oSIST prEN 18235-1:2025

SLOVENSKI STANDARD
01-september-2025
Zaupanja vredne podatkovne transakcije - 1. del: Terminologija, koncepti in
mehanizmi
Trusted data transactions - Part 1: Terminology, concepts and mechanisms
Einführendes Element - Haupt-Element - Ergänzendes Element
Transactions de données de confiance - Partie 1: Terminologie, concepts et mécanismes
Ta slovenski standard je istoveten z: prEN 18235-1
ICS:
01.040.35 Informacijska tehnologija. Information technology
(Slovarji) (Vocabularies)
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2025
ICS 01.040.35; 35.030
English version
Trusted data transactions - Part 1: Terminology, concepts
and mechanisms
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 25.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. prEN 18235-1:2025 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
Introduction . 4
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Objectives, stakeholders and concepts of trusted data transaction . 9
4.1 Objectives . 9
4.2 Stakeholders . 10
4.3 Concepts . 10
Bibliography . 13
European foreword
This document (prEN 18235-1:2025) has been prepared by Technical Committee CEN/CENELEC JTC 25
“Data Management, Dataspaces, Cloud and Edge”, the secretariat of which is held by UNI.
This document is currently submitted to the CEN Enquiry.
Introduction
Data are now the backbone of the digital economy, enabling economic growth and competitiveness,
fostering innovation, improving public services or advancing scientific research. Seamless and secure
cross-border and cross-industry data flows, within and across data spaces or data ecosystems, have
become crucial for businesses and individuals worldwide. As technologies such as artificial intelligence
(AI) and internet of things (IoT) continue to evolve and spread, the importance of data exchange, data
sharing and data flows will only become more significant.
In its Communication on a European strategy for data of February 29, 2020, the Commission describes
its vision for the data economy, based on European values and fundamental rights and the conviction that
the human being is and should remain at the centre.
Data spaces should foster an ecosystem aiming to facilitate cross-border data flow and harmonizing
regulations across sectors within the EU, ensuring adherence to European rules and values such as
personal data protection, consumer protection, and fair competition.
European strategy for data also seeks to establish clear, practical, and transparent rules for data access
and usage, alongside robust governance mechanisms, while adopting an open yet principled approach to
international data flows
The legal environment around data exchanges and data transactions plays an essential role in the
development of data ecosystems, bringing a trust framework for all stakeholders involved in the
exchange of data. In Europe some of the key regulations are:
— the General Data Protection Regulation (EU) 2016/679 (GDPR), a comprehensive data protection
law enacted by the European Union (EU) to regulate the collection, processing, and storage of
personal data. It applies both to European organisations that process personal data of individuals in
the EU, and to organisations outside the EU that target people living in the EU.
— the Data Governance Act (DGA), which entered in force in the EU in June 2022 and is in application
since September 24, 2023. The DGA is a cross-sectoral instrument that aims to make more data
available by regulating the re-use of certain categories of protected data held by public sector bodies,
by boosting data sharing through the regulation of data intermediaries and by encouraging the
sharing of data for altruistic purposes. Both personal and non-personal data are in scope of the DGA,
and wherever personal data are concerned, the General Data Protection Regulation (GDPR) applies.
In addition to the GDPR, inbuilt safeguards will increase trust in data sharing and re-use, a
prerequisite to making more data available on the market.
— the Data Act, which entered into force in January 2024 and becomes applicable in September 2025.
While the Data Governance Act creates the processes and structures to facilitate data sharing, the
Data Act clarifies who can create value from data and under which conditions and provides legal
clarity for businesses as regards the use of data. The Data Act aims to facilitate the development of
new services leveraging Europe’s wealth of data, but also ensures fairness by regulating the rights
and obligations of all the economic actors involved in sharing data, particularly from Internet of
Things (IoT) devices
Along with reference architectures, trust frameworks and data regulations, the existence of standards
recognized by the community represents another key pillar for developing collaborations around data,
across borders and across industries, easily, effectively while facilitating interoperability.
This document focuses on the subject of trusted data transactions.
1 Scope
This document provides terminology, concepts and a description of mechanisms in the field of data
exchange focusing on trusted data transactions.
Those elements can be used in the development of standards in support of trusted data transactions and
constitute a basis to identify key dimensions and criteria that contribute to the trust in a data transaction
between interested parties.
Therefore, those elements constitute a foundational understanding on which trusted data transactions
can be based, independently of any architectural choices or technical implementation.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1
data
re-interpretable representation of information (3.1) in a formalized manner suitable for communication,
interpretation, or processing
Note 1 to entry: Data can be used for communication, interpretation or processing by humans or automatic means.
Note 2 to entry: Communication, interpretation or processing can include the exchange or sharing of data by one or
more entities.
Note 3 to entry: The reference within this definition is defined in ISO/IEC 5207:2024.
[SOURCE: ISO/IEC 5207:2024, 3.2]
3.2
data user
person or organization authorized to exploit data (3.1)
Note 1 to entry: Data are in the form of data products.
Note 2 to entry: Data consumer is considered as a synonym of data user.
[SOURCE: ISO 5127:2017, modified – Note 1 and Note 2 to entry added]
3.3
data sharing
data exchange
access to the same data (3.1) by more than one authorized entity
Note 1 to entry: Use of the data can be synchronous or asynchronous.
Note 2 to entry: Data can be shared, for example, (i) by allowing access to the original data set, or (ii) by giving a
copy of the data to the interested entity.
Note 3 to entry: The way in which data are shared fundamentally influences the available controls and the
statements needed in a data sharing agreement.
[SOURCE: ISO/IEC 23751, 3.7, modified – “or processing of” deleted, the term “data exchange” added as
a synonym to “data sharing”, and Note 2 to entry modified by removing “, or the execution of operations
over,”]
3.4
data licence terms
terms and conditions of use of a data product (3.5)
Note 1 to entry: Terms and conditions include notions such as, without being limited to, duration, territory, sub-
licensing rights or commercial terms.
Note 2 to entry: Data licence terms are usually defined by the data provider.
3.5
data product
data sharing unit, packaging data (3.1) and metadata (3.11), and any associated licence terms
Note 1 to entry: Data product does not necessarily imply commercial aspects.
Note 2 to entry: Data product can be published in a data product catalogue that is searchable by data users.
Note 3 to entry: In the context of trusted data transactions, a data product will be associated with data licence terms.
3.6
data producer
natural person, legal person, device or any software that generates data (3.1)
3.7
data provider
legal person that has the right or duty to make data available to data users (3.2) through data products
(3.5)
Note 1 to entry: Data provider carries out several activities, i.e.:
—  non-technical, on behalf of a data rights holder, including the description of the data products, data licence
terms, the publishing of data products in a data product catalogue, the negotiation with the data users, and the
conclusion of contracts,
—  technical, with the provision of the data products to the data users.
3.8
data rights holder
natural or legal person that has legal rights or obligations to use, grant access to or share certain data
(3.1), or transfer such rights to others
Note 1 to entry: Data rights holder and data provider represent different roles, that can be carried out by the same
entity or by different entities.
3.9
data space
dataspace
environment designed to establish trustworthiness and enable data sharing (3.3), based on an agreed set
of policies, semantic models, protocols and processes, supported by a governance framework and
facilitating services
Note 1 to entry: Data space enabling services are implemented by one or more infrastructures.
Note 2 to entry: Data spaces enable one or more use cases.
3.10
data transaction
result of an agreement between a data provider (3.7) and a data user (3.2) with the purpose of
exchanging, accessing and using data, in return for monetary or non-monetary compensation
Note 1 to entry: “Data exchange“ and “data access” terms are used in order to describe different mechanisms, like
actual transfer of data or situations where data does not move but where access is provided to different
stakeholders.
Note 2 to entry: Data transactions do not necessarily imply a commercial relationship.
Note 3 to entry: Each data transaction is unique and is treated independently from other data transactions.
3.11
metadata
data defining and describing other data
Note 1 to entry: Metadata can include data descriptions, and data about data ownership, access paths, access rights
and data volatility.
[SOURCE: ISO 8000-2:2022, 3.2.5, modified – Note 1 to entry added]
3.12
data sharing contract
formal and legally binding agreement between data space participants (3.21) in a data sharing process
(3.26), containing policies, terms and conditions for data
...