of the service, estimated start date, and Member States of operation.
  • Establish and document procedures to prevent fraudulent or abusive practices by parties accessing data through your intermediation services [Art. 12(g)].
  • Implement a logging regime maintaining records of data intermediation activities for the duration of the business relationship plus a reasonable retention period to support competent authority audits [Art. 12(o)].

IT / Security

  • Deploy adequate technical measures for the storage, processing and transmission of non-personal data, ensuring the highest level of security specifically for competitively sensitive information [Art. 12(l)].
  • Set up incident detection and notification processes to inform data holders without delay of any unauthorised transfer, access or use of non-personal data [Art. 12(k)].
  • Implement interoperability measures with other data intermediation services using commonly used open standards in your sector [Art. 12(i)].

Product / Engineering

  • Build consent management tooling that allows data subjects to give and withdraw consent and data holders to give and withdraw permissions, specifying the third-country jurisdiction of intended data use where relevant [Art. 12(n)].
  • Ensure data format handling preserves the original format received from data holders or subjects, converting only for interoperability or upon explicit request, and offer an opt-out for conversions [Art. 12(d)].
  • Design continuity and data portability mechanisms so that in the event of insolvency, data holders and users can retrieve their data and data subjects can exercise their rights [Art. 12(h)].

Key Terms

Data intermediation service
A service that facilitates data sharing between data holders and data users or between data subjects and data users, subject to notification and structural separation requirements under the DGA [Art. 2(11)].
Data altruism
The voluntary making available of data by data subjects or data holders without seeking or receiving a reward, for objectives of general interest such as scientific research, public health or combating climate change [Art. 2(16)].
Data holder
A legal person or data subject who has the right to grant access to or share certain data under their control, including through a contractual or legal relationship [Art. 2(8)].
Secure processing environment
A physical or virtual environment controlled by the public-sector body in which protected data can be re-used under strict access controls, ensuring the protected nature of the data is preserved [Art. 5(3)(b)].
European Data Innovation Board
An expert group established by the Commission to advise on data governance best practices, common European data spaces, interoperability standards and cross-sectoral data sharing priorities [Art. 29, Art. 30].
Single information point
A national portal designated by each Member State to provide information on conditions and procedures for re-using protected public-sector data, including available data sets and applicable fees [Art. 8].
Competent authority for data intermediation services
A national authority designated by each Member State to receive notifications from data intermediation services providers and to monitor compliance with Chapter III of the DGA [Art. 13].
?

Frequently Asked Questions

What services qualify as 'data intermediation services' under the DGA?
The DGA covers three categories: intermediation between data holders and potential data users, intermediation between data subjects seeking to share personal data and potential data users, and data cooperatives. The key criterion is brokering data access — not merely providing cloud storage, analytics, or data enrichment [Art. 10].
Is the notification for data intermediaries an authorisation or a simple registration?
It is a notification procedure, not an authorisation. The provider may start offering services once the notification is complete; however, competent authorities can subsequently audit compliance and order cessation within 30 days if requirements are not met [Art. 11(1), Art. 14(4)].
Can a data intermediary also use the data it brokers for its own analytics or AI training?
No. The DGA strictly prohibits data intermediation services providers from using the brokered data for purposes other than placing it at the disposal of data users. Services must be provided through a structurally separate legal person [Art. 12(a)].
What is a 'recognised data altruism organisation' and how does registration work?
A recognised data altruism organisation is a not-for-profit entity that collects and processes data made available voluntarily for objectives of general interest such as scientific research or public health. Registration is voluntary and follows an application to the competent authority, which must decide within 12 weeks [Art. 18, Art. 19(5)].
How does the DGA interact with the GDPR?
The DGA explicitly does not create new legal bases for processing personal data and is without prejudice to the GDPR. Where personal and non-personal data are inextricably linked, data protection law prevails in case of conflict [Recital 4, Art. 1(3)].
Are there specific penalties set by the DGA for non-compliance?
The DGA does not set harmonised EU-wide fine amounts. Instead, Member States must lay down their own penalty rules, which must be effective, proportionate and dissuasive. Competent authorities can order cessation of non-compliant services within 30 days [Art. 34(1), Art. 14(4)].
What conditions apply to re-using protected public-sector data?
Public-sector bodies must ensure conditions are non-discriminatory, transparent and proportionate. They may require anonymisation of personal data, use of secure processing environments, or physical-premises access for sensitive data. Exclusive re-use arrangements are generally prohibited [Art. 4, Art. 5(2)-(3)].
3

Assessment Factors & Checklist

Premium
Start 7-day free trial
4

Questions for Your Lawyer

Premium
Start 7-day free trial
5

Conclusion & Summary

Premium
Start 7-day free trial

Detailed analysis with source links.

Schalten Sie die KI-Analyse frei — mit markierten Fundstellen und direkten Links zu EUR-Lex. 7 Tage kostenlos testen.

Start 7-day free trial

Keine Kreditkarte heute. Kündigung jederzeit.