oSIST prEN 18235-3:2026

SLOVENSKI STANDARD
01-julij-2026
Zaupanja vredne podatkovne transakcije - 3. del: Zahteve za interoperabilnost
Trusted data transactions - Part 3: Interoperability requirements
Dataspaces - Interoperailität
Dataspaces - Interopérabilité
Ta slovenski standard je istoveten z: prEN 18235-3
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
May 2026
ICS 35.030
English version
Trusted data transactions - Part 3: Interoperability
requirements
Dataspaces - Interopérabilité Dataspaces - Interoperailität
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 25.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2026 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. prEN 18235-3:2026 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Overview . 9
4.1 Trusted data transactions . 9
4.2 Stages of a data transaction . 10
4.3 Involved systems . 10
5 General requirements . 11
5.1 Objectives . 11
5.2 Requirements . 11
5.2.1 Identifiers . 11
5.2.2 Claims . 11
5.2.3 Claims on represented party . 11
5.2.4 Claims on data space participation . 11
5.2.5 Claims on granted data rights . 12
5.2.6 Data space policies and specifications . 12
5.2.7 Data products and their identification . 12
5.2.8 Data sharing contract . 12
5.3 Evaluation criteria . 12
5.3.1 Issuing, validation, presentation and verification of claims . 12
5.3.2 Data products . 12
5.3.3 Data sharing contracts . 13
5.3.4 Data space policies and specifications . 13
6 Data product description . 13
6.1 Objectives . 13
6.2 Requirements . 13
6.2.1 Provisioning of documentation . 13
6.2.2 Data product metadata publication . 14
6.2.3 Description of the content . 14
6.2.4 Use restrictions and licence terms . 14
6.2.5 Data collection methodology . 14
6.2.6 Data quality and uncertainty . 14
6.3 Evaluation criteria . 15
6.3.1 Availability of a catalogue service . 15
6.3.2 Minimal set of metadata on data products . 15
7 Data model description . 15
7.1 Objectives . 15
7.2 Requirements . 15
7.2.1 Data structure . 15
7.2.2 Data format . 15
7.2.3 Semantic models . 15
7.2.4 Classification scheme . 16
7.2.5 Taxonomies . 16
7.2.6 Code lists . 16
7.3 Evaluation criteria. 16
7.3.1 Minimal set of metadata on data representation . 16
8 Data access . 17
8.1 Objectives . 17
8.2 Requirements . 17
8.2.1 Service endpoint for data access . 17
8.2.2 Terms of use of a service endpoint for data access . 17
8.2.3 Nature of the data transmission . 17
8.2.4 Application Programming Interfaces . 17
8.2.5 Service Level Agreement . 17
8.2.6 Required security mechanisms . 18
8.3 Evaluation criteria. 18
8.3.1 Minimal set of metadata on data access . 18
9 Automated negotiation and execution of data sharing contracts . 18
9.1 Objectives . 18
9.2 Requirements . 19
9.2.1 Discovery and negotiation phase . 19
9.2.2 Data Exchange and sharing phase . 19
9.2.3 Observability of the data sharing contract . 20
9.3 Evaluation criteria. 20
9.3.1 Contract negotiation endpoint . 20
9.3.2 Data transfer control endpoint . 20
9.3.3 Observability storage . 20
Annex A (informative) Implementation of interoperability requirements . 21
A.1 General . 21
A.2 Semantics details . 21
Annex ZA (informative) Relationship between this European Standard and the
interoperability requirements of Regulation (EU) 2023/2854 Article 33 aimed to be
covered . 23
Bibliography . 24
European foreword
This document (prEN 18235-3:2026) has been prepared by the Joint Technical Committee CEN-
CENELEC/ JTC 25 “Data Management, Dataspaces, Cloud and Edge”, the secretariat of which is held by
UNI.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardization request addressed to CEN, CENELEC and ETSI
by the European Commission. The Standing Committee of the EFTA States subsequently approves these
requests for its Member States.
For the relationship with EU Legislation, see informative Annex ZA, which is an integral part of this
document.
Introduction
Individuals and organisations increasingly rely on the availability of data shared by others, for doing
research, taking decisions and developing new products and services.
With the advance of technologies for internet of things (IoT), cloud-edge computing and wireless
networking, data can become available at an ever-larger scale. By adopting artificial intelligence (AI)
technologies new opportunities arise for creating value out of this data.
Although all these technologies bring opportunities, they are also add to the complexity of data sharing:
data are no longer residing in individual silos, but are fragmented across the boundaries of different
organisations and systems. Sharing is needed to unlock the potential, while data can be kept at the source.
Individuals and organisations have specific requirements for data protection, for reasons of privacy,
sensitivity and related legal compliance. They want to make informed choices on the data they use and
the data they share with others.
Within a data space, all participants agree to a set of policies, semantic models, protocols and processes,
defined in and managed by a governance framework. Essential requirements are needed to facilitate the
interoperability of data, data sharing mechanisms, services and the data spaces they can operate in.
Increased interoperability can stimulate openness and scale by lower transaction costs in every aspect of
data sharing: finding the right data, negotiating access to data and ensuring that the controlled sharing is
enforced in a proper way. Achieving interoperability of data and data sharing mechanisms is therefore a
critical element for the sustainable growth of the digital economy; leveraging the technological advances
and achieving the desired benefits, while at the same time meeting the need for increased data
sovereignty.
EN 18235-1 Trusted data transactions — Part 1: Terminology, concepts and mechanisms provides the
terminology, concepts and mechanisms for trusted data transactions. prEN 18235-2 Trusted data
transactions — Part 2: Trustworthiness requirements [1] defines the trustworthiness requirements for
trusted data transactions.
The present document, identifies the interoperability requirements for systems used by data space
participants. Annex A describes the implementation of interoperability requirements.
1 Scope
This document specifies requirements and guidance for the interoperability of data, data sharing
mechanisms, and services within data spaces. It covers requirements, criteria and implementation
guidance on:
— dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty,
and on machine-readable formats to find, access and use of data;
— data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, and
how to describe these elements a publicly available and consistent manner;
— technical means to access the data, such as application programming interfaces, and their terms of
use and quality of service to enable automatic access and transmission of data between parties;
— where applicable, the means to enable the interoperability of tools for automating the execution of
data sharing contracts.
This document is applicable to all organizations participating in dataspaces, regardless of their size or
type.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 18235-1:2026, Trusted data transactions — Part 1: Terminology, concepts and mechanisms
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 18235-1:2026 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1
identifier
language-independent label, sign or token that uniquely identifies an object within an identification
scheme
[SOURCE: ISO/IEC 19762:2025]
3.2
identification scheme
system for allocating identifiers to registered objects
[SOURCE: ISO/IEC 6523-1:2023]
3.3
uniform resource identifier
URI
compact sequence of characters that identifies an abstract or physical resource
Note 1 to entry: See IETC RFC 3986 (2005).
[SOURCE: ISO/IEC 12785-1:2009]
3.4
semantic model
specification of the meaning of concepts, relationships, and constraints in a given domain, expressed
independently of data structures or data formats
3.5
classification scheme
descriptive information for an arrangement or division of objects into groups based on criteria such as
characteristics, which the objects have in common
EXAMPLE Origin, composition, structure, application, function, etc.
[SOURCE: ISO/IEC 11179-3:2023]
3.6
taxonomy
scheme of categories and subcategories that can be used to sort and otherwise organize itemized
knowledge or information
[SOURCE: ISO 5127:2017, modified: note 1 to entry removed]
3.7
code list
standardized list of code values with a common scope
[SOURCE: ISO/TS 21377:2023]
3.8
agent
active enterprise object that has been delegated something (authorization, responsibility, provision of a
service, etc.) by, and acts for, a party (in exercising the authorization, carrying out the responsibility,
providing the service, etc.)
[SOURCE: ISO/IEC 15414:2015]
3.9
participant agent
agent used to conduct activities in a data space on behalf of a participant
Note 1 to entry: A participant agent is a logical construct and does not necessarily correspond to a single runtime
process
Note 2 to entry: Whilst most interactions take place between participant agents, some interactions with other
systems may be required.
EXAMPLE A participant agent can be implemented by software containing a protocol for exchanging metadata
and a protocol for exchanging claims.
3.10
endpoint
service endpoint
web location where a service can be accessed
3.11
service
logical representation of a set of activities that has specified outcomes, is self-contained, may be
composed of other services, and is a “black box” to consumers of the service
[SOURCE: ISO/IEC 18384-1:2016]
3.12
catalogue service
service that provides access to one or more data catalogues
3.13
discovery service
endpoint of a participant agent to find catalogue services
3.14
data space rulebook
data space governance framework
structured set of principles, processes, standards, protocols, rules and practices that guide and regulate
the governance, management and operations within a data space to ensure effective and responsible
leadership, control, and oversight
Note 1 to entry: ISO/IEC TR 38502:2017 defines governance framework as strategies, policies, decision- making
structures and accountabilities through which the organization’s governance arrangements operate.
[SOURCE: prEN 18235-2]
3.15
claim
statement of something to be true including associated conditions and limitations
Note 1 to entry: The statement of a claim does not mean that the only possible intent or desire is to show it is true.
Sometimes claims are made for the purpose of evaluating whether they are true or false or undertaking an effort to
establish what is true.
Note 2 to entry: In its entirety, a claim conforming to ISO/IEC/IEEE 15026-2 is an unambiguous declaration of an
assertion with any associated conditionality giving explicit details including limitations on values and uncertainty.
It could be about the future, present, or past.
EXAMPLE Attributes of an entity such as its identity, statement of quality, conformity to standards, legal status,
location and so on.
[SOURCE: prEN 18235-2, modified: Note 4 is removed]
3.16
policy
set of rules related to a particular purpose
Note 1 to entry: A rule can be expressed as an obligation, an authorization, a permission or a prohibition.
Note 2 to entry: Policies enable the structured evaluation of claims.
[SOURCE: prEN 18235-2]
3.17
trustworthiness
quality or characteristic of something that is supported by verifiable evidence which can be used to
establish trust
[SOURCE: prEN 18235-2]
3.18
trust framework
set of requirements, rules, roles, responsibilities and assessment mechanisms in support of trust and
trustworthiness
[SOURCE: prEN 18235-2]
4 Overview
4.1 Trusted data transactions
Trusted data transactions pertain to the sharing of data between parties, involving the primary roles of
data provider, data user, and data rights holder, along with other supporting roles as necessary. Data
providers offer data products to data users, who, upon establishing a data sharing contract, gain the right
to access and use these data products.
The concept of a data product is at the core of trusted data transactions, since it bundles all the elements
needed to make data findable, shareable, and usable. Data products combine data, typically in the form
of a dataset, data services, metadata, access and usage policies and can include licensing information. Data
rights holders and data providers rely on data governance processes and supporting systems for the
management of their data products, and data and metadata therein, along the lifecycle of the data product.
Trusted data transactions can happen within the context of a data space. The data space rulebook
provides common rules for participants, which may be generic or domain specific. The data space defines
the applicable trust framework(s), which in turn determine(s) the trust services that are available in the
data space. This allows participants to validate, share, and verify claims between each other on identity,
data space participation, data rights and any other applicable policies.
Agreements between a data provider and data user are recorded in a data sharing contract. During the
sharing or exchange of data, participants ensure that all conditions of the data sharing contract are met.
This is supported by the sharing and verification of claims between participants.
This document defines the requirements for the interoperability of trusted data transactions. The general
requirements for claims, data products and data sharing contracts are covered in Clause 5.2. Detailed
requirements regarding the data product description are covered in Clause 6.2, regarding the data model
description in Clause 7.2, regarding data access in Clause 8.2. Detailed requirements regarding the
automated negotiation, establishment and execution of data sharing contracts are covered in Clause 9.2.
4.2 Stages of a data transaction
During a trusted data transaction, different activities can be identified:
1. Establishing trustworthiness: given the applicable trust frameworks, parties provide evidence to
each other in the form of machine-readable claims. Such claims are presented before and during
trusted transactions with other parties. Claims can be verified using trust services. This results in a
level of trustworthiness.
2. Granting of rights by a data rights holder to a data provider to offer a data product.
3. Data Product Publication, during which activity the data product is published through a catalogue
service.
4. Data Product Discovery, during which a prospective data user queries a catalogue service and
searches for relevant data products. This activity allows the data user to make an assessment
whether the offered data product suits their needs. Discovery services are used to find catalogue
services of data products.
5. Data Sharing Contract Negotiation, during which the data provider and data user agree to the terms
and conditions of the data sharing contract. This can be as simple as agreeing to proposed policies.
More complex negotiation scenarios can be foreseen as well. This activity results in a data sharing
contract.
6. Preparation of the data sharing, relating to activities needed to configure the data access. This
includes the technical set-up of the necessary infrastructure for the sharing of data or use of data
services and the validation of all agreed conditions mentioned in the data sharing contract.
7. Management of the data sharing, relating to the actual start and ending of the sharing of data. Sharing
can take place when the conditions specified in the data sharing contract are met and stop when
these conditions are no longer met. For the purposes of observability and data lineage certain aspects
of the data sharing can be recorded.
Trustworthiness is established at the start of the transaction and is managed during the lifetime of the
data transaction. Participants need to continuously monitor whether any required policies are met. Other
activities occur typically during one of the following phases of a data transaction:
— Granting rights and publication: during this phase typically activities 2 and 3 are performed. It results
in a published data product.
— Discovery and negotiation: during this phase the data provider and data user engage in a process of
discovery of data products and the negotiation of a data sharing contract. This relates to activity 4
and 5. It results in an agreed data sharing contract.
— Data exchange and sharing: During this phase the actual data exchange or sharing takes place,
encompassing the access and usage of the data. The conditions of the data sharing contract are
continuously validated. The phase starts when the contract becomes active and ends when the
contract is terminated.
4.3 Involved systems
Data sharing activities of participants are conducted by participant agents, with most interactions
occurring between these agents. Depending on the set-up within a data space, facilitating services may
be available or sometimes even required to support the process. These services, including trust services,
catalogue services, and discovery services, can play a valuable role in enhancing and streamlining data
sharing activities. This document provides requirements in support of the interoperability of these
systems.
5 General requirements
5.1 Objectives
The objective of this Clause is to provide the general conditions for:
a) setting-up and using participant agents, trust services and other supporting systems and any
required data structures there-in;
b) enabling data users to establish and verify whether the data or data service provided by the data
provider is part of one or more data spaces or not;
c) enabling verification that any required legal and administrative conditions are met.
5.2 Requirements
5.2.1 Identifiers
Entities and objects that are referenced by multiple parties or services shall have a globally unique
identifier.
There are two ways this can be accomplished:
a) using a globally unique scheme to identify the entity or object;
b) using a globally unique scheme to identify the issuing party, in combination with the object or entity
identifier that is unique within the scope of the issuer.
Data space rulebooks may provide further requirements on the syntax and assigning of identifiers.
Identifiers shall meet any further requirements specified in applicable data space rulebooks.
Identifiers based on globally unique schemes shall be in the form of a URI.
5.2.2 Claims
When claims are required, such claims shall be machine readable and verifiable using a trust service
specified in the applicable trust framework.
Claims shall conform to an agreed ontology, defined in the applicable trust framework.
5.2.3 Claims on represented party
In their interactions with participant agents and facilitating services, participant agents shall present a
claim to enable verification of the party on behalf of which it conducts the activities.
5.2.4 Claims on data s
...