EU data rooms on the rise: What companies need to know now from a legal perspective

The exchange and use of data across company and sector boundaries is becoming increasingly important in economic and regulatory terms. At the same time, traditional models of data sharing are reaching their limits in view of sensitive information, competitive interests, and complex legal requirements. Against this backdrop, so-called "data rooms" are becoming the focus of European digital and data policy. They are intended to enable controlled, secure, and interoperable data exchange without companies losing sovereignty over their data. With the ongoing development of sectoral data rooms and the introduction of highly regulated structures such as the European Health Data Space (EHDS), data rooms are increasingly evolving from voluntary cooperation models to legally relevant regulatory frameworks. For companies, this raises the question of what legal requirements, obligations, and strategic actions are associated with this development.

I. Function of "data rooms"

Data rooms are intended to serve as infrastructure for the controlled, cross-company exchange of data between economic and public actors. Unlike traditional data transfers, data is not collected centrally or permanently transferred, but remains with the respective data owner. It is used via technically secure access mechanisms that allow the scope, purpose, and duration of data use to be bindingly defined.

For companies, data rooms thus fulfill a key function at the interface between cooperation and control. They make it possible to make data accessible for external use without revealing trade secrets or jeopardizing one's own competitive position. At the same time, they create standardized structures for bringing together data from different sources in an interoperable manner – for example, along complex supply and value chains.

In practice, data rooms address three key areas of application in particular. First, they facilitate data exchange within networked production and supply chains, for example to meet transparency, sustainability, or traceability requirements. Second, they form the basis for new data-based business models in which companies can provide and monetize data on a temporary, purpose-specific, or usage-dependent basis without losing complete control over the data. Third, data rooms support the fulfillment of regulatory obligations by enabling structured, traceable, and legally compliant access to relevant data.

II. Landscape of (European) data rooms

1. Sectoral data rooms

In Europe, a large number of sectoral data rooms have recently been announced and gradually established as part of the European data strategy. These data rooms are tailored to specific economic sectors or areas of society and are being developed at different stages of maturity. There is no uniform organizational form; rather, existing data infrastructures, platforms, and initiatives are gradually being integrated into sectoral data spaces and linked together via common governance and interoperability structures.

The central sectoral data spaces include, in particular, data spaces for industry and manufacturing, mobility, energy, agriculture, finance, the environment, tourism, media, education, research, and public administration. The European Commission refers to these as "Common European Data Spaces," which are intended to form a European single market for data.

In the industrial sector, the European manufacturing and industrial data space is being shaped primarily by industry-specific initiatives. Based on the architecture and governance specifications of Gaia-X, data spaces are being created that enable data exchange along industrial value chains. Prominent examples include Catena-X for the automotive industry and Manufacturing-X as a cross-industry initiative for the manufacturing industry. These data spaces focus on industrial use cases such as supply chain mapping, traceability, quality data, maintenance information, and product-related sustainability data.

In addition to industry, other sectoral data spaces are in various stages of development. The mobility data space bundles data from transport, logistics, and infrastructure and links to existing national and European mobility platforms. The energy data space addresses data on generation, grid operation, and consumption in the context of the energy transition. The agricultural data space aims to facilitate the exchange of farm, machinery, and environmental data between agricultural businesses, manufacturers, and public authorities. In addition, there are data spaces for environmental and climate data, financial data, media and cultural data, and tourism and education data.

These business-related data spaces are supplemented by sectoral data spaces with a strong public focus. These include, in particular, data spaces for science and research, which aim to exchange and reuse research data, as well as data spaces for public administration, such as for procurement, legal, or administrative data. These data spaces are often closely linked to existing European infrastructures and serve to harmonize and improve access to public data sets.

2. EHDS

With the Regulation on the European Health Data Space (EHDS), the EU has created its first sector-specific data space with a directly binding legal framework. The Regulation entered into force on March 26, 2025, and key obligations will apply from March 26, 2027 (we reported).

The EHDS aims to standardize the structuring, exchange, and use of electronic health data across the EU for both medical care (primary use) and research, innovation, and policy-making (secondary use). Unlike other sectoral data spaces, the EHDS is not designed as a voluntary cooperation infrastructure, but as a binding regulatory data space order.

However, its core component is the introduction of binding interoperability requirements for electronic health records (EHR systems). Manufacturers and providers of such systems must ensure that their products support the European exchange format specified by the Commission and comply with the technical requirements for security, access control, and logging. Conformity must be demonstrated by means of appropriate declarations and labels. For certain digital health and wellness applications, additional transparency and information requirements apply if interoperability with EHR systems is claimed.

At the data provision level, the EHDS requires data owners such as hospitals, medical practices, and other healthcare providers to make electronic health data available in a structured, interoperable manner for the intended purposes. For secondary use, processing is only permitted in pseudonymized or anonymized form. Access to this data is provided via national health data access points, which review and approve applications based on legally defined criteria.

The use of health data is strictly limited in terms of content. Research, innovation, statistical evaluations, and certain AI applications are permitted; marketing purposes or the development of products that pose a health risk are expressly excluded. Data processing must take place in secure, controlled environments and is subject to comprehensive logging and information requirements.

III. Legal framework

Data rooms do not operate in a legal vacuum, but are embedded in a multi-layered European legal framework that increasingly standardizes access to data, its use, and the organizational design of data ecosystems. Both horizontal data protection regulations and sector-specific requirements, which apply cumulatively depending on the data room, are decisive in this context.

The central starting point remains general data protection law. Insofar as personal data is processed in data rooms, the provisions of the GDPR apply without restriction, in particular with regard to lawfulness, purpose limitation, data minimization, and transparency. In many data rooms, therefore, a clear separation between personal and non-personal data is necessary; for secondary use, pseudonymization or anonymization requirements are regularly added. In addition, requirements for technical and organizational measures as well as for the logging of accesses must be taken into account.

This forms the basis for specific European data legislation. The Data Governance Act creates a regulatory framework for trustworthy data sharing, in particular by regulating data intermediary services and data altruism structures. For data spaces, this means that certain actors – such as operators or intermediaries – may be subject to regulatory requirements regarding neutrality, transparency, and governance. At the same time, the Data Governance Act promotes the creation of structured data access, in particular for the reuse of protected public data.

The Data Act supplements this framework by clarifying access and usage rights to data and establishing binding requirements for the interoperability of data spaces (we reported). It addresses industrially generated data in particular and obliges data owners to provide or make data available under certain conditions. Also relevant for data spaces are the requirements for fair contract terms, the protection of trade secrets, and technical interfaces that are intended to enable switching between data processing services.

In addition, sector-specific legal acts are of considerable importance. The EHDS exemplifies that individual data spaces can be designed with detailed obligations through their own regulations, for example, regarding data formats, access points, permissible uses, or secure processing environments. Comparable developments could also emerge in other areas, such as in the context of environmental, mobility, or financial data.

Cross-cutting considerations also include requirements under competition law and the protection of trade secrets. Data rooms must be designed in such a way that they do not enable the exchange of information that restricts competition and that sensitive company information remains adequately protected. This applies in particular to governance structures, access rules, and the design of common standards.

IV. Conclusion and outlook

Data rooms are increasingly evolving from experimental cooperation models to structural components of the European digital and data order. While sectoral data rooms have so far been largely shaped by funding projects and industry-specific initiatives, ongoing regulation at the European level is leading to a significant consolidation of legal requirements. The European Health Data Space, at the latest, makes it clear that data spaces are not only infrastructure, but can also represent binding legal regulatory frameworks.

For companies, this development means that data rooms can no longer be understood exclusively as voluntary innovation spaces. Rather, depending on the industry and use case, direct or indirect participation and adaptation obligations are emerging, for example through interoperability requirements, standardized data formats, or regulatory access mechanisms. Even where there is no explicit legal obligation, data spaces have a de facto binding effect, for example as a prerequisite for integration into supply chains or data-based cooperation models.

Against this background, it is advisable to engage in strategic consideration of the relevant data spaces at an early stage. This initially involves the systematic identification of those sectoral data spaces that are already important for one's own business model today or are likely to be important in the future. On this basis, existing data stocks, IT systems, and interfaces should be reviewed to determine the extent to which they are interoperable, standardizable, and legally usable.

This article was created in collaboration with our student employee Emily Bernklau.