The Data Act

Comprehensive Guide to the European Data Regulations and Standards


Europe’s digital economy will fail without data integration. This inescapable fact makes data collaboration across all European organizations fundamental to their success in the decades to come.

In fact, the EU data economy is expected to surpass the one trillion euro threshold sometime in 2030, continuing its annual growth. It comprises nearly 3.6% of the GDP for the whole of the European Union.

Data Is the Future

Companies with access to vast data resources will have an unbeatable competitive advantage. No one denies the importance of data—but few companies are in a position to extract useful business information and drive innovation on the basis of the operational data they already possess—and that sabotages the future. For the past ten years, companies have focused primarily on collecting data. Now, they’ve come to realize that they don’t know how to use them for more than pure analytical purposes, that is, to drive business. Some of these use cases include introducing new services, creating new operational models, and boosting cooperation.

Why is obtaining information a challenge? It is vital to remember that data is a single point of information, e.g., the temperature of your office on Tuesday, November 1st, 2011 at 9:02 a.m., recorded by your brand new NEST thermostat.

In and of itself, that reading is useless, but when combined with the continuous historical record of data about that spot and the rest of the building, it could help tell the story of why the foundation is weakening in that corner. In that scenario, a remediation crew could use that information to deduce how the decay developed and determine how to fix it. Information is consolidated data, put into a useful form.

Such data extraction needs the ability to access the data in the first place, and that requires that it is properly organized so you can unlock the real value in your data. No data is useless, but making use of it is situationally dependent. You may not need to know how many bristles are in a push broom when you buy it, but you do need to know that number if you are manufacturing it.

Data turned into information drives product innovation, design, and development. Once your data are in thrall, they become your best resource; consolidating them prevents you from falling behind your competition. Used wisely, they let you move beyond your competitors and become a leader in your domain.

There is tremendous pressure on tech startups and companies to operate at very large scales in order to obtain, access, and utilize sufficient data to enhance decision-making processes. Startups are obliged to mature quickly, handling more data than ever required before, so they can justify their expenditures for data acquisition to their stakeholders and investors.

The tools used for this are inconsistent, and how the data is stored varies considerably. Security is often a patchwork, and incompatible rules make it hard to delve beneath the surface. You are handicapped by bad data flow, strict data governance restrictions, poor access, and the resultant lack of the ability to analyze it, never turning it into actionable information.

Data needs to be democratized amongst ourselves and made available to increase competitiveness, but politically, the European Union also wants to make sure that such increased availability doesn’t confer an unfair advantage on foreign competition. Ideally, the EU will boost competitiveness by sharing data amongst ourselves to synergistically improve manufacturing and business decision-making.

What is the European Strategy for Data?

The European Union has taken steps to protect the rights of individuals to make sure their rights aren’t violated in the digital realm. Embracing such a people-first strategy for protecting European rights, values, and data sovereignty is well worth the effort for businesses. The digital world doesn’t politely wait for stragglers to fall into step.

The EU needs to create a single united market for data to ensure competitiveness on a global scale while retaining data sovereignty. While data owners need to stay in control of their data, that doesn’t mean they are the sole users of it. Sharing knowledge through data-driven applications can:

  • Drive profits and increase competitiveness
  • Enhance healthcare
  • Make delivery of public services less expensive
  • Increase transportation safety
  • Reduce pollution
  • Increase energy efficiency
  • Boost sustainability
  • Lower environmental impact


Source: Unesco

Since 2020, the European Commission has introduced a set of regulations for harmonized rules establishing fair access to and use of data in the EU. This is one of the mainstays of the European strategy for data management which will make Europe a dominant force in the data economy, benefiting society and the economy as a whole.

This will require both infrastructure and legislation to provide data processing centers, cloud infrastructure, required support services, as well as electronic and physical architectures. The EU intends to invest €2 billion to fund various data protection and regulation initiatives.

The goal is to make data more trustworthy and more widely available, in addition to creating a legal framework governing rules of data usage. Legislation will be forthcoming on data access, control, and reuse, as well as rules governing data sharing between business and government for the public good.

This broader information availability will allow better insights for legislators, and more knowledge for businesses to use when making tactical decisions. Europe stands to benefit in these two distinct ways both internationally and internally.


GDPR, Digital Markets Act, Data Governance Act & Data Act: Navigating these regulations

These acts and regulations have overlapping authority. Let’s look at each piece of data protection legislation below:

GDPR (Effective date: May 25, 2018)

Arguably, the GDPR is the toughest privacy and security law in the world. Any business or organization that collects person-related data on members of the EU is subject to its regulations. Each user must agree or disagree to have their data used by a company for a specific purpose. Whenever the company needs new data, or wants to use the current data for a different purpose, it must seek consent from the user.

Investigations are handled by DPAs (Data Protection Authorities), which are politically independent agencies with investigative and corrective tools at their disposal. They are responsible for applying data protection law, as well as providing expert guidance on all data protection matters and questions. They assess and manage reports against violators of the GDPR and relevant national laws. Each EU member has its own representative which manages both GDPR and DPA.

The fines for violators of the security and privacy standards can be eye-wateringly harsh, from tens of millions of euros to hundreds of millions. Just consider that the top two violators, Amazon Europe and WhatsApp Ireland, have received nearly one billion euros in fines—specifically, €746 million and €225 million, respectively.


What is the Impact on Business?

Organizations that run afoul of the rules will pay the price. Bigger, wealthier companies will be hit particularly hard, as noted above, because they make an excellent example to other participants that everyone will be monitored and that the rules will be enforced, right down to the smallest player.

Example: Google Ireland

Consider the example of Google Ireland. The CNIL (the French Data Protection Authority) assessed a fine of €90,000,000 (US$102,000,000) in January of 2022. The reasoning was that the Google European Division’s implementation of cookie acceptance or refusal on YouTube was overly difficult. Accepting cookies took a single click whereas refusing cookies was a convoluted process requiring several clicks.

Since cookies are the basis of user tracking for marketing purposes, and Google derives extraordinary profits from providing the YouTube Service, the CNIL said the large fine was entirely justified. User data is one of the richest forms of wealth available on the internet, outpacing even cash.

As to why the fine was imposed by the French authorities instead of the Irish authorities, where the company is based: the conduct contravened the e-Privacy Directive, which allows regulators to act directly on the offender, rather than going through the parent company. Nevertheless, this is still a GDPR fine because ultimately the GDPR regulates Internet businesses when it comes to obtaining consent from users.

Trello as a great example of an effective GDPR implementation

Trello takes privacy concerns seriously, and believes that the company-wide GDPR compliance strategy is of the utmost importance. They know their customers have to meet GDPR requirements when they use Trello services. That is why they are dedicated to ensuring that their customers can easily fulfill their requirements under the GDPR.

Since Trello has to comply with the GDPR requirements, they’ve undertaken the following initiatives. These are the steps published on the privacy resource page of Atlassian (the suite of tools Trello is a part of).

  • They’ve published an updated Privacy Policy, effective as of May 25, 2018.
  • They’re committed to meeting the security and privacy measures required under GDPR.
  • When transferring data outside of the EU, Trello has committed to the required data transfer mechanisms stipulated by GDPR, specifically including current Privacy Shield certification.
  • Assisting customers with satisfying their GDPR data security and privacy requirements, and promptly notifying regulators about any personal data breaches anywhere within their purview or systems, as well as quickly informing customers and end-users about any such breaches.
  • Warranting that Trello’s staff members who access and process the personal data of their customers are legally bound to preserve the privacy and safekeeping of their data.
  • Assuring that any legally entitled third-party data processors handling the customers’ personal data adhere to the applicable privacy standards, data management, and security requirements of the GDPR.
  • Pledging to execute data impact assessments, plus consulting with EU regulators, as is applicable.

Digital Markets Act (DMA)

The Digital Markets Act (aka Regulation 2022/1925) is an EU regulation that targets making the digital economy more competitive and fair. First proposed by the European Commission (EC) in December 2020, it was ratified in September 2022 both by the European Parliament and the Council of the EU.

Large online platforms, acting as important gatekeepers between European businesses and consumers, can leverage their size and financial resources, overwhelming smaller players. As of November 1st, 2022, DMA regulations prohibit unfair practices by setting rules that operate in parallel with both EU and national competition rules, supported by both the GDPR and DPAs.

As of May 1st, 2023, the EC will have the power to officially designate companies as gatekeepers based on financial and user thresholds. Companies qualifying or designated will have two months to refute that status, and the EC will then decide within 45 days based on the merits of the claim if they are indeed gatekeepers. If the decision is affirmative, companies will then have six months to comply with the DMA regulations.

Companies designated as gatekeepers meet the following criteria:

  • Provide a core platform service that serves as an important gateway between business users and end users.
  • Have a significant impact on the internal EU market.
  • Enjoy an established, expected, or entrenched and durable position in the market.


Data Governance Act (DGA)

The European Data Governance Act became law on June 23rd, 2022. The 15-month grace period for compliance will expire in September 2023.

Ideally, the DGA will create a framework to facilitate data-sharing as a key component of the 2020 European Strategy for Data. It will increase trust in that area, strengthening mechanisms to augment data availability, and eradicate technical obstacles to data reuse. This will allow players to leverage the potential of data for the benefit of European citizens and businesses.

Additionally, the DGA will augment the development and setup of common data spaces in strategic European domains. This will involve both Public & Private participants, in multiple sectors (e.g. agriculture, energy, environment, finance, health, manufacturing, mobility, public administration, and skills).

The initiative aims to boost the development of trustworthy data-sharing systems through 4 broad sets of measures:

  • Creating processes to allow reuse of specific public sector data that cannot exist as open data (e.g. health data that could advance medical research).
  • Controls ensuring European data spaces intermediaries function as trustworthy organizers of data sharing and pooling.
  • Dependable private methods for businesses & citizens to share their private essential data to benefit society as a whole.
  • Measures to make it possible to share data across sectors and borders, enabling relevant data to be found for a precise purpose.


Data Act

European Union rules and values inspired the Data Act to enhance data availability to benefit the EU economy, services, and scientific advancement. The proposed act was published on February 23rd, 2022, and is expected to take effect in the Spring of 2023 at the earliest. It is yet another fundamental pillar for supporting the European strategy for data; it will contribute to the EU’s overall goals during this transformational Digital Decade.

The new measures complement the Data Governance Act. While the DGA regulations create the framework to facilitate data availability, the European Data Act clarifies who can create value from data, and under which conditions.

For example, individuals purchase cars, and those vehicles’ internal data systems know virtually everything about the vehicles. How does the user access it? It is all there, but how do they easily transfer that to a third party (say, an auto-mechanic)? Each industry may be legally required to provide a customized API (Application Programming Interface) to make that data available to the owner.

Here are the fundamental takeaways from the Data Act:

  • Data generated by the use of products or related services should be accessible for the user in an easy and secure way, without delay, free of charge, and (as possible) in real-time;
  • Upon user request or need, the data should be shared with specified third parties without delay, free of charge, and (as possible) in real-time;
  • Third parties can access and process only data that is specified in the contract with the user. That third party must delete the data when it’s not needed to fulfill the contract with the user;
  • Trade secrets can be disclosed only if confidentiality is provided, especially regarding third parties’ access to the data;
  • Any compensation agreed between the data holder and data recipient for making data available shall be reasonable;
  • The vendor of an application using smart contracts shall comply with the following essential requirements: access control, continuity, data archiving, robustness, and safe termination.


Will the European Data Act be a Tsunami Wave?

Now that the GDPR, DMA, and the DGA are in effect (though the Data Governance Act is still activating), people and businesses need to understand what it means in practice, who will be affected, and the ultimate consequences of all this legal activity.

To date, according to researchers’ estimates at the Oxford Martin School, the GDPR has caused an 8.1% decline in profit and a 2.2% drop in sales. Their hypotheses were that the GDPR could have two significant impacts: increased compliance costs and lowered e-commerce demand.

Frey and Presidente’s study found that GDPR has not affected all companies equally. Small businesses are significantly more affected. For example, in the IT sector, small firms took a 12% hit while large firms suffered only 4.6% losses. Generally speaking, losses are about one-third for larger companies vs their small counterparts.

Source: techmonitor

Companies which don’t take the GDPR provisions seriously can face severe fines, as indicated earlier. For example, as reported by Thomson Reuters:

  • British Airways’ fines exceeded 200 million euros;
  • Marriott Hotels faced in excess of 100 million euros in fines;
  • Google Inc. tallied 50 million euros.

Companies have found it perplexing or difficult to create and manage the systems and processes necessary for the immense amounts of data collected. They’ve also struggled with tracking it from the point of creation to its eventual destruction, while managing its proper storage in between. Prior to the introduction of GDPR, 39% of respondents indicated that they were completely unfamiliar with this new regulation, while only 33% had an established plan for GDPR compliance.

As seen from the examples above, while GDPR has brought positive change for the rights of individuals, it has also resulted in severe consequences for website and online service operators.

When it comes to the European Data Act, it requires device manufacturers to provide the device owner all of their data in an accessible format, for instance, via API. This means that the manufacturer must create an IT infrastructure that permits data sharing and an API for data transfers. For this purpose, they must fulfill all security and compliance requirements outlined in the European Data Act.

This applies to the following groups:

  • manufacturers of products and providers of related services (i.e. those who handle industrial data as well as those who offer digital services). This includes software that is:
    • marketed in the EU, and
    • included in or interconnected with a product in such a way that their absence would prevent the product from performing its functions. These most commonly include IoT, or Internet of Things, devices.
  • public authorities in the EU.

The legislation mandates sharing requirements to permit data sharing among businesses, public authorities, and users. While SMEs are exempted from these obligations, the overall requirements imply that the European Commission will impose additional regulations for the most important sectors (on top of the Data Act).

Limits will be put in place so that data shared with third parties remains safe and harmless to those involved. There will be restrictions on the use of the data by market competitors of the data holder, as well as measures in place to protect privacy, confidentiality, and trade secrets of all participants.

Influencing or preventing the user’s data-sharing behavior by data holders or third parties in any manipulative, coercive, or technical way will be forbidden. These strict guidelines will not apply to micro and small companies, provided they’re independent from other companies.

Gatekeepers are subject to more specific restrictions. Users are not allowed to share data with these gatekeepers, nor are gatekeepers allowed to request access to these data.

Specific attention to assessing the risk of non-EU countries gaining access to data is a priority, too. Data owners ask “Where is my data being stored?”, “Who can access it?”, and “Is it on a Chinese cloud?” The European DA already includes the transfer of personal data outside the EU, but adds restrictions to non-personal data as well.

This requires an international agreement to be in place to assure that court orders from third countries will be followed. Keeping this in mind is important as it reflects the ongoing efforts of the US and the EU to ratify this agreement.

Harmonized Standards

To realistically strive for interoperability, harmonized standards among cloud service providers are vital. The previous SWIPO initiative for cloud-switching was deemed insufficient for this purpose because it lacked both adequate safeguards and functional equivalence when moving software to another cloud platform. Without these, fair competition isn’t possible. Standardization organizations will be approached for this purpose including, if necessary, a mandatory implementation act.

In summary, Krzysztof Malicki, our CEO, says:

“The implementation of the requirements imposed by regulations is inevitable and usually has a specific due date. Despite this fact, implementation work is usually postponed by companies until the last minute for many reasons, including:

  • Lack of familiarity;
  • Considered of lower priority;
  • Timescales don’t seem imposing;
  • Decisions are in flux and may evolve;
  • No one wanting to be first!

The regulations are clearly within the non-core but, sooner or later, mission-critical group of cases. It is worth assuring that the supplier of the data exchange platform for our systems is aware of these upcoming regulations, so that compliance is of “core”, utmost importance to them. This would help ensure the compliance of the offered service, on a timely basis. Trusted Twin is a member of organizations involved in the creation of the Data Act and is therefore your best partner”.


Data Act — real-life implications

Let’s look at a few examples of how the Data Act will change how data is used and transferred:

How it impacts individuals and businesses

Unlike software with EULAs (End-User License Agreements), when you buy a ‘traditional’ product, you own all parts and accessories of that product. However, when you buy a connected (IoT) product that generates data, it is often not clear who can do what with the data.

Personal Gear

Owning a car should mean owning the data about that car, and being able to use it to your own benefit. Fuel efficiency, driving techniques, navigational data, and other information could be used with an owner’s insurer to obtain a specific rate of insurance reflecting actual risk.

This data should be collected and made available by the manufacturer, but only with the owner’s permission, to be shared for whatever purposes they deem necessary. The manufacturer needs to provide an API and a centralized data depot to make this possible. Users are entitled to enjoy the benefits of the data they create.

Commercial Gear

Industrial equipment generates data, too, allowing for process and manufacturing optimizations. Construction companies, factories, farms, or any other operation can optimize production lines, operational cycles, and supply chain management, including optimization based on machine learning, when they have access to their own data. It also makes sure that data isn’t “hidden” in cloud infrastructure governed beyond the EU, for instance, in China. Instead, it ensures that data is readily available for manufacturers and other authorized parties. That’s what we do at Trusted Twin.

Agricultural Gear

IoT analytics in precision agriculture allows information like GPS data, weather, moisture levels, temperature, market prices, satellite imagery, insect status, and more to provide insights on optimization and crop yield. Fewer resources for full yield can save money and lower environmental impact. This allows farmers and farm owners to independently decide how the data collected by the farm machinery, piggery, etc. will be applied and connected with the systems used for farm management.

Even with foreshadowing, forewarning, and high information availability, only a small percentage of companies are prepared for the Data Act.

Obstacles to implementing the Data Act

Data silos

In many cases, data is locked in silos within companies; those same companies have no readily accessible methodologies for extracting that information. These problems are both technical (platform & integrations) as well as organizational (policies, e.g. data governance).

Many companies don’t have single sources of truth

This means silo-stored & dispersed data in legacy systems, which cannot be governed properly—and many companies still rely on legacy servers. Companies that use legacy servers suffer from significantly poorer data performance.

A joint study by the scholars at Harvard Business School and Stockholm School of Economics shows the impact of legacy servers. They surveyed a number of large corporations, focused on a few major industries (including finance, healthcare, and manufacturing) existing before the big tech revolution of the 1990s. They compared these organizations to companies that were set up in the 21st century.

Their conclusions: Legacy server users have an average of 12% poorer data architecture coherence as compared to organizations that reported no legacy servers.

Understanding the consequences of a silo-stored system is aided by a metaphor:

Data is like products in a grocery store. Each is unique and has different storage, delivery, and usage requirements. Typically, siloed companies either keep everything in one unsorted pile (so everything is universally difficult to access) or companies act like a canteen where you request an individual item, and it is dispensed one at a time, per request.

You don’t shop for groceries like that, and data works poorly that way, too. Creating a supermarket where you pick and choose anything you want or need (if you’re entitled to have it), is many times more efficient. That is the purpose of the Data Act—to create such an environment.

So, what can you do to relieve yourself from the ancient dependency on legacy systems? You can turn to Trusted Twin — we provide the means for setting up, storing, and handling business-relevant objects. These are created from data that comes from multiple sources (i.e., different legacy systems or even different organizations).

Trusted Twin isn’t another copy of your entire data. We are the place where data converges and becomes useful; where all the disparate pieces are connected together and converted into genuine information to power your digitized processes and help you make good business decisions—using data objects powered by the Digital Twin concept.

Internal data governance programs are missing

There is more to it than companies missing out on data-powered opportunities, or wasting resources by following data governance programs that are ineffective or obsolete. It’s also about staying compliant with local and international legislatures that regulate how data can be shared and accessed.

The EU’s Data Act is all about restoring the balance in data sharing contracts with different parties. It is for IoT device users who want to gain access to the data they generate (today generally used exclusively by the device manufacturer); to rebalance the data sharing negotiation power between small businesses and large organizations with a stronger “bargaining position”.

The EU Data Act is a good example because it partially amends the 1990s Database Directive. Organizations answering to the EU legislature need to update their data governance strategies manually; they’ll need to apply changes to their infrastructures so that they are in alignment with these modernizations. If handled internally, you’ll have to monitor changes continuously and apply costly technical refinements.

For more information, read our dedicated piece on digital transformation obstacles.

A lack of data normalization and standardization processes

Two of the most important data processing techniques used in the transformation process are Standardization and Normalization. To maximize your data potential, it must be represented uniformly and consistently.

You do this by creating a business abstraction layer where multiple sources all use precisely the same system for the same data. This provides the “single source of truth” (mentioned earlier) upon which business is completely dependent. The same data cannot be allowed to produce different results depending on where it is processed.

We’ll discuss standardization later in this guide.

How to prepare for the Data Act

Here are a few steps your organization can undertake in preparation for the Data Act coming into force.

Make data completely accessible to users

Those who design IoT products and services must create them so that users can easily access any data generated through their use. Intermediary data holders, in turn, must not utilize or exploit personal data generated via IoT products and services without a legal basis (under general data protection laws, see below). Non-personal data remains untouchable without a contractual agreement with the user.

Potential purchasers/users of any IoT product must be made aware of the data generated by the device before the product is sold to EU customers. Data-reliant businesses will have to invest more effort (legally) to ensure that they have a valid basis for information collection and management.

Design effective product interfaces

Providing a secure data-sharing interface is an obligation for IoT manufacturers and service providers to protect the data holder’s rights. Data intermediaries and recipients must prevent unauthorized data transfer to third parties, and must refrain from using such data to create products that compete with the data creator.

Trade secrets that are required to be disclosed under specific confidentiality arrangements must still be shared. Monitoring compliance is problematic at this point, and in practice the means for preventing unauthorized sharing are limited.

Create terms for data sharing

The DA establishes comprehensive rules for the terms and conditions for data holders to make data available (if they are required to do so) not only under the Data Act but also under any other subsequently adopted EU or Member State legislation. Rules state that such terms must be fair, reasonable, non-discriminatory, and that the onus is on the data holder for their non-discriminatory nature.

The same applies to any amount paid to the data holder for data sharing. The compensation to be paid by SMEs must not exceed the actual costs of sharing the specific data. Trusted Twin shows exactly how much it costs to split costs between partners (instead of managing it independently) or even allows them to pay directly.

In addition, the DA establishes a collection of terms considered to be unfair in data sharing agreements. These are comparable to existing rules of consumer contract law.

Ultimately, this will require IoT producers and service suppliers to update their standard agreements for permitting third parties (e.g., third-party developers for customer-facing applications) access to user data. The scope of these responsibilities will vary depending on the scope of future data sharing legislation, requiring additional updates and adaptations, across the EU.

Working with a Legal Team

Ensuring GDPR compliance requires legal consultation. The consequences of violating the Data Act can be remarkably expensive (as shown earlier); compliance should never be based on non-legal team interpretations. These teams advise you on the legal requirements, and they will also apprise you about whether the infrastructure alterations you are planning are legally compliant.

Partner with Trusted Twin

When you are planning anything regulated by the Data Act, you need a platform that provides a compliant, ready-made, data-sharing utility. Self-created solutions require continuous maintenance and risk falling out of date, costing time, effort, and needless additional expense. The final shape of the regulation is still unknown.

Trusted Twin is a partner for whom ensuring compliance with future regulations is a fundamental part of its core business.

Additionally, Trusted Twin is a member of the organizations involved in creating these regulations. Ensuring compliance with those rules is intrinsic to its strategy. For this reason, especially when the final regulations are not yet known, it is your best partner.

EU Data Act and the EU Data Strategy – The Key Considerations

Data standardization

We said we’d address data standardization. It is the process of creating standards and then converting data taken from dissimilar sources into one consistent format that follows those standards.

Most organizations utilize data from a number of disparate sources. You may see sources such as data lakes, warehouses, cloud servers, databases, private servers, and more.

Uniformity eliminates difficulties down the line. Data standardization is crucial because it helps you establish clear, consistently defined elements and attributes, providing an all-inclusive set of your data.

Consistent data is a crucial starting point for obtaining insights or solving problems properly. Something as simple as a customer name could be represented as Name, Client, Company, FirstName;LastName, or any number of variations. Standardizing the way you label data will make sure you’re not missing important information. Analytics and reporting will be smoother, and authentication and authorization will be easier, allowing security restrictions to be applied to data items and data users as appropriate.

What are Data Spaces?

Data Space refers to a type of data relationship between trusted partners, specifically adhering to the same principles, standards, and guidelines in relation to data storage and data collaboration, and generally within one or even many vertically integrated data ecosystems.

Source: Gaia-X

Data Spaces can be organized by one company, relating solely to it and its partners, or they can be industry-specific Data Spaces such as European Common Data Spaces.

Whichever is the case, a data space is the sum of all its participants and allows them to collaborate on data. These parties may include data providers, users, and/or intermediaries. Indeed, data spaces can be, and often are, nested and overlapping. Participating in numerous data spaces simultaneously can only enhance decision-making processes.

Data control and trust are essential for data spaces to work and sustain relationships between participants. To ensure this, the IDSA (International Data Spaces Association) has prepared a reference data structure prototype for members.

Each Data Space provides specific data, forming a solid basis for one (or many) ecosystems. Data Spaces use software tools that operate on cloud or edge cloud infrastructures.

Effective data sharing is the key

Ernst & Young Global Consulting points out that all data space operators must meet the Data Act’s requirements. They must adequately describe the content of a data set and/or the technical means of accessing it (e.g. APIs). They also have an obligation to ensure interoperability when using smart contracts.

The DA elaborates on smart contracts, defining necessary requirements for such contracts when data sharing. Application providers using smart contracts will have to meet requirements for access control, continuity, data archiving, interruption, resilience, and secure termination.

Common European Data Spaces

The goal for European Data Spaces is to guarantee that data is accessible for use in society and the economy, all the while avoiding malpractices by keeping those who utilize it under control.

The initial nine Common European data spaces are as follows:

  1. An Industrial data space, to support the competitiveness and performance of the EU’s industry;
  2. A Green Deal data space, to use the major potential of data in support of the Green Deal priority actions on issues such as climate change, circular economy, pollution, biodiversity, and deforestation;
  3. A Mobility data space, to position Europe at the forefront of the development of an intelligent transport system;
  4. A Health data space, essential for advances in preventing, detecting and treating diseases as well as for informed, evidence-based decisions to improve the healthcare systems;
  5. A Financial data space, to stimulate innovation, market transparency, sustainable finance, as well as access to finance for European businesses and a more integrated market;
  6. An Energy data space, to promote a stronger availability and cross-sector sharing of data, in a customer-centric, secure and trustworthy manner;
  7. An Agriculture data space, to enhance the sustainability performance and competitiveness of the agricultural sector through the processing and analysis of data;
  8. Data spaces for Public Administrations, to improve transparency and accountability of public spending and spending quality, fighting corruption, both at EU and national level;
  9. A Skills data space, to reduce the skills mismatches between the education and training systems and the labor market needs.

Organizations and projects focused on standardization

Standardization and data spaces are developed in parallel because standardization is the domain of non-governmental organizations and associations (e.g. IDSA and Gaia-X), while the EU works on a legal framework regulating data-sharing and data spaces. It’s not one or the other, but rather both or neither.


Essentially, the IDSA is a provider of “near perfect” business requirements for all Data Spaces. They predicate their decisions and rules on ideal business architecture and ideal business requirements, but stay completely out of any technical requirements. Technological development is not in their purview.

The IDSA’s role is akin to designing any manufactured object where you specify all the parts. A bicycle needs wheels, a steering mechanism, bearings, pedals, a drive system, and it must operate safely and reliably, but beyond that it is up to the manufacturer to complete the job. IDSA defines functionality, not physical engineering.


Gaia-X is a project initiated by Europe, for Europe, and beyond. Representatives from politics, business, and science, whether from Europe or anywhere in the world, cooperate to develop a working framework and create a federated and secure data infrastructure. Companies and citizens collate and share data in such a way that they keep control over that data. They determine the fate of their own data, where it is stored, who can access it, and under which conditions, and they always retain their data sovereignty.

Gaia-X will not be a cloud of data. It will be a federated system, linking multiple cloud service suppliers and end-users, creating a transparent environment that will power the European data economy of tomorrow.

One subset of Gaia-X is Catena-X, which relates to the automotive industry. Catena-X, formerly known as the Automotive Alliance, will enable a secure and multi-company data exchange for all participants in the automotive value chain, benefiting all.

EU data strategy & data protection laws – key takeaways

The GDPR is the toughest privacy and security law in the world. If a business or organization collects person-related data for members of the EU, it is subject to its regulations. Compliance investigations are handled by DPAs (Data Protection Authorities) and they can assess massive fines. It is an important component of EU privacy law and of human rights law, designated in the Charter of Fundamental Rights of the European Union.

The Digital Markets Act (DMA) is an EU regulation that targets making the digital economy more competitive and fair. DMA regulations prohibit unfair practices by setting rules that operate in parallel with both EU and national competition rules, supported by both the GDPR and DPAs.

The European Data Governance Act (DGA) creates a framework to facilitate data-sharing as a key component of the 2020 European strategy for data. The DGA will augment the development and setup of common data spaces in strategic European domains and boost the development of trustworthy data-sharing systems.

The Data Act (DA) was created to implement data sharing to benefit the EU economy, its members, its services, and its scientific advancement. It was designed to complement the DGA. Its purpose is to clarify who can create value from data and under which conditions, and to ensure that data generated by the use of products or related services is accessible to the user, free of charge, and (where possible) in real time.

Ultimately, Trusted Twin can help with getting prepared for the Data Act, make sure you stay in compliance with the rules and regulations, help to keep your data secure, and help to make sure that you benefit from your data, while retaining control of it.

Trusted Twin should be your automatic choice. Contact us today, and let’s discuss how we can put you ahead of the pack, ready to lead the rest of your industry into the future. We would love to hear from you!
