Unlocking the Power of Data: Europe’s Framework Explained

European Data Governance: Open up €120B in Healthcare Savings Now

European data governance is the EU’s framework for making health, mobility, and industrial data shareable, secure, and useful—without compromising privacy or control. It’s built on the Data Governance Act (DGA), which entered into force in June 2022 and became enforceable in September 2023.

Key facts about European data governance:

• Primary goal: Create trustworthy data-sharing systems across sectors and borders to fuel innovation while protecting rights
• Four core measures: Reuse of protected public data, neutral data intermediaries, voluntary data altruism, and cross-border data flows
• Real impact: Expected to save €120 billion annually in EU healthcare, 27 million hours in mobility, and cut market barriers for SMEs
• Legal relationship: Works alongside GDPR—does not replace it or create new legal bases for personal data processing
• Enforcement: Fully applicable since September 2023; 10 member states received compliance warnings by December 2024

The DGA complements existing regulations like GDPR by focusing on how data moves between organizations, not just how it’s protected. It introduces trusted data intermediaries, secure processing environments, and altruistic data sharing for public good—all while keeping data under EU sovereignty.

This matters because Europe generates massive amounts of health, research, and industrial data that sits siloed in disconnected systems. Without standardized, compliant ways to share it, pharma companies can’t run real-world evidence studies fast enough, regulators can’t monitor drug safety in real time, and researchers can’t access the datasets they need for breakthroughs.

I’m Maria Chatzou Dunford, CEO and Co-founder of Lifebit, where we’ve built federated platforms that power compliant European data governance across 275 million patient records. My background spans computational biology, AI, and health-tech entrepreneurship, and I’ve spent over 15 years working on the infrastructure that makes secure, privacy-preserving data analysis possible at scale.

European data governance vocabulary:

• AI healthcare UK
• AI powered diagnostics
• 10 Unique Biotech Companies in London Specializing in Federated Data Analytics

What is the EU Data Governance Act? Ending Data Silos

Stop Data Silos. Start Innovation: The Primary Objective of the DGA

The primary objective of the Official version of the Data Governance Act is to foster a trustworthy environment for data sharing across the European Union. Think of it as the “plumbing” for the European data economy. While the GDPR tells us what we cannot do with personal data, the DGA provides the framework for what we can do—safely and legally.

We often see brilliant research stalled because the data needed is “protected”—perhaps it contains trade secrets, intellectual property, or sensitive personal health information. The DGA aims to open up this value by creating a single market for data. It ensures that industrial data, personal data, and sensitive public sector information can flow securely between countries and sectors. This is achieved by establishing a harmonized framework for the reuse of certain categories of protected public sector data, increasing trust in data intermediation services, and promoting data altruism across the Union.

By establishing high standards for European data governance, the EU is asserting its data sovereignty. This means ensuring that European data is handled according to European values and laws, even when it’s being used to train the next generation of AI models or find cures for rare diseases. The act specifically addresses the concerns of data holders who fear that sharing their data might lead to a loss of control or a breach of confidentiality, providing them with legal certainty and technical safeguards.

The Core Pillars of European Data Governance

To build this “single market for data,” the EU has implemented four broad sets of measures that work in tandem to create a robust ecosystem:

1. Reuse of Public Sector Data: This pillar creates mechanisms to allow the reuse of data held by public sector bodies that are subject to the rights of others. This includes data protected by commercial confidentiality, intellectual property, or personal data protection. Crucially, it mandates that public bodies must be technically equipped to ensure privacy is fully respected, often through secure processing environments or anonymization techniques.
2. Data Intermediation Services: A regulatory framework for neutral third parties that facilitate data sharing between holders and users. These intermediaries cannot use the data for their own purposes; they must remain strictly neutral. This prevents the emergence of data monopolies and ensures that the value of data is shared fairly among all participants in the economy.
3. Data Altruism: This measure encourages citizens and companies to make their data available for the common good, such as scientific research, healthcare improvements, or climate action. The DGA establishes a voluntary registration system for “Recognised Data Altruism Organisations,” which must meet strict transparency and requirement standards to earn a common EU logo.
4. European Data Innovation Board (EDIB): A new formal expert group to coordinate these efforts. The EDIB is tasked with advising the Commission on prioritizing interoperability standards and ensuring that the DGA is applied consistently across all 27 Member States. It also plays a key role in cross-sector data sharing and the development of the Common European Data Spaces.

The Single Information Point (SIP)

To make the reuse of public sector data a reality, each Member State must establish a Single Information Point (SIP). This acts as a one-stop-shop for researchers and businesses. Instead of navigating dozens of different government departments, a startup can go to the SIP to find out what data is available, what the conditions for reuse are, and how to apply for access. This drastically reduces the administrative burden and speeds up the innovation cycle.

Timeline: When Did European Data Governance Become Law?

The road to a unified data space wasn’t built in a day. The DGA entered into force on 23 June 2022. However, the EU gave organizations a 15-month grace period to get their houses in order, recognizing the technical and legal complexity of the new requirements.

The regulation became fully applicable on 24 September 2023. Since that date, any organization operating as a data intermediary or a data altruism organization in the EU must comply with these strict transparency and neutrality rules. For those of us in the health and tech sectors, this was the “go-live” moment for a more integrated European research ecosystem, marking the end of the era where data silos were the default state of affairs.

Beyond GDPR: How the DGA Builds Trust in Data Sharing

Why “Safe” Data Sharing is the Only Way Forward

Trust is the currency of the digital age. If a patient doesn’t trust that their health records are secure, they won’t consent to research. If a company fears losing its trade secrets, it won’t share industrial performance data. The DGA addresses this head-on by moving beyond the binary choice of “open data” or “no data.”

Feature	Open Data Directive	Data Governance Act (DGA)
Data Type	Non-sensitive public data	Sensitive/Protected public data
Access	Free for anyone	Restricted, conditional access
Security	Minimal	High (Encryption, TREs, Audits)
Primary Goal	Transparency	Innovation & Research
Intermediaries	Not regulated	Strictly regulated for neutrality

To increase trust, the DGA mandates strict neutrality for data intermediaries. These entities cannot use the data they handle for their own profit (like selling it to advertisers or developing their own competing products). They must act as fiduciary agents, purely facilitating the exchange. This structural separation is a cornerstone of the EU’s strategy to prevent the “gatekeeper” effect seen in the platform economy.

At Lifebit, we’ve always believed that you shouldn’t have to move data to analyze it. The DGA supports this philosophy by promoting secure processing environments (often called Trusted Research Environments or TREs). By using encryption, role-based access controls, and regular audits, these environments ensure that sensitive PII (Personally Identifiable Information) and PHI (Protected Health Information) never leave their secure home. The researcher brings their code to the data, rather than taking the data to their code.

The Role of Data Intermediaries and Altruism

How Data Altruism Can Save Lives Without Sacrificing Privacy

Data intermediaries are the “honest brokers” of the new data economy. Under European data governance rules, these providers must register with national authorities and comply with strict requirements. They are prohibited from using the data for any purpose other than sharing it. This structural separation prevents the kind of data monopolies we’ve seen in the past and ensures that SMEs have the same access to data as large corporations.

Then there is Data Altruism. This is a powerful concept: individuals or companies voluntarily sharing their data for “objectives of general interest.” Think of a patient sharing their genomic data to help find a cure for Alzheimer’s, or a logistics company sharing its fuel consumption data to help city planners reduce CO2 emissions. The DGA provides a legal framework for this, including a standardized European data altruism consent form to ensure that users know exactly what they are signing up for.

The DGA regulates these organizations to ensure they are not-for-profit and transparent. Recognized organizations can use a common EU logo, which acts as a “seal of trust” for citizens. This is vital for scaling up data-driven research, as it provides a clear signal that the organization is operating under the highest ethical and legal standards.

The 10 Common European Data Spaces

The DGA is the horizontal framework that supports the creation of Common European Data Spaces. These are sector-specific ecosystems where data can be shared securely. The European Commission has identified 10 initial areas:

1. Health: The European Health Data Space (EHDS) for primary and secondary use of health data.
2. Industrial (Manufacturing): To support the competitiveness of the EU industry through data-driven optimization.
3. Agriculture: Enhancing the sustainability and performance of the agricultural sector through data sharing.
4. Finance: Promoting innovation in financial services while ensuring consumer protection.
5. Mobility: Creating a more efficient and sustainable transport system.
6. Green Deal: Supporting the EU’s climate goals through environmental and climate data.
7. Energy: Improving the efficiency of the energy market and the integration of renewables.
8. Public Administration: Improving the efficiency and transparency of public services.
9. Skills: Matching the supply and demand of skills in the labor market.
10. Media: Strengthening the European media sector through data-driven insights.

Key Concepts in European Data Governance and EHDS

The EHDS is the first sector-specific application of these rules. It introduces two critical paths:

• Primary Use: Allowing you to access your medical records anywhere in the EU (e.g., if you get sick while on vacation in Spain). This ensures continuity of care and patient safety across borders.
• Secondary Use: Allowing researchers to use anonymized health data for breakthroughs. This is where the technical heavy lifting happens. We use anonymization and pseudonymization to protect identities. We also rely on interoperability standards like FHIR (Fast Healthcare Interoperability Resources) and OMOP (Observational Medical Outcomes Partnership) to make sure a data file from a hospital in Berlin can be understood by a researcher in London. This is exactly what our R.E.A.L. (Real-time Evidence & Analytics Layer) does—harmonizing messy data so it’s actually useful for large-scale analysis.

DGA vs. GDPR: Which Regulation Takes Precedence?

The Truth About DGA and GDPR: Who Actually Wins?

A common question we hear is: “Does the DGA replace the GDPR?” The answer is a resounding no. In fact, the White Paper on the Data Governance Act and the regulation itself make it clear that GDPR rules always prevail. The DGA is designed to be “without prejudice” to the GDPR. This means that if a data sharing activity involves personal data, the GDPR’s requirements for a legal basis, data minimization, and purpose limitation must still be met.

The DGA does not create a new legal basis for processing personal data. If you are handling personal data, you still need a valid reason under the GDPR (like consent, contract, or public interest). What the DGA does is provide the infrastructure to exercise those GDPR rights more effectively. For example, a data intermediary could help a citizen manage their consents across dozens of different research projects from a single dashboard, effectively operationalizing the right to data portability.

The Relationship with the Data Act

It is also important to distinguish the DGA from the Data Act (Regulation (EU) 2023/2854). While the DGA focuses on the governance and intermediaries for data sharing, the Data Act focuses on who can access data and under what conditions, particularly for data generated by IoT (Internet of Things) devices. Together, they form the twin pillars of the European Strategy for Data. The Data Act gives users the right to access the data they generate through smart devices and share it with third parties, while the DGA provides the secure channels (the intermediaries) to make that sharing possible.

Organizations must still appoint a Data Protection Officer (DPO) and conduct Data Protection Impact Assessments (DPIAs). The DGA simply adds a layer of “governance” to ensure that when data is shared, it happens in a way that respects the data subject’s rights and the data holder’s commercial interests. It introduces the concept of “data sovereignty” at the organizational level, allowing entities to share data without losing the ability to control how it is used downstream.

€120B Savings: The Real-World Impact of Data Governance

How European Data Governance Cuts Healthcare Costs by €120B Yearly

The potential of European data governance isn’t just theoretical; it’s measured in billions of euros and millions of lives. By breaking down the silos that currently trap data, the EU is unlocking a massive economic and social dividend.

1. Healthcare: By making health data more available for research, the EU expects to save €120 billion a year. This comes from better-personalized treatments, faster responses to health crises like COVID-19, and breakthroughs in rare diseases that currently lack funding or data. Furthermore, the EHDS is expected to provide an additional €11 billion in savings over ten years through better access for patients to their health data and more efficient use of health services.
2. Mobility: Real-time navigation and optimized public transport could save 27 million hours for commuters and up to €20 billion in labor costs for drivers. By sharing data across the mobility ecosystem, cities can reduce congestion, lower emissions, and improve the safety of autonomous driving systems.
3. The Green Deal: Data sharing is essential for the transition to a circular economy. By tracking the lifecycle of products through “Digital Product Passports,” companies can optimize resource use and reduce waste. The Green Deal Data Space will allow for better monitoring of biodiversity, air quality, and carbon emissions, providing the evidence base needed for effective climate policy.
4. Industrial & Manufacturing: The “Industrial Data Space” aims to increase the efficiency of European factories. By sharing data across supply chains, manufacturers can implement predictive maintenance, reduce downtime, and optimize energy consumption. This is estimated to add 1.5% to 2% to the EU’s GDP by 2030 through increased productivity.
5. SMEs and Startups: Small businesses often struggle with the high cost of acquiring data. The DGA lowers these barriers, allowing a small AI startup in Dublin to compete with global giants by accessing high-quality, protected public sector data at a fair price. This levels the playing field and ensures that innovation isn’t just the province of those with the deepest pockets.

For a farmer in rural Europe, European data governance means precision farming—using satellite and soil data to reduce pesticide use, increasing yields while protecting the environment. This is the “Data for Good” promise in action, where data becomes a tool for sustainability rather than just a commodity for extraction.

Compliance Risks: Why the Old Way of Data Sharing is Dead

Why the “Old Way” of Data Sharing is Dead — And What’s Replacing It

Transitioning to this new framework isn’t without its headaches. For many organizations, the “old way” of data sharing involved ad-hoc agreements, manual data transfers, and a “hope for the best” approach to security. That era is over. The DGA and the broader EU data strategy introduce a level of rigor that requires a fundamental shift in how organizations think about their data assets.

For SMEs, the compliance costs can be daunting. Investing in advanced security, such as end-to-end encryption and Trusted Research Environments (TREs), requires both capital and expertise. There is also the challenge of semantic interoperability—ensuring that data from different sources can actually be combined and analyzed. This requires the adoption of common metadata standards and ontologies, which can be a significant technical hurdle for legacy systems.

Geopolitical Ripples and Data Sovereignty

There are also geopolitical ripples. The DGA’s emphasis on data sovereignty and localization has created some friction with international partners, particularly the US. The EU’s insistence that sensitive data be processed within secure environments that are not subject to foreign laws (like the US CLOUD Act) is seen by some as a form of digital protectionism. We’ve seen concerns raised about how these rules affect transatlantic data flows and the ability of global companies to centralize their data operations.

The US often views these regulations as a threat to their business models, which are often built on the free flow and monetization of data. In contrast, the EU views them as a necessary protection of fundamental rights and a way to ensure that European citizens and businesses retain control over their digital lives. This tension is likely to continue as more countries look to the EU’s “third way” of data governance as a model for their own regulations.

Implementation Challenges and Fragmentation

Furthermore, the implementation hasn’t been uniform. As of late 2024, the European Commission had to issue reasoned opinions to 10 member states (including Germany and Austria) for failing to fully implement the DGA. This fragmentation makes it harder for companies to operate across the entire “Single Market” they were promised. Without a consistent application of the rules, the risk of “forum shopping”—where companies seek out the most lenient jurisdictions—remains high. For the DGA to succeed, the European Data Innovation Board must work tirelessly to harmonize national practices and ensure that the “Single Market for Data” is more than just a slogan.

FAQ: Everything You Need to Know About European Data Governance

Does the DGA replace the GDPR?

No. The GDPR remains the gold standard for personal data protection in Europe. The DGA is a complementary framework that focuses on the mechanics of data sharing and the regulation of intermediaries. If there is a conflict, the GDPR always takes precedence.

What are the penalties for non-compliance?

Penalties are set by individual Member States but must be “effective, proportionate, and dissuasive.” Beyond fines, the European Commission can launch infringement procedures against countries that fail to designate competent authorities, which we are already seeing happen.

Can non-EU companies act as data intermediaries?

Yes, but with caveats. A non-EU company must appoint a legal representative within the EU and comply with all the neutrality and structural separation requirements. They cannot use the data for their own commercial gain, which challenges the business models of many traditional “data brokers.”

The Federated Future: Secure Your Data Ecosystem with Lifebit

The European data governance framework is a bold bet on a future where data is a public good, not just a corporate asset. By building Common European Data Spaces, the EU is creating a playground for innovation that respects the individual.

We are moving toward a “federated” future. Instead of moving data into one giant, risky central database, we are bringing the AI to the data. This is the core of what we do at Lifebit. Our federated AI platform allows organizations to collaborate and gain insights without ever moving a single byte of sensitive information.

As we look toward 2026 and beyond, the success of this framework will depend on how well we bridge the gap between legal theory and technical reality. The tools are now in place. The rules are clear. Now, it’s time to open up the power of that data.

Secure your data ecosystem with Lifebit