Skip to main content

Data Intermediation Services: From Mandatory to Voluntary

The EU Data Governance Act (DGA) created a framework for trusted data intermediation—platforms that facilitate data sharing between individuals, businesses, and researchers. But the mandatory registration regime proved too burdensome, with only 27 providers registering instead of the expected 100-150.

The Digital Omnibus transforms data intermediation from a mandatory compliance burden into a voluntary trust label system, removing barriers while maintaining quality standards. This change, combined with abolishing the separate legal entity requirement, could save €318,750 one-off and €6 million annually while encouraging market growth.

What Are Data Intermediation Services?

Definition

Data intermediation service providers act as neutral intermediaries facilitating data sharing between:

Data holdersData intermediaryData users

Key characteristic: Neutrality—the intermediary does not use the data for its own purposes.

Types of Data Intermediation Services

1. Data Marketplaces

Function: Platforms connecting data sellers and buyers

Examples:

  • B2B data exchanges (industrial sensor data, logistics data)
  • Personal data marketplaces (individuals sell their shopping/browsing data)
  • Public sector data platforms

Value: Discovery, valuation, contracting, secure transfer

2. Data Sharing Platforms

Function: Infrastructure enabling data sharing for specific purposes

Examples:

  • Research data sharing (health research consortia)
  • Supply chain data sharing (collaborative logistics)
  • Smart city data platforms (municipal data for urban planning)

Value: Technical interoperability, governance, access control

3. Data Cooperatives

Function: Member-owned organizations pooling and sharing data on behalf of members

Examples:

  • Agricultural cooperatives (farmers share equipment/weather data)
  • Consumer data cooperatives (pooled shopping data for collective benefit)
  • Professional data cooperatives (freelancers share skills/availability data)

Value: Collective bargaining power, shared benefits, democratic governance

4. Personal Data Intermediaries

Function: Services helping individuals exercise data portability rights

Examples:

  • Personal data stores (individuals aggregate data from multiple sources)
  • Data portability platforms (move data between services)
  • Consent management platforms (centralized consent control)

Value: User control, simplified data management, privacy enhancement

The Current DGA Framework (Pre-Omnibus)

Mandatory Notification/Registration

DGA Chapter III (Articles 9-15) establishes:

Notification requirement:

  • Data intermediation providers must notify competent authority
  • Notification before commencing services
  • Detailed information about activities, safeguards, governance

Registration:

  • Competent authority registers compliant providers
  • National registers published
  • Union-level register maintained by Commission

Compliance obligations:

  • Neutrality (cannot use data for own purposes)
  • Separate legal entity requirement
  • Transparency reports
  • Monitoring and auditing
  • Compliance with cybersecurity standards

Why It Hasn't Worked

Only 27 Registered Providers

Expected: 100-150 providers by 2024

Actual: 27 providers as of late 2025

Gap: 73-123 fewer providers than projected

Why the shortfall?

DGA Article 12(1): Data intermediaries must be established as separate legal entities "for the sole purpose of providing data intermediation services."

Cost: Estimated €318,750 one-off to establish separate entity

  • Legal incorporation
  • Corporate structure
  • Governance setup
  • Accounting systems
  • Tax registration
  • Offices and personnel

Problem: Prohibitive for startups and existing businesses wanting to add data intermediation to service portfolio

Example: A cloud provider wanting to offer data marketplace functionality must create entirely separate company, cannot integrate with existing business

2. Continuous Monitoring Obligations

DGA Article 12(m): Implement procedures for monitoring compliance

Cost: Estimated €6 million annually across the sector

  • Internal compliance officers
  • External audits
  • Documentation and reporting
  • Technical monitoring systems
  • Regular reviews and updates

Problem: Heavy ongoing burden relative to business size; discourages market entry

3. Mandatory Notification Creates Barrier

Psychological barrier: Notification feels like asking permission (even though it's not authorization)

Administrative burden: Preparing notification, collecting required documentation, responding to competent authority queries

Uncertainty: Unclear whether specific business model qualifies; risk of notification rejection

Delay: Time from notification to registration delays market entry

4. Rulebook Requirement for Data Altruism

DGA Article 21: Recognized data altruism organizations must have publicly available rulebook

Content: Purpose, data use, safeguards, governance

Problem: For voluntary, public-interest activity, requiring formal rulebook is disproportionate

Impact: Deters organizations from offering data altruism frameworks

Changes in the Digital Omnibus

1. Notification Becomes Voluntary

Key change: Notification shifts from mandatory to voluntary

How it works:

Mandatory regime (current DGA):

  • Must notify to operate
  • Cannot offer services without registration
  • Enforcement for non-compliance

Voluntary regime (Digital Omnibus):

  • Can operate without notification
  • Notification earns "trusted intermediary" label
  • Market choice whether to certify

Trust label system:

  • Providers meeting DGA standards can notify
  • Receive official recognition
  • Use "EU Trusted Data Intermediary" designation (or similar)
  • Listed in public registers
  • Marketing advantage from trust label

Benefits:

For startups and small providers:

  • Can test business models without notification
  • Enter market faster
  • Scale up, then notify if desired
  • No upfront compliance costs for experimentation

For established providers:

  • Choice to differentiate via trust label
  • Can operate without label if preferred (lower costs)
  • Market decides value of certification

For data users/holders:

  • Can choose certified intermediaries for higher trust
  • Or use uncertified for lower cost/more flexibility
  • Market competition on trust vs. price

DGA Article 12(1) removed; replaced with functional separation requirement

Functional separation means:

  • Data intermediation services must be operationally separate within organization
  • Cannot use data accessed via intermediation for other business purposes
  • Technical and organizational safeguards for separation
  • Audit trails and access controls
  • But NOT a separate legal entity

Savings: €318,750 one-off per provider avoiding separate entity setup

Impact:

Cloud providers can offer data marketplace functionality:

  • Functional separation: Intermediation data isolated
  • Technical measures: Access controls, encryption, logging
  • Governance: Internal walls between teams
  • But: Single legal entity, integrated billing, shared infrastructure

Existing platforms can add data sharing features:

  • E-commerce platform adds supplier data sharing
  • IoT platform adds sensor data marketplace
  • SaaS provider adds customer data portability tools
  • Without spinning off separate company

Example:

Before (separate entity required):

  • Company X operates cloud storage
  • Wants to offer B2B data marketplace
  • Must create Company Y (separate entity)
  • Company Y operates marketplace
  • Company X and Y have formal separation
  • Result: €318,750 setup cost, duplicate infrastructure

After (functional separation sufficient):

  • Company X operates cloud storage
  • Adds data marketplace service (same entity)
  • Implements functional separation (access controls, governance)
  • Result: No separate entity cost, integrated services, still compliant

3. Simplified Monitoring

Continuous monitoring obligation reduced

Lighter regime:

  • Risk-based supervision instead of continuous monitoring
  • Self-assessment with spot checks
  • Periodic reviews instead of constant auditing
  • Proportionate documentation

Savings: €6 million annually across sector

Impact: Lower ongoing compliance costs make market entry viable for more providers

4. Union-Level Registers Only

National registers: Eliminated (multiple Member State registers created confusion)

Union register: Single EU-wide register maintained by Commission

Benefits:

  • One place to find all EU trusted intermediaries
  • No need to check 27 national registers
  • Clearer for cross-border services
  • Less administrative burden

5. Data Altruism Simplifications

Rulebook requirement: Deleted

National policy reporting: Deleted

Simplified registration:

  • Lighter application process
  • Fewer ongoing obligations
  • Focus on genuine public interest purposes

Impact: Encourages voluntary data sharing for research, statistics, public good

Expected Impact

Market Growth

Projected: Up to 36 new providers entering market post-Omnibus

Reasoning:

  • Voluntary regime removes entry barrier
  • Functional separation cuts €318,750 cost
  • Lighter monitoring reduces ongoing burden
  • Trust label provides marketing benefit without mandatory compliance

From 27 providers → 60-65+ providers: More competitive, innovative data sharing ecosystem

New Business Models

Enabled by functional separation:

Integrated data platforms:

  • Cloud + data marketplace
  • IoT + sensor data sharing
  • SaaS + customer data portability
  • Single integrated offering

Freemium models:

  • Basic intermediation without certification (free)
  • Premium certified service with trust label (paid)
  • Market segmentation by trust needs

Niche intermediaries:

  • Sector-specific (health data, agricultural data, mobility data)
  • Geography-specific (local/regional data cooperatives)
  • Purpose-specific (research data sharing only)

Innovation:

  • Experimental models can launch without notification
  • Successful models can upgrade to trusted status
  • Failure fast without heavy compliance sunk costs

More Data Sharing

For research:

  • More data altruism organizations
  • Easier access to shared datasets
  • Better support for data-driven research
  • Public interest benefits

For SMEs:

  • Access to data marketplaces for insights
  • Share data with partners via trusted platforms
  • Participate in data cooperatives
  • Compete with data-rich incumbents

For individuals:

  • More personal data intermediaries
  • Better control over data
  • Monetization opportunities (if desired)
  • Exercise portability rights more easily

Comparison: Before and After

AspectCurrent DGADigital Omnibus
NotificationMandatoryVoluntary (trust label)
Separate entityRequiredNot required (functional separation)
Setup cost€318,750Reduced or eliminated
MonitoringContinuous (€6M/year)Risk-based (lower cost)
RegistersNational + UnionUnion only
Data altruism rulebookRequiredNot required
Market entryHigh barrierLow barrier
Number of providers27 (underwhelming)60-65+ (projected)
Market modelMandatory complianceVoluntary certification

Who Benefits?

Startups and Innovators

Before: Cannot afford €318,750 + €6M/year ongoing costs

After: Launch with functional separation, notify later if desired

Result: More innovation, experimentation, competition

Established Businesses

Before: Must create separate entity to add data intermediation to service portfolio

After: Integrate within existing business with functional separation

Result: More comprehensive service offerings, better customer value

SMEs as Data Intermediary Users

Before: Limited choice (27 providers), high costs passed to users

After: More providers (60+), competitive pricing, diverse options

Result: Better access to data sharing infrastructure

Extended benefits: SMCs also get simplified compliance (see SME and Small Mid-Cap Exemptions)

Data Holders and Users

Before: Limited trusted intermediaries, mandatory regime creates supply constraint

After: More options, trust label differentiates quality, competitive market

Result: Better services, lower costs, more trust options

Society and Public Interest

Data altruism growth:

  • More organizations offering voluntary data sharing
  • Better research data availability
  • Public interest projects (health research, climate science, urban planning)

Data cooperatives:

  • Empower individuals and small businesses
  • Collective bargaining for data
  • Democratic data governance

Practical Guidance

For Aspiring Data Intermediaries

Step 1: Determine if you qualify

You're a data intermediary if you:

  • Facilitate data sharing between data holders and users
  • Act neutrally (don't use data for your own purposes)
  • Provide technical, legal, or commercial intermediation

You're NOT a data intermediary if you:

  • Process data as a controller (use for your own purposes)
  • Simply provide infrastructure (cloud storage without intermediation)
  • Operate outside the EU

Step 2: Choose your path

Option A: Operate without notification

  • Pros: No compliance costs, faster launch, test business model
  • Cons: No trust label, cannot market as "EU trusted intermediary"
  • Best for: Startups, experimental models, low-trust-requirement markets

Option B: Notify and get trust label

  • Pros: Marketing advantage, listed in EU register, customer trust
  • Cons: Compliance obligations, monitoring, transparency reporting
  • Best for: Established providers, high-trust markets (health, financial data)

Step 3: Implement functional separation

Even without notification, best practice:

  • Separate intermediation data from other business data
  • Access controls and encryption
  • Internal policies prohibiting data use for own purposes
  • Audit logging
  • Staff training

Step 4: Consider notification later

Start without notification → Grow → Notify when business case justifies:

  • Customer demand for trust label
  • Competitive differentiation
  • Regulatory comfort
  • Market maturity

For Organizations Using Data Intermediaries

Evaluate trust needs:

High-trust scenarios (health data, financial data, sensitive research):

  • Prioritize EU trusted intermediaries (notified, in register)
  • Verify compliance with DGA standards
  • Check transparency reports and audits

Lower-trust scenarios (non-sensitive B2B data, public data):

  • Consider uncertified intermediaries (lower cost)
  • Assess functional separation measures
  • Contractual safeguards

Due diligence:

  • Does intermediary have conflicts of interest?
  • What are their data use policies?
  • What technical safeguards are in place?
  • What's their incident response capability?
  • Check EU register if trust label claimed

For Data Altruism Organizations

Simplified requirements:

  • No rulebook needed (though transparency about purposes still valuable)
  • Lighter registration process
  • Focus on genuine public interest

Steps:

  1. Define public interest purpose (research, statistics, public good)
  2. Establish transparent data use policies
  3. Implement safeguards for donated data
  4. Register with competent authority (simplified process)
  5. Use European data altruism consent form
  6. Report on use of data (lighter requirements)

Examples:

  • Health data altruism for medical research
  • Mobility data for traffic planning
  • Energy data for sustainability research
  • Educational data for pedagogy improvement

Transition Provisions

Existing DGA Registrations

Automatically transferred to Digital Omnibus regime:

  • No need to re-register
  • Existing registrations remain valid
  • Can continue operating under same terms

Can opt into new regime:

  • Remove separate legal entity (restructure into parent company with functional separation)
  • Benefit from simplified monitoring
  • Lighter ongoing obligations

Grace Period Expected

Likely: 6-12 month transition after Data Act consolidation takes effect

During transition:

  • Existing providers adapt to new requirements
  • New providers can enter under new regime
  • Competent authorities update processes

Risks and Safeguards

Risk: Loss of Trust Without Mandatory Regime

Concern: Voluntary notification means uncertified intermediaries operate

Mitigation:

  • Trust label creates two-tier market (certified vs. uncertified)
  • High-value/sensitive data sharing gravitates to certified intermediaries
  • Market disciplines uncertified providers (reputational risk)
  • Functional separation still required (baseline safeguard)

Risk: Race to the Bottom

Concern: Providers avoid notification to cut costs; market fails

Mitigation:

  • Data holders and users demand trust label for valuable data
  • Regulatory enforcement on functional separation (even for uncertified)
  • GDPR, NIS2, and other regulations provide baseline safeguards
  • Market will support both certified and uncertified segments

Safeguards Maintained

Even under voluntary regime:

Neutrality requirement: Cannot use intermediated data for own purposes (enforced via functional separation)

Transparency: Certified intermediaries must publish transparency reports

Security: Cybersecurity standards apply (NIS2, GDPR security)

Data subject rights: GDPR rights enforceable regardless of certification

Competent authority oversight: Supervision of certified intermediaries continues

Key Takeaways

  1. Notification shifts from mandatory to voluntary (trust label system)
  2. Separate legal entity requirement removed (functional separation sufficient)
  3. €318,750 one-off savings per provider from entity requirement removal
  4. €6 million annual savings across sector from lighter monitoring
  5. Expected 36+ new providers entering market post-Omnibus
  6. From 27 to 60-65+ providers creates competitive market
  7. Trust label differentiates certified intermediaries from uncertified
  8. Data altruism simplified (no rulebook, lighter registration)
  9. Union-level register only (national registers eliminated)
  10. Startups can test models without notification, certify later if desired

The transformation of data intermediation from mandatory compliance to voluntary certification represents a sophisticated regulatory evolution. Instead of forcing all providers through the same heavy regime (which failed—only 27 registered), the Omnibus creates a light baseline (functional separation) with optional certification for those seeking trust differentiation. This approach should unlock the data sharing market's potential while maintaining safeguards for high-trust scenarios. The result: more providers, more innovation, more data sharing, and more economic value—exactly what the Data Governance Act aimed for, but this time with a framework that actually works.