Regulatory Compliance

Legal certainty is essential for building trust in any data space. According to the DSSC Blueprint 2.0, the Regulatory Compliance building block helps define which laws and obligations apply to the design, operation, and participation within a data space. It provides practical guidance on how to apply legal frameworks, assign responsibilities, and remain compliant over time.

Each data space should establish clear procedures for:

  • Recognising regulatory triggers, such as the types of data processed or participant roles involved;

  • Assigning responsibilities, ensuring that each participant understands their legal duties;

  • Embedding compliance mechanisms in operational and technical layers (e.g., through identity assurance, consent management, and traceable authorisation);

  • Maintaining adaptability, allowing the governance body to update rules as regulations evolve.

The complete DSSC description is available here.

While compliance starts with awareness, it must be embedded into both governance and technology. The iSHARE Framework supports these activities through predefined legal provisions and trust-based mechanisms that help participants meet requirements such as GDPR, eIDAS, and sector-specific rules, without duplicating compliance work across the ecosystem. More details are available in the Legal Context.

Data spaces may still need to customise legal interpretation for their domain.

Regulatory Compliance connects closely with other building blocks:

  • Intermediaries & Operators: Some may be subject to the DGA, especially Chapter III rules.

  • Organisation Form & Governance Authority: Business model and legal form must comply with national and EU laws.

  • Participation Management: Onboarding and offboarding must follow data protection policies.

  • Contractual Framework: Contracts need to cover legal requirements like data protection, IP, cybersecurity, and interoperability.

  • Provenance & Traceability: Supports compliance with GDPR and access control requirements.

  • Identity & Attestation Management: Participant verification must follow GDPR and eIDAS 2.0 rules.

  • Use Case Development: Different use cases may be subject to sectoral or national regulations.
