This building block aims to guide the data space governance authority in applying legal rules to a data space's design and operation. Specifically, it helps to properly define some participant roles and responsibilities, establish internal policies, and continuously monitor the regulatory compliance of a data space. In addition, it assists data space participants in understanding their rights and obligations under regulatory frameworks that are relevant to their role in a data space or to a specific data transaction. It also provides guidance on relevant legislation to those interested in setting up or joining a data space, including developers, policymakers and others.

Key elements of this building block include:

• Triggers: Elements, criteria or events (e.g. data type, nature of participant or domain) that have occurred in a particular context of a data space and signals that a specific legal framework must or should be applied.

• Data space requirements: Regulatory provisions that explicitly refer to data spaces.

• Additional legal considerations: This element highlights other important legal considerations to be aware of when setting up or operating a data space, e.g. cybersecurity law. 

• Tools enabling regulatory compliance within a data space: Technical tools or techniques designed to address certain legal requirements (such as secure processing environment, privacy-enhancing technologies etc.).

• Regulatory Compliance Flowcharts: A step-by-step guidance helping to assess the applicability of a specific legal framework and to determine the requirements to be addressed by specific entities. The main objective of this element is to operationalise the triggers and structure the interplay of the above-mentioned elements. In the future, these flowcharts will become part of the Legal Compass which will reflect more in detail on the relationship between decisions taken in the business, technical or governance of a data space and compliance with particular legal requirements.

The Regulatory Compliance building block encompasses a range of activities designed to ensure compliance with relevant regulatory frameworks. These activities involve understanding the legal requirements for data spaces and ensuring that all elements and functions of the data space comply with the regulatory framework. Regulatory compliance is an ongoing practice throughout the data space lifecycle. 

Implementing the Regulatory Compliance building block requires the data space governance authority to identify the legal rules relevant to its operation. 

The graphic below (Figure 1) shows a sector-agnostic mapping of legislation that could apply to data spaces, data space participants or the data and services offered by data space participants. It constitutes a preliminary analysis allowing for the identification of provisions relevant to the data space as a whole or in particular circumstances. An example of this is the AI Act, which is not likely to be directly applicable to a data space but could be relevant because data used to train high-risk AI systems or general-purpose AI systems may be sourced through data spaces. Depending on the context, the legal frameworks in Figure 1 may apply simultaneously.

While it falls outside the remit of the blueprint to provide an exhaustive listing of such legal frameworks, it is fitting to highlight a number of EU frameworks of particular importance to data spaces. However, it is up to the sectoral data spaces to do a further mapping and identify additional legal requirements from sectoral legislation*. In addition, relevant national legislation must be analysed accordingly.

Open

Figure 1. EU Legal Frameworks applicable to data spaces development and operation.

The main objectives of this building block revolve around:

• Guiding data space initiatives on organising compliance with relevant legislation and ensuring that regulatory compliance is maintained throughout the lifecycle of data space development;

• Supporting data space governance authorities in identifying relevant legal issues that may warrant the adoption of strategies, procedures and mechanisms to facilitate compliance within the data space; 

• Helping identify legal entitlements to data, and the rights and obligations of data space participants in relation to them;

• Providing an overview of additional resources to help data spaces and data space participants assess their obligations under EU law (e.g., guidelines adopted by the European Commission or relevant competent authorities).

The Regulatory Compliance building block is composed of five interrelated elements: 

• Triggers,

• Data space requirements,

• Additional legal considerations,

• Tools enabling regulatory compliance in a data space,

• Regulatory Compliance Flowcharts.

 This building block focuses on analysing EU legal frameworks that are relevant to all data spaces. Given the possible impact of the European Health Data Space Regulation (EHDS-R), as well as the planned implementing acts establishing interoperability of HealthData@EU infrastructure with other relevant data spaces, an analysis of the impact of the EHDS-R, despite its sectoral nature, has been included in this legislative framework. You can read about the EHDS impact on other (relevant) common European data spaces in “Data Space Requirements” section of this building block.

Navigating the complexity of regulatory frameworks requires developing an approach to address the legal requirements stemming from them. This process starts with identifying elements, criteria, and/or events in the data space that flag the need, within particular contexts, to apply or comply with a particular framework. 

An element, criterion or event that has occurred in a particular context of a data space is referred to as a 'trigger' for the purposes of this building block. It signals that a particular legal framework must or should be applied.

The triggers may be classified into different categories, such as: 

• Types of data: This category pertains to data that is available in a certain context. Depending on the precise kinds of data, it may trigger the need to comply with, for example, the GDPR or Data Act requirements.

• Types of data space participants: Another category pertains to the legal status of participants. Depending on that legal status, such as being a public or specific private body, different regulations may apply. For example, the Data Governance Act regulates the operation of data intermediation services providers or data altruism organisations, which might be active as data space participants.

• Types of use cases: A third category is about domains and/or use cases, such as health, mobility, etc., where domain-specific regulations would apply.

The figure presented below (Figure 2.) visualises the triggers that have been chosen as a priority for this version of the Blueprint. The criterion for selection was based on the necessity to address specific aspects of the operation of these elements within the governance or contractual framework of a data space.

While the current classification of data types within the EU digital regulatory framework lacks methodological consistency, a key distinction is usually made between personal and non-personal data. However, it is important to remember that this distinction is imperfect and should often be subject to a broader discussion about the category that certain data will fall under. 

While the EU data framework seeks to create a single market for data, increasing its availability for use in the economy and society, certain categories of data may be subject to particular protection regimes, imposing restrictions or specific conditions on access or processing. These “protection” regimes include:

• Personal data protection: According to GDPR, Charter of Fundamental Rights of the European Union of the Treaty on the Functioning of the European Union (TFEU), the protection of natural persons regarding the processing of personal data is a fundamental right. Thus, personal data protection legislation aims to provide data subjects with relevant rights and adequate organisational and technical safeguards. Due to the particularly sensitive aspect of special categories of data, and significant risks to the fundamental rights and freedoms that their processing might pose, they enjoy specific protection under the GDPR.  The special categories of data mentioned in Figure 3 are discussed in more detail in a subpage regarding types of data as a trigger.  

• Intellectual property and trade secrets: Besides the categories related to the potential identifiability of an individual, there are legal frameworks granting protection to certain datasets due to the specific attributes they possess. These are primarily intellectual property rights (namely copyright), sui generis database rights, or rights granted to trade secret holders. The classification of certain datasets as either personal or non-personal data or the nature of the ownership of (private/public) datasets does not impact the potential application of other protection regimes, in which the originality and individuality of the work, substantial investment or secrecy of a dataset, among others, are relevant. Thus, there might be datasets containing personal data (e.g., customer information) that are kept by an entity as a trade secret, or personal data databases that enjoy the copyright and/or sui generis database protection. In these situations, the data protection principles and data subjects’ rights provided by the GDPR will still be applicable. 

Open

Figure 3. Protection regimes over data(sets)

The EU data legislation (notably Data Act, Data Governance Act, Open Data Directive, Regulation on the free flow of non-personal data) is meant to bring about a shift in the accessibility of data, opening up considerably more data for use by a variety of parties. That being said, the “access” regime largely depends on the nature of a data holder, imposing different requirements on the access to:

• Privately-held data: This includes categories of data governed by specific legal frameworks, mainly the Data Act. It imposes requirements on certain entities, such as the obligation to make product and related services data (IoT data) accessible to users (as specified in Article 3 of the Data Act) or to provide data based on an exceptional need expressed by a public sector body (Business-to-government; B2G) (as specified in Article 14 of the Data Act).

• Data held by public sector bodies (PSB): These types of data can be distinguished based on their level of openness to the general public. High-value datasets are of particular importance for society, the environment and the economy, therefore they can be re-usable for any purpose. On the other hand, the Data Governance Act (DGA) outlines the conditions under which public sector bodies can allow the reuse of certain protected data (for example, data protected on grounds of commercial confidentiality, including business, professional and company secrets).  

Open

Figure 4. Access regimes with regards to the data

Knowing that navigating a long document of descriptions can be challenging, we direct the reader to the sub-pages of the Blueprint, as we want to keep this building block accessible and user-friendly. Within the subpages, the reader will be able to see the description and assessment of impact of the legal requirements concerning different types of triggers.

Click here if you want to read more about data as a trigger: Types of data

Some data space participants will simultaneously be entities whose very existence or specific functions in the ecosystem have been regulated by law and who may have specific requirements imposed on them. The data space participants fall into two main groups: private and public entities. EU regulations, both horizontal and sectoral, as well as various national laws, impose specific rights and obligations depending on whether an entity operates as a public sector organisation, a private company, or a consumer. In the latest EU data regulatory frameworks, the distinction between private and public entities is becoming blurred, introducing rules that apply to entities from both sectors under certain conditions. This is evident for, for instance, data intermediation service providers under the Data Governance Act (DGA). When they facilitate the sharing of non-public sector data to establish commercial relationships, they are subject to the same legal regime as any other data intermediary, provided they offer a ‘service’. Therefore, the dichotomy of participant types should be presented within the spectrum below, from the types of participants considered (most likely) to fall under the category of private entities on the left side (such as gatekeepers), through the borderline or uncertain cases in the middle (such as data altruism organisations), to the types of participants falling under the category of public entities (such as public sector bodies).

Open

Figure 5. Types of participants in the data space.

Click here if you want to read more about participant as a trigger: Types of participants

Although several EU regulations apply broadly to data spaces, specific sectoral regulations may also impact the development of a particular use case. While a complete catalogue of all use cases for individual sectoral data spaces is not feasible, we highlight selected opportunities below for using data to develop different technologies, using the infrastructure of common European data spaces and noting specific legal requirements that may be triggered.

In some situations, it will be important to analyse the sectoral regulations and the broader, horizontal framework. A good example of mapping the legal landscape for developing specific use cases could be the overview prepared by the Green Deal Data Space.

Click here if you want to read more about examples of domain-specific use cases: Types of Use Cases

Open

Figure 6. Overview of the examples of domain-specific use cases.

The category of data space requirements encompasses legislation that directly regulates data spaces. While the current list of such regulations is limited, there could be various legislative proposals aimed at specific sectoral data spaces, such as the case of the proposed European Health Data Space. 

A key piece of legislation that directly regulates data spaces is the Data Act. This act requires data space participants who offer data or data services to meet essential requirements to ensure data interoperability, effective data-sharing mechanisms, and the proper functioning of common European data spaces.

Whereas the Data Act specifically targets participants of data spaces, the obligations of Article 33 of the Data Act, by their very nature, should be considered as intrinsically linked to the infrastructure and governance framework of the data space. The essential requirements to facilitate interoperability should be addressed by the data space governance authority at the level of the data space, taking into account available (harmonised) standards and any potential further delegated acts or guidance adopted by the European Commission. Adequate implementation of the building blocks related to Data Interoperability (Data Models, Data Exchange and Provenance & Traceability building blocks) should also ensure compliance with the provisions of Article 33 of the Data Act. Currently, however, on the basis of art. 3(4) Data Act, the Commission requested relevant European standardisation organisations to draft harmonised standards that satisfy the essential requirements laid down in paragraph 1 of this Article.

The European Health Data Space Regulation is currently the only legal instrument setting in place a common European data space. It aims to establish a pan-European infrastructure for trustworthy health data sharing for primary and secondary use. In the context of secondary use, the Regulation also addresses the importance of connecting various common European data spaces, especially by providing interoperability between the European Health Data Space and data spaces from other sectors, such as the environmental, social, and agricultural sectors that may be relevant for additional insights on health determinants. According to art. 52 (12) EHDS, Member States and the Commission shall seek to ensure interoperability of HealthData@EU with other relevant common European data spaces as referred to in the Data Governance Act and Data Act. In addition, by implementing acts, the European Commission may set out common specifications for the interoperability and architecture of HealthData@EU with other relevant common European data spaces.

In addition to the legal frameworks outlined above relevant to specific data types, participants and domains, it's crucial to consider additional legal aspects stemming from, for instance, cybersecurity legislative frameworks. Ensuring robust cybersecurity measures is essential to protect data integrity and privacy promotes fair access and innovation within the data space. These considerations play a vital role in maintaining a secure and equitable environment for data management and sharing.

Within a data space ecosystem, participants assume distinct roles which may come with a number of general or specific legal requirements. The absence of established compliance practices for new legislative frameworks related to the data economy adds complexity, particularly given their interaction with the pre-existing body of regulation (both with a general or digital economy-specific scope, sector-specific and national laws).

Given this complexity and the numerous interconnected decisions within a data space, efficiently addressing certain requirements may warrant using technical tools, aside from the commonly deployed organisational and contractual measures. Such technical tools could vary from tools that assist in identifying relevant requirement to (partially) automating compliance. A number of technical tools are already available that could support compliance within the data spaces. Yet, there is a growing need for automated compliance solutions, which offer greater scalability, efficiency, continuous compliance monitoring, as well as accountability and transparency in reporting. Although automated solutions may have one common purpose - ensuring regulatory compliance by implementing/fulfilling certain legal requirements - they can differ based on the type of legal requirement they aim to implement through automatic means. Currently, there are 4 projects funded by the Horizon Europe Programme which aim to help companies and public sector to easily comply with existing and emerging regulation, creating value on data assets that they possess or that they acquire from the market, More information about the projects can be found via this link.

As highlighted above, regulatory compliance within a data space requires not only mapping relevant regulations but also identifying “triggers”, data space requirements or other legal considerations. They help to determine which aspects, elements or criteria in the development or operation of a data space must be aligned with specific legal provisions.

The Regulatory Compliance Flowcharts (“decision trees”) presented below provide a simplified guidance for data space governance authority, as well as data space participants to identify relevant triggers within the data space development and operation, that should be addressed in a relevant manner.

Once the applicability of a given framework or requirement is identified, the flowcharts refer the entity to potential “check list” with additional questions to be considered to effectively address the requirements associated with the existence of a trigger. In certain circumstances, flowcharts may also provide additional resources to help better understand the compliance requirements. However, they do not aim to definitively assign roles - instead, they aim to provide guidance on appropriate organizational, legal, or technical tools to help relevant entities independently determine their responsibilities.

The visuals presented below are not a reflection of decisions that specific entities must make but rather illustrates how existence of particular "triggers" might condition the further actions that need to be taken (Figure 7, 8, 9 and 10).

Open

Figure 7. “Personal data as a trigger” flowchart.

Open

Figure 8. “Trade secret-protected data(sets) as a trigger” roadmap.

Open

Figure 9. “Access Regimes and Exceptions” flowchart.

Open

Figure 10. “Data intermediation service provider (DISP)” flowchart.

Given the broad regulatory landscape and the diverse provisions that apply to different elements of the data space, the Regulatory Compliance building block will be closely interconnected with all aspects of the Blueprint. It is always important to consider regulatory compliance, as it ensures that all components of the data space adhere to legal requirements and helps mitigate potential risks.

Some of the key interlinkages are highlighted below:

• Intermediaries and Operators: Some data space intermediaries may qualify as providers of data intermediation services subject to the DGA. Chapter III of the DGA is, therefore, highly relevant to data spaces. In future versions of the Blueprint, it will be important to consider the potential application of the provisions of Chapter III of DGA to different categories of data space intermediaries and data space governance authorities.

• Organisational Form and Governance Authority: The choice of business model and legal form may require compliance with certain legal frameworks and regulatory requirements. For example, form and minimum contents are regulated by the national law of the respective European Union Member State or by European Union law.

• Participation Management: onboarding and offboarding data space participants requires putting relevant data protection policies in place.

• Contractual Framework: Legal provisions might require addressing certain aspects in the specific clauses of the General Terms & Conditions (for example, data protection, intellectual property or cybersecurity and risk management policies, as well as technical standards required by law, especially regarding interoperability).

• Provenance & Traceability: Implementing this building block should facilitate compliance with the IP data protection rules (for example, compliance with transparency requirements from the GDPR, implementation of the access logging policies and access control, etc.).

• Identity And Attestation Management: Onboarding and offboarding participants into a data space, if it involves the processing of personal data of data subjects, can be considered as separate purposes for processing, around which appropriate steps must be taken to ensure that the processing of personal data complies with the GDPR. The European Digital Identity Regulation (eIDAS 2.0) governs the verification of participants and attestations of identity. It creates a European internal market for trust services by ensuring they work across borders and have the same legal status as their traditional paper-based equivalents.

• Use Case Development: Different horizontal and sectoral/national regulations may apply depending on the use case being developed. This version of the Regulatory Compliance Building Block highlights some sectors (and thereby possible use cases) with specific regulations that would be relevant to consider.

Given the complexity of data spaces, which involve multiple actors and fit into a variety of existing legal and emerging digital policy frameworks, it is challenging to analyse each regulation in a way that sets uniform obligations for all common European data spaces. Therefore, future versions will continue to provide more user-centric guidance to help navigate the legal landscape.

Future versions of this building block will cover:

• Regulatory compliance flowcharts based on other triggers and data space requirements described in the building block;

• Mapping and analysing other categories and types of triggers such as contracts and technology/technical tools (for example, secure processing environment, blockchain, etc.);

• Regulatory compliance checklists for data space governance authority.

• European Commission (2024), Second staff working document on data spaces | Shaping Europe’s digital future. https://digital-strategy.ec.europa.eu/en/library/second-staff-working-document-data-spaces

• Dietrich M., Gutiérrez David M., (2024), D4.2 Final Governance Requirements and Endorsed Governance Scheme, Green Deal Data Space and Foundation and its Community of Practice (GREAT). D4.2-Final-Governance-Requirements-and-Endorsed-Governance-Scheme.pdf (greatproject.eu)

• Drexl, J. (2018), Data Access and Control in the Era of Connected Devices. Data Access and Control in the area of connected devices (beuc.eu)

• Leistner, M., & Antoine, L. (2022). IPR and the Use of Open Data and Data Sharing Initiatives by Public and Private Actors. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4125503

• Bobev, T., Dessers, V. K., Ducuing, C., Fierens, M., Palumbo, A., Peeters, B., & Stähler, L. (2023). White paper on the definition of data intermediation services. SSRN. https://doi.org/10.2139/ssrn.4589987

• Zingales, N. (2021). Data Collaboratives, Competition Law and the Governance of EU Data Spaces (SSRN Scholarly Paper 3897051). https://doi.org/10.2139/ssrn.3897051

• Zenner K., Scott Marcus J., Sekut K., (2024) A dataset on EU legislation for the digital world. (n.d.). https://www.bruegel.org/dataset/dataset-eu-legislation-digital-world

• De Noyette E., (2024), Trade Secrets in the EHDS. Trade secrets in the EHDS - CiTiP blog (kuleuven.be)

• Penedo, A. C. (2024). The Regulation of Data Spaces under the EU Data Strategy: Towards the ‘Act-ification’ of the Fifth European Freedom for Data? European Journal of Law and Technology, 15(1). https://ejlt.org/index.php/ejlt/article/view/995

• Mylly, U.-M. (2024). Trade secrets and the Data Act. IIC - International Review of Intellectual Property and Competition Law, 55(3), 368–393. https://doi.org/10.1007/s40319-024-01432-0

• Centre for Information Policy Leadership (2024), Data Sharing Obligations Under the DMA: Challenges and Opportunities. data_sharing_obligations_under_the_dma_-_challenges_and_opportunities_-_may24.pdf (informationpolicycentre.com) 

• Directorate-General for Research and Innovation (European Commission) (2024). Improving access to and reuse of research results, publications and data for scientific purposes: Study to evaluate the effects of the EU copyright framework on research and the effects of potential interventions and to identify and present relevant provisions for research in EU data and digital legislation, with a focus on rights and obligations. Publications Office of the European Union. https://data.europa.eu/doi/10.2777/633395

• Wisselink, Dr. F., Steinbuss, S., & Koen, P. (2024). Data Spaces for the Al Act – Analysis of the Standardization Request Regarding the European Al Act in the Context of Data Spaces (Version 1.0). International Data Spaces Association. https://doi.org/10.5281/ZENODO.10839129

• Publications Office of the European Union., Capgemini Invent., & European Data Portal. (2020). High-value datasets: Understanding the perspective of data providers. Publications Office. https://data.europa.eu/doi/10.2830/363773

• The new “Generative AI and Data Spaces" white paper of the Strategic Stakeholder Forum is now available - News - Data Spaces Support Centre

• Brodahl L., De Boel L., Jużak J., (2022), Belgian Data Protection Authority Clarifies Key Rules on Biometric Data Processing. Belgian Data Protection Authority Clarifies Key Rules on Biometric Data Processing | The Data Advisor (wsgrdataadvisor.com)

• Agencia Española Protección de Datos (2023), Approach to Data Spaces From GDPR Perspective. approach-to-data-spaces-from-gdpr-perspective.pdf (aepd.es)

• European Union Agency for Cybersecurity (2024), Engineering Personal Data Protection in EU Data Spaces. (n.d.). [Report/Study]. https://www.enisa.europa.eu/publications/engineering-personal-data-protection-in-eu-data-spaces ENISA report

• Palumbo A., (2024) Data Spaces As Enablers For AIA Compliance, https://data-week.eu/wp-content/uploads/2024/06/FINAL-slides_Session-Value-Creation.pdf

• European Data Protection Board (2025), Guidelines 01/2025 on Pseudonymisation, edpb_guidelines_202501_pseudonymisation_en.pdf

• Relevant guidelines, recommendations and best practices are issued by the European Data Protection Board and national data protection authorities. The latter are tasked with supervision of compliance.