Data mediation services are not yet a well-known phenomenon, but may become so in the future. These services are part of the Data Governance Act (DGA), which aims to increase Europe's data economy. Almost two years after its enactment, we can take initial stock. There are currently 24 mediation services registered in the European Union, 8 of which are from the Netherlands. In part 2 of Dossier DGA, I examine what these services do, what they give us and what they mean for our privacy.
At part 1 I discussed the commercial reuse of protected government information.
The goal of the DGA is to increase the trust of data subjects and data holders, making them more likely to share data. Rules from the DGA should accomplish this. Chapter III on data mediation services is one of the pillars of the DGA, along with the commercial reuse of protected public information (Chapter II), data altruism (Chapter IV) and a European Data Innovation Committee (Chapter VI).
Data mediation services are independent intermediaries that connect data objects and data holders on the one hand and data users on the other. An example is a marketplace where companies can sell datasets to each other in order to develop new products. These platforms should counterbalance Big Tech platforms that often already have enough data. This would make it easier for small and medium-sized companies in particular to innovate and develop products.
The DGA distinguishes between three types of data mediation services. The Joint Research Centre of the European Commission then specifies these three types with a number of concrete applications:
Data Governance Act
Mediation services between data holders and potential data users, especially in the business-to-business (B2B) field.
Mediation services between data subjects and data users. This mainly concerns business-to-customer (B2C) relationships. This mainly concerns business-to-customer (B2C) relationships.
Data cooperatives that help individuals or SMEs exercise their rights or negotiate with potential data users.
Joint Research Centre
Data marketplaces: for example, where agricultural data can be traded.
Data pools: common data pools where multiple companies in the same supply chain exchange information with each other.
Personal Information Management Systems (PIMS): websites where users can manage, withdraw and organize their data across organizations.
Data cooperatives: democratic control over data through learning, focused on collective decision-making about the use of data.
Data trusts: a neutral entity that manages data on behalf of data subjects based on legal principles.
Data unions: collective unions that negotiate rights to personal data, often for platform users.
While this is worded quite broadly, it does not include cloud storage, data analytics, Web browsers and e-mail services. Marketplaces with copyrighted data, PSD2 services and "consolidated tape" platforms (containing stock market information) are also not included. Thus, the main intention is to put data users in contact with data holders -or subjects-and not to transfer rights to the data mediation services. Data mediation services must register before they are allowed to operate.
A look at the EU registry shows us that at this moment (June 27, 2025) 24 services are registered from 6 different countries, 8 of them from the Netherlands. Especially lately it is going fast. At the end of 2024 there were still 11 organizations registered, none of them from the Netherlands. This is also partly because only in November 2024 the Netherlands designated the Autoriteit Consument & Markt ACM) as the competent authority for data mediation services from the DGA. In February 2025, the ACM approved the first Dutch organization and thus the first registration. The eight Dutch organizations approved range from a commercial trading platform for public space data to an ID app backed by a Dutch foundation.
The preceding examples are initiatives that can make quite an impact on the privacy of data subjects. Without adequate safeguards, there may be risks to data subjects in these data mediation services. The EDPB and the EDPS highlight this in their joint opinion on the proposed regulation. In their view, the mandatory registration system in the proposal - which has now entered into force - "does not provide for a sufficiently rigorous screening procedure of these services." They see more in similar accountability and compliance tools as in the AVG. Think codes of conduct or certification mechanisms.
The current registration mechanism is as follows. Services must first register with competent authorities, such as the ACM. Then they can start working throughout the EU if they meet the conditions for intermediary services under Chapter III. In doing so, the ACM can ask the Autoriteit Persoonsgegevens (AP) for an opinion on whether the applicant meets the conditions from the DGA regarding the protection of personal data. After confirmation by the ACM, data mediation services may also use a logo that they are an approved provider.
The most important condition for building trust is that mediation services are neutral. They may make money from and use data from the mediation service itself, but they may not make money from the data traded on the platform. Nor may there be a conflict of interest with other (commercial) activities they undertake. For example, the mediation service must be offered through a separate legal entity and the commercial terms of the mediation service must not depend on the use of other services at the company. There are also a number of other requirements, such as interoperability, security, continuity, transparency, a reporting requirement and logging of activities. The question is whether these are sufficient safeguards for the privacy of data subjects.
The way the ACM will supervise these data mediation services after registration is also not yet clear. What can organizations expect with regard to this supervision? Will the ACM regularly and physically monitor these organizations to ensure that they are not secretly using the data obtained from mediation services to develop their own products? This is indeed necessary to increase trust in these services.
The European Commission opted for this "certification" of data intermediaries in its proposal for good reason. The remaining options were (1) a suitability check on the legal requirements for mediation services by competent authorities or (2) mandatory certification by private certification organizations. Both options yield about the same amount of economic growth for companies. It would give data mediation companies 25% to 50% more revenue and customers and an acceleration of up to 50% in business growth.
In contrast, the second option may have a disproportionate impact on SMEs and startups. Indeed, for the first option, certification costs are a one-time €20,000 - €50,000 and then €20,000 - €35,000 per year. The second option costs companies a one-time €35,000 to €75,000 and then €20,000 - €50,000 per year. How much this will generate on an annual basis across the EU is not clear from the study supporting the Impact Assessment. That is because there is too little quantitative economic data to calculate the impact on the economy with any certainty. Only the underlying estimates used by Deloitte show that the total economy growth for data mediation services in the EU is about €70 million over the period 2024 to 2028, not counting the costs to businesses and regulators. Given the total expected growth in the data economy from the introduction of the DGA of €7.2 billion to €10.9 billion, this is therefore a drop in the bucket.
Although data mediation services should counterbalance Big Tech's data platforms, the impact seems very limited almost two years after enactment. The DGA should increase the trust of data subjects and data holders in data mediation services so that more data is shared faster and more frequently. It is not yet clear whether this trust is actually being generated. The EDPB and EDPS criticize the method of certification, which could be better aligned with the AVG. Supervision of data mediation services also needs to be more clearly surrounded so that data can be shared on these platforms with confidence. The increase in registrations shows that the system is slowly starting to work, but trust is thus the key word with the DGA and also the factor that is going to determine the success of mediation services. In September 2025, the European Commission will come up with a review of the DGA, along with the Open Data Directive and Data Directive. That should show whether it has succeeded.
