The EU Data Governance Act: Data Intermediation Services

Data Leaders members can download our full 25-page report and connect with peers via the Data Leaders Hub.

A pivotal aspect addressed by the new EU Data Governance Act (DGA) is the provision of data intermediation services as a mechanism to bolster data sharing.

Data sharing is still a controversial topic. Many organisations remain reluctant to share their data, driven by concerns of losing their competitive advantage and amplifying the risks of data misuse. Meanwhile, Big Tech platforms wield significant market power in their data-handling practices owing to their extensive control over vast volumes of data.

The DGA framework establishes a set of rules to govern data intermediation services to ensure data intermediaries (such as data marketplaces) operate as trustworthy organisers of data sharing or pooling within the common European data spaces.

According to the EU Commission, the framework offers an alternative model to the data-handling practices of major tech platforms. It seeks to increase trust in data sharing based on the neutrality and transparency of data intermediaries whilst empowering individuals and companies to retain control over their data.

It is, therefore, essential for data leaders, despite their industry, who are already engaged in or considering data exchange through intermediation services within the EU, to comprehend the nuances of this new regulation. This understanding is crucial for CDAOs to navigate their responsibilities and rights effectively and to fully capitalise on the opportunities it presents.

In the following set of infographics, we lay out the key elements of the framework.

Categories of services considered data intermediation services under the Data Governance Act

The Data Governance Act lays out three categories of data intermediation services covered by its legislation:

  1. Services connecting data subjects (identified and identifiable persons) and data users (a person who can legally access and use data for commercial and non-commercial purposes). These services relate particularly to the use of personal data.
  2. Services connecting data holders (a person authorised, but not the data user, to share or provide access to data), and data users . A common use case is the sharing of industrial data.
  3. Service of data cooperatives (organisational structures who help their members in exercising their rights over data).
Types of Data Intermediation Services

Procedure for data intermediation service providers intending to operate within the EU.

Among others, the DGA outlines a clear procedure for data intermediation service providers intending to operate within the EU. This includes obtaining and using the common logo designed by the EU to identify authorised providers; the process differs for EU-based and non-EU based services who will require legal representatives within the member country.

In the next two infographics, we outline the steps to identifying and engaging with these authorities.

General procedure for provision of data intermediation services in the EU: 1 Identify the right competent authority to submit notifications 2. Notify competent authority 3. Begin providing data intermediation services 4. Get confirmation and recognition from the competent authority 5. Start using label and common logo for providers recognised in the EU 6. Competent authority notifies EU Commission to update the public register 7. Notify competent authority of any changes or end of services
Flow chart If EU Intermediary then go to competent authority of the member state where the provider’s main establishment (i.e.hq) is located. If no, is the legal representative based in the EU If yes, competent authority of the member state where the legal representative is based If no, action is prohibited.

Conditions for provision of data intermediation services

The DGA also establishes conditions for the provision of data intermediation services to ensure fairness, neutrality, transparency, and compliance. To help understand these, we have divided the conditions into three categories: commercial, data handling and management, and data privacy, security and protection. Organisations intending to provide data intermediation services in the EU must comply with the following conditions:

Infographic showing conditions for providing data intermediation services

Monitoring of intermediation services

The competent authorities appointed by the member states will be responsible for monitoring and supervising compliance, collaborating across the Union to ensure adherence to the DGA. Providers who are found to be non-compliant with one or more of the conditions listed in the DGA will be notified and given 30 days to respond.

Infographic: Monitoring the process of competent authorities on data intermediation services: - Information request - Notification of non-compliance - Cooperation among authorities - Enforcement measures

Enforcement measures

Competent authorities have the power to require the end of any infringements to the conditions above listed and to take appropriate and proportionate measures to ensure compliance, namely via financial penalties, legal proceedings, suspension and cessation of services.

Enforcement measures for non-compliance with the DGA framework on data intermediation services: Financial Penalties Legal Proceedings the postponement or suspension of services the cessation of services provision

Next in our Data Law series, we’ll be looking at Reuse of Data Held by the Public Sector under the EU Data Governance act.

Ensure you get stories like this and many more interesting insights from data and analytics leaders like you by signing up to our newsletter. Would like to become a member? Get in touch!


Make better informed decisions by assessing your data and analytics capability and use community intelligence to close the gap between strategy and execution.


Essential Data monthly newsletter is where you can discover limited availability articles, guides and frameworks otherwise only accessible to our members.