DGA — Regulation (EU) 2022/868
Regulation on European data governance (Data Governance Act, DGA). It establishes a horizontal framework for (a) re-use within the Union of certain categories of protected data held by public sector bodies (commercial confidentiality, statistics, intellectual property, personal data); (b) a notification and supervisory regime for providers of data intermediation services; (c) a framework for the voluntary registration of organisations which collect and process data for altruistic purposes (data altruism); (d) the establishment of the European Data Innovation Board (EDIB). It is the first pillar of the European Commission's European data strategy, complemented by the subsequent Data Act. It applies alongside the GDPR (for personal data), the AI Act (for uses in AI systems) and the PLD (for liability profiles connected to defective data and datasets).
Identifiers
| Field | Value |
|---|---|
| Official title | Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) |
| CELEX | 32022R0868 |
| ELI | http://data.europa.eu/eli/reg/2022/868/oj |
| Publication | OJ L 152, 3.6.2022, p. 1 |
| Adoption | 30 May 2022 |
| Entry into force | 23 June 2022 |
| Application | 24 September 2023 |
| Amended act | Regulation (EU) 2018/1724 (Single Digital Gateway) |
| Legal basis | Article 114 TFEU |
| Type of act | Regulation — directly applicable in all Member States |
Structure
9 chapters · 38 articles · 63 recitals · no annex.
| Chapter | Subject | Articles |
|---|---|---|
| I | General provisions | 1 – 2 |
| II | Re-use of certain categories of protected data held by public sector bodies | 3 – 9 |
| III | Requirements applicable to data intermediation services | 10 – 15 |
| IV | Data altruism | 16 – 25 |
| V | Competent authorities and procedural provisions | 26 – 28 |
| VI | European Data Innovation Board | 29 – 30 |
| VII | International access and transfer | 31 |
| VIII | Delegation and committee procedure | 32 – 33 |
| IX | Final and transitional provisions | 34 – 38 |
Scope of application
Material (Article 1(1)): the Regulation lays down rules on (a) re-use within the Union of certain categories of protected data held by public sector bodies; (b) a notification and supervisory framework for the provision of data intermediation services; (c) a framework for the voluntary registration of entities which collect and process data made available for altruistic purposes; (d) the establishment of the European Data Innovation Board (EDIB).
Personal (Article 1(1); Chapters II-IV): the Regulation applies to public sector bodies of the Union holding protected data, to providers of data intermediation services operating in the Union (irrespective of place of establishment, Article 11), and to recognised data altruism organisations. The Regulation does not create an obligation for public sector bodies to allow re-use of data, nor does it exempt them from their confidentiality obligations (Article 1(2)): it is a horizontal framework of conditions that apply if and when re-use is provided for under Union or national law.
Safeguards and coordination (Article 1(3)-(5)): the DGA is expressly without prejudice to Union and national law on the protection of personal data (in particular the GDPR, Regulation (EU) 2018/1725 and Directives 2002/58/EC and (EU) 2016/680); in the event of conflict, the relevant personal data protection law prevails. The DGA does not create a legal basis for the processing of personal data and does not affect the rights and obligations under the GDPR. It is without prejudice to the application of competition law and to the competences of Member States as regards public security, defence and national security.
Quintuple cross-references with the AI Act, GDPR, Data Act and PLD
The DGA interacts simultaneously with four other EU acts that are the subject of dedicated pages in this section: the AI Act (for data governance of AI systems), the GDPR (for the personal data dimension and definitional cross-references), the Data Act (sister act of the EU data package) and the PLD (for the qualification of "data" and for liability concerning systems trained on shared datasets).
DGA ↔ AI Act axis (data governance for AI systems)
| DGA | AI Act | Nature of the intersection |
|---|---|---|
| Recitals 2, 3, 5 | Whole AI Act, in particular Article 10 | The DGA is a horizontal infrastructure for data governance; data re-used under the DGA can constitute a legitimate source for the data governance of high-risk AI systems (quality, representativeness, bias monitoring) |
| Chapter II — Articles 3-9 | AI Act, Article 10 (data and data governance); Article 59 (regulatory sandboxes) | Re-use of protected public sector data for research purposes, including AI model training: DGA conditions (anonymisation, pseudonymisation, synthetic data, secure processing environment — Article 5) and AI Act conditions for high-risk systems are cumulative |
| Article 2(20) ("secure processing environment"); Article 5(6) | AI Act, Article 57 (sandboxes); Article 59 (processing of personal data in sandboxes) | The DGA's "secure processing environment" requirements operationally feed into the technical criteria for AI regulatory sandboxes, where protected public data may be processed to test high-risk AI systems |
| Chapter IV — Articles 16-25 (data altruism); Article 25 (European data altruism consent form) | AI Act, Article 10(5); Article 27 (FRIA) | Data obtained through altruistic consent can be a source for bias monitoring and for the fundamental rights impact assessment (FRIA), within the limits of GDPR consent and of the European form (Commission implementing act) |
| Chapter VI — Articles 29-30 (EDIB) | AI Act, Article 65 (European Artificial Intelligence Board); Article 66 | The EDIB and the European Artificial Intelligence Board are distinct bodies but operate in coordination on cross-sector dossiers; the EDIB has competence over technical contributions to the data governance feeding the AI ecosystem (interoperability, data spaces, standards) |
DGA ↔ GDPR axis (carve-out, definitions, data sharing)
| DGA | GDPR | Nature of the intersection |
|---|---|---|
| Article 1(3); Recital 4 | Whole GDPR | Safeguard clause: the DGA is without prejudice to the GDPR; in the event of conflict, the GDPR prevails; the DGA does not create a legal basis for the processing of personal data |
| Article 2(3) ("personal data") | GDPR, Article 4(1) | Definition: direct definitional cross-reference |
| Article 2(5) ("consent") | GDPR, Article 4(11); Article 7 | Definition: direct definitional cross-reference to GDPR consent |
| Article 2(7) ("data subject") | GDPR, Article 4(1) | Definition: direct definitional cross-reference |
| Article 2(12) ("processing") | GDPR, Article 4(2) | Definition: direct definitional cross-reference |
| Chapter II — Articles 3-9, in particular Article 5(3)-(13) | GDPR, Articles 5, 6, 9; Article 25 (privacy by design) | Re-use of protected public data including personal data: the public sector body must ensure anonymisation, pseudonymisation, confidentiality, secure environment, confidentiality agreements and prohibition of re-identification; DGA conditions accumulate with the GDPR legal basis and principles |
| Chapter III — Articles 10-15 (data intermediation services); Article 12 (conditions of provision) | GDPR, Articles 7, 12-22 | Intermediation services involving personal data must operate in the interest of the data subject, with structural separation of activities from the data user, neutrality with regard to the data intermediated and a prohibition on monetising personal data |
| Chapter IV — Articles 16-25 (data altruism); Article 25 (European data altruism consent form) | GDPR, Articles 6, 7, 9; Article 13; Article 14 | Altruistic consent is collected through the European data altruism consent form (Commission implementing act) and is subject to all GDPR conditions for valid consent (freely given, specific, informed, withdrawable) |
DGA ↔ Data Act axis (sister acts of the EU data package)
The DGA (2022) and the Data Act (2023) are the two sister acts of the European data strategy: the DGA introduces a horizontal framework for governance of re-use, intermediation and altruism; the Data Act extends the scope to data from connected products (IoT) and regulates B2C, B2B, B2G data sharing and cloud switching. The two regulations operate cumulatively and are designed to be coherent.
| DGA | Data Act | Nature of the intersection |
|---|---|---|
| Whole DGA | Recitals 1, 32, 90; whole framework | The Data Act expressly states that it complements and does not replace the DGA: together they form the EU framework on data governance and access |
| Chapter III — Articles 10-15 (intermediation) | Chapter II — Articles 3-7 (B2C/B2B); Chapter VI — Articles 23-31 (cloud switching) | DGA intermediation services operate in coordination with B2C/B2B data sharing and cloud switching under the Data Act: requirements of interoperability, provider neutrality and portability apply consistently |
| Chapter IV — Articles 16-25 (altruism) | Chapter II; Chapter V — Articles 14-22 (B2G in exceptional need) | Data altruism organisations can collect and make available data falling within Data Act mechanisms (e.g. data from connected products provided by the user with consent) |
| Chapter VI — Articles 29-30 (EDIB) | Chapter VIII — Articles 33-36 (interoperability); Chapter IX (implementation and enforcement) | The EDIB advises the Commission on interoperability standards for common European data spaces, which the Data Act operationalises through common standards, open interoperability specifications and codes of conduct |
| Article 2(1), (6) ("data", "permission") | Article 2(1), (16) ("data", "metadata") | The base definitions are aligned; the Data Act extends the vocabulary with operational concepts (connected product, related service, metadata) which presuppose the DGA framework |
DGA ↔ PLD axis (data quality and product liability)
The DGA ↔ PLD intersection is less frequent in literal terms but significant for AI systems trained on data shared under the DGA: defects in the dataset may propagate into the system's behaviour and therefore into the assessment of defectiveness for PLD purposes.
| DGA | PLD | Nature of the intersection |
|---|---|---|
| Chapter II — Articles 3-9 (re-use of protected public data); Article 5(1)-(2) (re-use conditions) | PLD, Recital 13; Article 7(2) (presumption of defectiveness) | Public data re-used for AI system training: compliance with DGA conditions (quality, completeness, non-discrimination) contributes to determining the non-defectiveness of the resulting product; conversely, incomplete or biased datasets may amount to defectiveness of the resulting AI system |
| Chapter IV — Articles 16-25 (data altruism) | PLD, Article 4(6) ("data" definition — refers to Reg. (EU) 2022/868) | The PLD expressly cross-refers to the DGA definition of "data": data collected through altruism enter the PLD scope if they become a component of a defective digital product or AI system |
| Article 5(9)-(13); Chapter VII — Article 31 (international transfer of non-personal data) | PLD, Recitals 18, 50; Article 11 (defence that the defectiveness arose after the product was marketed) | Extra-EU transfer of non-personal data (DGA Chapter VII) interferes with the manufacturer's continuing control over the product: PLD liability is not extinguished if datasets or models are relocated outside the manufacturer's effective control perimeter |
| Article 11 (notification and requirements for data intermediation providers) | PLD, Article 8 (liable operators) | Data intermediation service providers are not as such "manufacturers" under the PLD; they may however fall within the PLD scope if they integrate related services or software components into a defective product |
Definitional quintuplet
Five key notions span all five acts simultaneously, with the GDPR as primary source for personal data and the DGA as autonomous source for the definitions of intermediation and data altruism:
| Concept | DGA | AI Act | GDPR (source) | Data Act | PLD |
|---|---|---|---|---|---|
| Personal data | art. 2(3) | art. 3(50) | art. 4(1) | art. 2(3) | art. 4(6) (cross-refers to DGA) |
| Data subject | art. 2(7) | (implicit cross-reference to GDPR) | art. 4(1) | art. 2(11) | n/a |
| Processing | art. 2(12) (refers to GDPR and Reg. (EU) 2018/1807) | (referenced across multiple chapters) | art. 4(2) | n/a | n/a |
| Consent | art. 2(5) (refers to GDPR) | (operational cross-reference to GDPR for personal data) | art. 4(11); art. 7 | n/a | n/a |
| Intermediation service / provider | art. 2(11) | art. 3(3), (4) (provider, deployer) | art. 4(8) (processor) | art. 2(13), (14) (data holder/recipient) | art. 4(10) (manufacturer) |
The table covers direct cross-references. Broader operational cross-references (relations with the DSA, Cyber Resilience Act, NIS2 and the Single Digital Gateway — the act amended by the DGA) will be the subject of dedicated analyses in the Soft law and Resources sections as the corresponding pages are published.
Amendments and corrigenda
The original text of 30 May 2022 has been in force since 23 June 2022 and has applied since 24 September 2023. As of the publication date of this fact sheet, no corrigenda have been published in the Official Journal of the EU. Any corrigenda or implementing/delegated acts adopted by the Commission (in particular the European data altruism consent form pursuant to Article 25 and the common interoperability standards pursuant to Article 30) will be incorporated in subsequent revisions of this page.
Status of applicability
The DGA entered into force on 23 June 2022 and applies in full from 24 September 2023 (Article 38). For data intermediation service providers already operating on the date of entry into force, a transitional regime applies until 24 September 2025 (Article 11(1)). The Regulation is directly applicable in all Member States without the need for transposition; Member States designate the competent authorities for data intermediation services (Article 13) and for data altruism organisations (Article 23). The DGA also amends Regulation (EU) 2018/1724 on the Single Digital Gateway, supplementing its annex of online services (Article 35).
Official sources
- EUR-Lex — Italian version (CELEX 32022R0868)
- EUR-Lex — English version (CELEX 32022R0868)
- EUR-Lex — European Legislation Identifier (ELI)
- European Commission — European data strategy
- European Commission — Data Governance Act page
- European Data Innovation Board (EDIB)
- EDPB and EDPS — Joint Opinion 03/2021 of 10 March 2021 on the DGA proposal
Section index
- Recitals — full bilingual text of the 63 recitals
- Text of the regulation — all articles organised by chapter:
    - Chapter I — General provisions (Articles 1-2)
    - Chapter II — Re-use of certain categories of protected data held by public sector bodies (Articles 3-9)
    - Chapter III — Requirements applicable to data intermediation services (Articles 10-15)
    - Chapter IV — Data altruism (Articles 16-25)
    - Chapter V — Competent authorities and procedural provisions (Articles 26-28)
    - Chapter VI — European Data Innovation Board (Articles 29-30)
    - Chapter VII — International access and transfer (Article 31)
    - Chapter VIII — Delegation and committee procedure (Articles 32-33)
    - Chapter IX — Final and transitional provisions (Articles 34-38)