oSIST prEN 18352:2026

SLOVENSKI STANDARD
01-maj-2026
Okvir kakovosti za notranje upravljanje podatkov za udeležence v podatkovnih
prostorih
Quality framework for internal data governance for participants in data spaces
Qualitätsrahmen für die interne Datenverwaltung für Teilnehmer an Datenräumen
Ta slovenski standard je istoveten z: prEN 18352
ICS:
35.240.01 Uporabniške rešitve Application of information
informacijske tehnike in technology in general
tehnologije na splošno
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2026
ICS 35.240.01
English version
Quality framework for internal data governance for
participants in data spaces
Qualitätsrahmen für die interne Datenverwaltung für
Teilnehmer an Datenräumen
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 25.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2026 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. prEN 18352:2026 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents      Page
European foreword . 5
Introduction . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
3.1 General. 7
3.2 Roles . 9
3.3 Data sharing . 9
4 Principles for data governance in the context of data space participation . 11
4.1 Trust as a foundation . 11
4.2 Continuity of internal data governance . 11
4.3 Ethics in data management and use . 11
4.4 Respect for data rights and responsibilities . 11
4.5 Cross-border consistency . 11
4.6 Fitness for purpose. 11
4.7 Alignment with legal, contractual, and operational rules. 11
4.8 Proportionality and scalability . 11
4.9 Commitment to continuous quality improvement . 11
5 Data space participants roles and processes . 12
5.1 Overview of the type of roles involved in data space operations . 12
5.2 Data Space Governance Authority . 12
5.3 Data Provider . 12
5.4 Data User . 13
5.5 Data Space Technological Provider . 13
5.6 Data Rights Holder . 13
6 Overview of the Process Reference Model . 14
7 Data space governance processes . 14
7.1 Establishment of the data space strategy . 14
7.1.1 Purpose . 14
7.1.2 Outcomes . 15
7.1.3 Activities . 15
7.1.4 Involved roles . 18
7.2 Establishment of data space rulebook . 18
7.2.1 Purpose . 18
7.2.2 Outcomes . 19
7.2.3 Activities . 19
7.2.4 Involved roles . 20
7.3 Establishment of internal organizational structures for the data space . 21
7.3.1 Purpose . 21
7.3.2 Outcomes . 21
7.3.3 Activities . 21
7.3.4 Involved roles . 24
7.4 Data space risk optimization . 24
7.4.1 Purpose . 24
7.4.2 Outcomes . 24
7.4.3 Activities . 25
7.4.4 Involved roles . 26
7.5 Data space value optimization . 27
7.5.1 Purpose . 27
7.5.2 Outcomes . 27
7.5.3 Activities . 27
7.5.4 Involved roles . 28
8 Data space management processes . 29
8.1 Data space management . 29
8.1.1 Purpose . 29
8.1.2 Outcomes . 29
8.1.3 Activities . 30
8.1.4 Involved Roles. 31
8.2 Data product management . 32
8.2.1 Purpose . 32
8.2.2 Outcomes . 32
8.2.3 Activities . 33
8.2.4 Roles . 34
8.3 Data product requirements management . 34
8.3.1 Purpose . 34
8.3.2 Outcomes . 34
8.3.3 Activities . 35
8.3.4 Roles . 36
8.4 Management of trustworthiness requirements . 36
8.4.1 Purpose . 36
8.4.2 Outcomes . 36
8.4.3 Activities . 36
8.4.4 Roles . 37
8.5 Management of data product metadata requirements . 38
8.5.1 Purpose . 38
8.5.2 Outcomes . 38
8.5.3 Activities . 38
8.5.4 Roles . 40
8.6 Trusted data sharing management . 41
8.6.1 Purpose . 41
8.6.2 Outcomes . 41
8.6.3 Activities . 41
8.6.4 Roles . 45
8.7 Data sharing contract management . 45
8.7.1 Purpose . 45
8.7.2 Outcomes . 45
8.7.3 Activities . 45
8.7.4 Roles . 47
9 Data product quality management processes . 48
9.1 Data product quality planning . 48
9.1.1 Purpose . 48
9.1.2 Outcomes . 48
9.1.3 Activities . 48
9.1.4 Roles . 49
9.2 Data product quality control and monitoring . 50
9.2.1 Purpose . 50
9.2.2 Outcomes . 50
9.2.3 Activities . 50
9.2.4 Roles . 52
9.3 Data product quality assurance . 53
9.3.1 Purpose . 53
9.3.2 Outcomes . 53
9.3.3 Activities . 53
9.3.4 Roles . 55
9.4 Data product quality improvement. 55
9.4.1 Purpose . 55
9.4.2 Outcomes . 55
9.4.3 Activities . 55
9.4.4 Roles . 57
10 Supporting processes . 57
10.1 Change management . 57
10.1.1 Purpose . 57
10.1.2 Outcomes . 57
10.1.3 Activities . 58
10.1.4 Roles . 59
11 Process Assessment Model . 59
11.1 Overview . 59
11.2 Process assessment according to ISO/IEC 33000 series. 60
11.2.1 Overview of the Process Assessment Model . 60
11.2.2 Capability Levels . 60
11.2.3 Measurement (Scoring) of Process Attributes . 63
11.2.4 Evidence of Process Implementation . 65
11.3 Organizational Maturity Model . 65
11.3.1 Set of Processes for Maturity Level 1 – Basic . 67
11.3.2 Set of Processes for Maturity Level 2 – Managed . 67
11.3.3 Set of Processes for Maturity Level 3 – Established. 67
11.3.4 Set of Processes for Maturity Level 4 – Predictable . 68
11.3.5 Set of Processes for Maturity Level 5 – Innovating . 68
Annex A (informative) Example of application . 69
Annex B (informative) Processes and data space participants . 83
B.1. Processes and data spaces participants . 83
Bibliography . 85
European foreword
This document (prEN 18352:2026) has been prepared by Technical Committee CEN/TC JTC 25 “Data
management, Dataspaces, Cloud and Edge”, the secretariat of which is held by UNI.
This document is currently submitted to the CEN Enquiry.
Introduction
Data are considered a key asset for organizations. Its value increases when data are shared between
organizations to support their business purposes. Data spaces are environments enabling trusted data
sharing between participating parties, based on an agreed governance framework, along with an agreed
set of policies, semantic models, standardized protocols, processes, and facilitating service.
In order to optimize investment in data sharing and define how organizations participate in a data space,
a common way of working, not necessarily agreed by all participants, is established in the rulebook of a
data space. The data governance processes of organizations require a certain level of maturity, when
engaging in data spaces.
In addition, considering that participants can engage with multiple data spaces, they should tailor their
own data governance processes for every data space to be able to support the rules across the various
data space rulebooks. This adaptation is carried out through the organization’s internal data governance
processes.
This document establishes a framework for the quality management of internal data governance
processes of organizations participating in data spaces. Organizations can use this framework in two
ways:
— As a reference to guide and support the design and institutionalisation of how data space participants
define their involvement in each data space. This includes either, if applicable, contributing to the
establishment of a specific data space rulebook or adapting their own way of working to an existing
one, thereby enabling their actions and interoperability within the data space. According to their role,
data participants can use this framework to align their internal data space governance processes with
the rulebook governing a given data space.
— As a reference to assess the current level of quality of these processes based on evidence derived
from their interactions within a data space. The objective is to assess how well their established
processes are able to manage the aspects related to their engagement in data spaces  . It can be
assumed that well-defined processes contribute to the development of high-quality data space, and
the corresponding rulebooks or to high-quality internal adaptations to existing rulebooks, depending
on the participant’s role within the data space.
The framework consists of two components:
— The Process Reference Model identifies the data governance, data management, data quality
management, and supporting processes that can be used as a reference to describe the expected
organizational behaviours when participating in data spaces. These processes apply regardless of the
organization’s role or stage of interaction with the data space. Some processes can be relevant during
the pre-operational stage, during operation, or after operational engagement. Each process is
described in terms of its purpose, expected outcomes (i.e. the transformations an organization
experiences when executing its customised version of the process), related activities, and the
involvement of participants by role within the data space. The definitions of the processes provided
in this document are generic. The tailoring or customisation of these processes according to
organizational roles is outside the scope of this document. The processes described represent regular
organizational activities related to data space participation.
— The Process Assessment Model specifies the elements required to assess the internal quality of the
implemented processes. The assessment of quality is based on objective evidence obtained from the
behaviour of data space participants in their regular activities within the data space.
1 Scope
This document defines a framework for assessing the quality of data governance and data management
practices for participants in data spaces. It specifies the core principles, processes, and assessment
elements that enable organizations to manage, monitor, and improve their data governance and data
management practices.
The framework comprises two components:
— Process Reference Model: Defines key processes for data governance and data product
management of data space participants, including its fundamental principles, structure, detailed
process definitions, links to broader data governance, and required implementation measures.
— Process Assessment Framework: Outlines a model to evaluate process capability by establishing
six distinct quality levels expressed in terms of capability levels, describing the corresponding
profiles and guiding the systematic assessment.
This document is intended to support data governance and data management professionals, IT managers,
quality assurance officers, and regulatory bodies.
This document is applicable to organizations of all types and sizes.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
prEN 18235-2, Trusted data transactions - Part 2: Trustworthiness requirements
prEN 18235-1, Trusted data transactions - Part 1: Terminology, concepts and mechanisms
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 18235-1 and prEN 18235-2
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1 General
3.1.1
metadata
data defining and describing other data
Note 1 to entry: Metadata can include data descriptions, and data about data ownership, access paths, access rights
and data volatility.
[SOURCE: EN 18235-1]
3.1.2
data space
dataspace
environment enabling trusted data sharing between participating parties, based on an agreed
governance framework, along with an agreed set of policies, semantic models, standardised protocols,
processes, and facilitating service
Note 1 to entry: Data space enabling services are implemented by one or more infrastructures
Note 2 to entry: Data spaces enable one or more use cases.
[SOURCE: EN 18235-1]
3.1.3
data space rulebook
dataspace rulebook
structured set of principles, processes, standards, protocols, rules and practices that guide and regulate
the governance, management, and operations within a data space to ensure effective and responsible
leadership, control, and oversight
Note 1 to entry: ISO/IEC TR 38502:2017 defines the governance framework as the strategies, policies, decision-
making structures, and accountabilities through which the organization’s governance arrangements operate.
Note 2 to entry: This concept is equivalent to that of “data governance system” from UNE 0077 and COBIT 2019. It
involves defining and customising a set of processes and their components for a specific context.
[SOURCE: prEN 18235-2, modified — Note 2 to entry added]
3.1.6
data sharing contract
formal and legally binding agreement between data space participants in a data sharing process,
containing policies, terms and conditions for data sharing and use
Note 1 to entry: A data sharing contract usually contains information about access to data, including its metadata,
and data use.
Note 2 to entry: A data sharing contract is usually much more specific than a data sharing agreement which is often
broader and often at an organizational level.
Note 3 to entry: Terms and conditions for data use include the Data Rights Holder’s permission.
[SOURCE: EN 18235-1, modified – Note 3 to entry added]
3.1.7
process
set of interrelated or interacting activities that transforms inputs into outputs
[SOURCE: ISO/IEC/IEEE 12207:2017]
3.1.8
data governance
organizational function accountable for the effective, efficient, and acceptable use of data within the
organization, essential for the execution of the business strategy
3.1.9
management
system of controls and processes required to achieve the strategic objectives set by the organization's
governing body
[SOURCE: ISO/IEC/IEEE 21840:2019, 3.1.5, modified - Note 1 to entry removed]
3.1.10
data management
development, execution, and oversight of plans, policies, programmes, and practices that deliver, control,
protect, and enhance the value of data and information assets throughout their lifecycle
3.1.11
data quality
degree to which the characteristics of data satisfy stated and implied needs when used under specified
conditions
[SOURCE: ISO/IEC 25012:2008]
3.1.12
data quality management
data management activities concerning the assurance and enhancement of data quality
3.2 Roles
3.2.1
data space candidate
candidate
party interested in joining a data space as a data space participant
Note 1 to entry: To become a data space participant, the candidature shall be formally approved.
3.2.2
Data Space Governance Authority
DSGA role
set of activities provided by one or more parties that establishes, governs, manages and enforces the
technical policies and business rules of a data space
[SOURCE: ISO/IEC DIS 20151:2025]
3.3 Data sharing
3.3.1
data sharing
data exchange
access to the same data by more than one authorized entity
Note 1 to entry: Use of the data can be synchronous or asynchronous.
Note 2 to entry: Data can be shared, for example, (i) by allowing access to the original data set, or (ii) by giving a
copy of the data to the interested entity.
Note 3 to entry: The way in which data are shared fundamentally influences the available controls and the
statements needed in a data sharing agreement.
[SOURCE: EN 18235-1]
3.3.2
data use
handling or dealing with data for a specific purpose
[SOURCE: EN 18235-1]
3.3.3
data transaction
result of an agreement between a data provider and a Data User with the purpose of exchanging,
accessing and using data, in return for monetary or non-monetary compensation
Note 1 to entry: “data exchange” and “data access” terms are used in order to describe different mechanisms, like
actual transfer of data or situations where data does not move but where access is provided to different
stakeholders.
Note 2 to entry: Data transactions do not necessarily imply a commercial relationship.
Note 3 to entry: Each data transaction is unique and shall be treated independently of other data transactions.
[SOURCE: EN 18235-1, Note 1, 2 and 3 to entry added.]
3.3.4
governance framework
strategies, policies, decision-making structures and accountabilities through which the organization’s
governance arrangements operate
[SOURCE: ISO/IEC TR 38502:2017, 3.1]
3.3.5
data transaction
result of an agreement between a data provider and a Data User with the purpose of exchanging,
accessing and using data, in return for monetary or non-monetary compensation
Note 1 to entry: “Data exchange” and “data access” terms are used in order to describe different mechanisms, like
actual transfer of data or situations where data does not move but where access is provided to different
stakeholders.
Note 2 to entry: Data transactions do not necessarily imply a commercial relationship.
Note 3 to entry: Each data transaction is unique and shall be treated independently of other data transactions.
[SOURCE: EN 18235-1, Note 2 and 3 to entry added.]
3.3.6
governance framework
strategies, policies, decision-making structures and accountabilities through which the organization’s
governance arrangements operate
[SOURCE: ISO/IEC TR 38502:2017, 3.1]
4 Principles for data governance in the context of data space participation
4.1 Trust as a foundation
Data governance in data spaces should be based on secure, transparent, and accountable data sharing
practices that foster trust among participants.
4.2 Continuity of internal data governance
Participation in data spaces should build upon existing internal data space governance frameworks,
which are to be extended and adapted rather than replaced.
4.3 Ethics in data management and use
The use of data should avoid misuse, decontextualised application or practices that cause harm and
should not involve opaque exploitative practices:
— Data use will observe always compliance of the human rights, stated laws and corporate values.
— Data use does not include automated decision-making that results in discrimination unless
appropriate safeguards are in place.
— The risks arising from secondary or aggregate uses are assessed.
— Data space participants act in a fair and non-harmful manner, even in circumstances where
applicable regulations or contractual provisions do not explicitly prohibit certain uses.
4.4 Respect for data rights and responsibilities
Data shall be managed in accordance with applicable rights, including those of the participant, third-party
data owners, and personal data, ensuring lawful and responsible processing.
4.5 Cross-border consistency
Internal data governance shall support compliance across jurisdictions, ensuring transparency,
interoperability, and lawful data sharing in cross-border data space participation.
4.6 Fitness for purpose
Data shared within data spaces should meet quality and documentation standards appropriate to its
intended use, enabling informed decision-making and responsible reuse.
4.7 Alignment with legal, contractual, and operational rules
Data governance practices shall be aligned with applicable legal requirements, contractual agreements,
and operational or community rules defined by the data space or its participants.
4.8 Proportionality and scalability
Governance approaches should be proportionate to the size, role, and capacity of the participant, with
simplified, scalable practices available to support small- and medium-sized organizations. Therefore, the
contents of this document are designed to be a framework, which can also be condensed into simpler
guidelines adapted especially to SMEs.
4.9 Commitment to continuous quality improvement
Internal data governance should be subject to regular assessment and enhancement, supported by a
maturity or growth model that enables progressive improvement over time.
5 Data space participants roles and processes
5.1 Overview of the type of roles involved in data space operations
Different actors fulfil distinct roles throughout the lifecycle of the data space. Engagement management
constitutes a fundamental element for achieving the expected outcomes by data space participants. To
formalize their involvement, every data participant undertakes onboarding and offboarding processes
and establishes rules governing data transactions and service provision.
Four principal types of roles are distinguished:
1. Candidates interested in joining a data spaces.
2. Data participants who have completed the onboarding process are designated as members of a data
space. These participants can assume roles such as Data Providers, Data Users, or Data Rights
Holders. These roles can overlap (e.g. Data Provider can also be the Data Rights Holder for a specific
data product).
3. Data space governance authorities, comprising several organizations responsible for decision-
making within the data space.
4. External participants, who provide services to the data space without participating in or exploring
the data spaces themselves.
NOTE This document introduces a reference for the various processes that the data space participants
could tailor to define their way of working with the data space. Not necessarily every data space participant
needs to execute and tailor these processes. Annex B introduces recommendations for the various types of data
space participants to identify which processes are more relevant to them.
5.2 Data Space Governance Authority
The Data Space Governance Authority assumes the following roles:
a) The body or entity responsible for designing, implementing, monitoring, and updating the
governance framework of the data space and ensuring compliance by all participants. The data
governance framework forms part of the overall data space rulebook.
b) Acts as the driver of the data sharing and exploitation environment.
c) Holds responsibility for the governance and management of the data space, aiming to minimize
barriers to sharing through the proposal of standard frameworks and solutions, and where
appropriate, the establishing data space rulebooks.
d) Promotes community development around the data space by articulating diverse business models,
including bilateral data monetisation, facilitation of meeting points, commercialisation of products
or services, and altruistic open data release.
The interests of the Data Space Governance Authority are legitimacy and the growth of the ecosystem.
5.3 Data Provider
The Data Provider assumes the following roles:
a) Offer data products, which can include downloadable data sets or data services, within the context of
rights and obligations defined by the data space promoter, as established in the data space rulebook.
b) Specify their requirements regarding digital data control over the data and request appropriate
security mechanisms, while accepting consensus on the use of standard frameworks and solutions.
c) Select their revenue generation models, which can include free access to data, freemium access
deployment, temporary or continuous licensing agreements, dynamic cost systems, collaborative
exchange, or altruistic sharing.
The interests of the Data Provider are to provide data and the maintenance of control over data products.
5.4 Data User
The Data User assumes the following roles:
a) Design their use of data by reusing data products offered within the data space to fulfil their business
needs.
NOTE “Business needs” is intended to mean any needs that are important to the Data User at a personal
or professional level.
b) Act directly as Data Provider s or indirectly through Data Provider intermediaries on behalf of
organizations with lesser capabilities.
c) Consume data by reusing it within a trusted context, consistently respecting the security, trust, and
digital data control requirements established by the data space promoter and following the
procedures defined in the data space rulebook.
The interests of the Data User are the quality of data products, with particular attention to usability
including the reduction of friction with other participants and the need to place trust in Data Provider s.
5.5 Data Space Technological Provider
The Data Space Technological Provider assumes the following roles:
a) Integrate and maintain the technological solution that enables the deployment and operation of the
data space infrastructure under the guidance of the data space promoter.
b) Develop, configure, and parameterise the technological solution supporting the data lifecycle within
the data space, in accordance with the data space rulebook, which is created on the basis of
governance and management guidelines and considers privacy-enhancing technologies.
c) Operate under a definition in which the term data space technology provider is distinct from that of
a technology service provider.
The interests of the data space technology provider are technical feasibility and stability.
5.6 Data Rights Holder
The Data Rights Holder assumes the following role:
a) Holds the rights to data and decides the terms and conditions under which their data can be shared
and used within the data space.
The interests of the Data Rights Holder are legal protection and risk control.
6 Overview of the Process Reference Model
The Process Reference Model contains all the processes that are suitable for governing and managing a
data space along with the required ones for data product quality management and some supporting
processes.
All processes are described by means of a purpose, a
...