The Data Governance Act: A Plain-English Guide
The DGA's framework for data intermediaries, data altruism organisations, and public sector data reuse — and what it means for your business.
What is the Data Governance Act?
The Data Governance Act (Regulation (EU) 2022/868) is an EU regulation that creates governance structures and trust frameworks to facilitate voluntary data sharing across sectors and borders. It applies since September 24, 2023.
The DGA is not primarily about compliance obligations for most businesses — it is an enabling regulation that creates new categories of trusted data-sharing actors and establishes rules for public sector data reuse. However, companies that act as data intermediaries or data altruism organisations face direct compliance requirements.
The DGA complements GDPR (it does not replace it) and sits alongside the EU Data Act in the EU's broader data governance ecosystem. Companies sharing data commercially must understand where DGA obligations intersect with their activities.
Who does the DGA directly apply to?
- Data intermediary services: Any company providing a marketplace, exchange, or platform where data holders (individuals, companies, or public bodies) can share data with data users — for commercial or non-commercial purposes. This includes B2B data platforms, personal data spaces, and IoT data marketplaces. These must register with national competent authorities.
- Data altruism organisations: Non-profit entities that collect and make available data donated by individuals or companies for general interest purposes (public health research, climate science, smart city planning). These must register on a national or EU-wide register and follow strict governance rules.
- Public sector bodies: Government agencies and public institutions that hold data (health records, geographic data, environmental data) and wish to make it available for reuse beyond existing open data frameworks.
- Re-users of protected public sector data: Any company or researcher seeking access to sensitive public sector data (personal data, trade secrets, statistical data) for secondary use must comply with the DGA's reuse conditions.
Key requirements for data intermediary providers
If your business provides data intermediary services (and is not a pure data broker selling data itself), you must:
- Notify the national competent authority of your intention to provide intermediary services
- Maintain structural separation between data intermediary services and other commercial data processing activities
- Not use data shared through the platform for your own purposes (including training AI models)
- Ensure EU data residency for data processing and storage where required
- Provide transparent, non-discriminatory, and fair access conditions to both data holders and data users
- Maintain adequate technical and organisational security measures
- Publish annual activity reports
How Kortave automates DGA compliance
For businesses operating or planning to operate as data intermediaries, Kortave provides:
- Scope assessment — determining if your business model falls under DGA intermediary definitions
- National authority notification filing checklist and documentation templates
- Structural separation assessment — reviewing your data flows for compliance with the non-use requirement
- Annual activity report template and data tracking
- Interoperability standard monitoring — tracking ENISA and Commission guidance on DGA technical standards
- Cross-framework compliance: ensuring DGA practices align with GDPR obligations where personal data is involved
DGA · Live Since September 2023
Operating a data platform in the EU?
The DGA notification and documentation requirements are already in effect. Kortave maps your obligations and keeps your governance documentation current.
See our plans →