prEN 18235-2
Trusted data transactions - Part 2: Trustworthiness requirements
This document provides trustworthiness requirements and guidance for data space participants in support of trusted data transactions.
Specifically, it defines a set of foundational principles for trusted data transactions, and establishes general requirements and guidance that apply to all phases of a trusted data transaction, and specific requirements for each phase of a trusted data transaction.
This document applies to all types of organizations participating in data spaces, regardless of their type or size.
Vertrauenswürdige Datentransaktionen - Teil 2: Anforderungen an die Vertrauenswürdigkeit
Zaupanja vredne podatkovne transakcije - 2. del: Zahteve za zanesljivost
SLOVENIAN STANDARD
01 February 2026
Zaupanja vredne podatkovne transakcije - 2. del: Zahteve za zanesljivost
Trusted data transactions - Part 2: Trustworthiness requirements
Vertrauenswürdige Datentransaktionen - Teil 2: Anforderungen an die Vertrauenswürdigkeit
This Slovenian standard is identical to: prEN 18235-2
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.
EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2025
ICS 35.030
English version
Trusted data transactions - Part 2: Trustworthiness requirements
Vertrauenswürdige Datentransaktionen - Teil 2: Anforderungen an die Vertrauenswürdigkeit
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 25.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. prEN 18235-2:2025 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 General
3.2 Trust
3.3 Data sharing
4 Principles for trusted data transactions
4.1 Introduction
4.2 Phases of a data transaction
4.3 Data rights
4.4 Data product
4.5 Data quality
4.6 Data provenance and data lineage
4.7 Observability and traceability of data transactions
4.8 Data spaces
4.9 Interoperability across data spaces
4.10 Trust frameworks
4.11 Trust policy dimensions
5 Trustworthiness requirements
5.1 Introduction
5.2 General requirements
5.2.1 Overview
5.2.2 Identification of participants
5.2.3 Policies, claims and evidence
5.2.4 Operational and legal aspects of policies, claims and evidence
5.2.5 Trust frameworks
5.2.6 Data spaces
5.3 Grant rights
5.3.1 Overview
5.3.2 Claims of granted data rights
5.4 Publication
5.4.1 Overview
5.4.2 Verification of publication rights
5.4.3 Catalogue metadata of the data product
5.4.4 Data catalogue requirements
5.5 Discovery
5.5.1 Overview
5.5.2 Verification of rights and access control
5.5.3 Discovery service requirements
5.5.4 Discovery service recommended features
5.6 Negotiation
5.6.1 Overview
5.6.2 Claims on delegated rights
5.6.3 Recording of the data usage contract
5.7 Data sharing
5.7.1 Overview
5.7.2 Identification, authentication and authorization
5.7.3 Observability of data transactions
5.8 Data access and usage
5.8.1 Overview
5.8.2 Verification of access rights
5.8.3 Usage of data
5.8.4 Observability
Annex A (informative) Trust frameworks
Annex ZA (informative) Relationship between this European Standard and the interoperability requirements of Regulation (EU) 2023/2854 aimed to be covered
Bibliography
European foreword
This document (prEN 18235-2:2025) has been prepared by Technical Committee CEN/CLC JTC 25 “Data
Management, Dataspaces, Cloud and Edge”, the secretariat of which is held by UNI.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardization request addressed to CEN and CENELEC by
the European Commission. The Standing Committee of the EFTA States subsequently approves these
requests for its Member States.
For the relationship with EU Legislation, see informative Annex ZA, which is an integral part of this
document.
Introduction
Sharing of data can have significant commercial, financial, privacy and other impacts on all stakeholders
involved. Therefore, it is important to identify the requirements for trustworthiness of data transactions.
Data transactions can take place in many different organisational set-ups, requiring an interplay between
data rights holders, data providers, data users and any involved data intermediaries facilitating the
sharing of data, through technical, legal or other means.
Agreements between these actors are established in data usage contracts, containing policies, terms and
conditions for the sharing of data between two or more participants. Data usage contracts can be bound
by commonly established technical and legal agreements (i.e. policies, semantic models, protocols and
processes). In data spaces, such agreements are managed by a Data Space Governance Authority (DSGA)
and documented in the data space rulebook, providing the common trust context and supporting services
for data sharing.
prEN 18235-1 (Trusted data transactions - Part 1) provides the terminology, concepts and mechanisms
for trusted data transactions. This document (Trusted data transactions - Part 2) defines the
trustworthiness requirements for trusted data transactions.
1 Scope
This document provides trustworthiness requirements and guidance for data space participants in
support of trusted data transactions.
Specifically, it defines a set of foundational principles for trusted data transactions, and establishes
general requirements and guidance that apply to all phases of a trusted data transaction, and specific
requirements for each phase of a trusted data transaction.
This document applies to all types of organizations participating in data spaces, regardless of their type
or size.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in prEN 18235-1 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1 General
3.1.1
principle
fundamental truth, proposition or assumption that serves as foundation for a set of beliefs or behaviours
or for a chain of reasoning
[SOURCE: ISO/IEC 5259-5:2025]
3.2 Trust
3.2.1
claim
statement of something to be true including associated conditions and limitations
Note 1 to entry: The statement of a claim does not mean that the only possible intent or desire is to show it is true.
Sometimes claims are made for the purpose of evaluating whether they are true or false or undertaking an effort to
establish what is true.
Note 2 to entry: In its entirety, a claim conforming to ISO/IEC 15026-2 is an unambiguous declaration of an assertion
with any associated conditionality giving explicit details including limitations on values and uncertainty. It could be
about the future, present, or past.
Note 4 to entry: Interoperability aspects of data models, taxonomy and semantics will be addressed in Part 3.
EXAMPLE attributes of an entity such as its identity, statement of quality, conformity to standards, legal status,
location and so on
[SOURCE: ISO/IEC TR 15443-1:2012, modified with note 3 and note 4 added]
3.2.2
evidence
information supporting a claim
3.2.3
policy
set of rules related to a particular purpose
Note 1 to entry: A rule can be expressed as an obligation, an authorization, a permission or a prohibition.
Note 2 to entry: Policies enable the structured evaluation of claims.
[SOURCE: ISO 19101-2:2018]
3.2.4
reconciliation
process of evaluating and demonstrating that the claims and evidence satisfy the requirements of the
policy in consideration
3.2.5
trustworthiness
quality or characteristic of something that is supported by verifiable evidence which can be used to
establish trust
3.2.6
trust framework
set of requirements, rules, roles, responsibilities and assessment mechanisms in support of trust and
trustworthiness
3.2.7
data integrity
property that data has not been altered or deleted by unauthorised parties
3.3 Data sharing
3.3.1
interoperability
ability of two or more systems or applications to exchange information and to mutually use the
information that has been exchanged
[SOURCE: ISO/IEC 22123-1:2023]
3.3.2
data space rulebook
data space governance framework
structured set of principles, processes, standards, protocols, rules and practices that guide and regulate
the governance, management and operations within a data space to ensure effective and responsible
leadership, control, and oversight
Note 1 to entry: ISO/IEC TR 38502:2017 defines governance framework as strategies, policies, decision-making
structures and accountabilities through which the organization’s governance arrangements operate.
[SOURCE: DSSC Data Spaces Blueprint v2.0, modified – Note 1 to entry added]
3.3.3
data quality
degree to which a set of inherent characteristics of data fulfils requirements
[SOURCE: ISO 8002:2022, 3.8.1, modified – Note to entry removed]
3.3.4
observability
ability to monitor and verify the state and behaviour of a trusted data transaction
3.3.5
traceability
ability to log and track a trusted data transaction throughout its lifecycle
Note 1 to entry: Traceability enables compliance, accountability, dispute resolution, and proof of execution.
Note 2 to entry: Traceability ensures compliance with legal and ethical standards, allowing stakeholders to follow
the flow of data transactions while preserving trust and security.
3.3.6
data lineage
description of the entire history of data, including its creation, transformation, and the processes it
undergoes
Note 1 to entry: Data lineage provides a comprehensive map of how data evolves during its lifecycle.
3.3.7
data provenance
information on the place and time of origin, derivation or generation of data, proof of authenticity of the
data, or a record of past and present ownership of the data
[SOURCE: ISO/IEC 5259-1:2024, 3.16, modified – “data set” replaced with “data”]
4 Principles for trusted data transactions
4.1 Introduction
The objective of this clause is to define the overarching principles that serve as foundation for the detailed
requirements in Clause 5.
4.2 Phases of a data transaction
As identified in Part 1, there are six activities (derived from three phases) of a data transaction:
(i) grant rights, (ii) publication, (iii) discovery, (iv) negotiation, (v) data sharing, and (vi) data access and
usage.
Trust is established during all phases of a trusted data transaction, involving all relevant participants,
each with defined roles specific to the phase.
4.3 Data rights
Data rights holders should have sufficient control over how their data are accessed and used through
technical or legal means.
NOTE Agreed data usage policies and relevant regulations can apply.
4.4 Data product
Data rights holders and data providers should rely on data governance processes and systems to manage
their data products (and data and metadata therein) along the lifecycle of the data product.
4.5 Data quality
Data quality is a multi-dimensional concept relating to aspects such as accuracy, integrity, completeness,
and the provenance of the data. If data are not tailored to their intended purpose, they can fail to generate
meaningful outcomes, regardless of their inherent quality. Data quality can be managed through technical
means and appropriate data governance processes.
The quality of a data product is critical to ensuring trust in the transaction. The data quality of a data
product should be accurately described using metadata, enabling verification that the data are suited to the
purpose or application in which the data will be used.
NOTE Regulations or data spaces can impose rules for the expected quality of certain types of data products.
4.6 Data provenance and data lineage
Data provenance captures details about who created the data, when and how, including the context of
data generation (e.g. environmental conditions, tools, and methodologies used). It also documents
certifications, licenses, and regulatory attributes to ensure compliance with legal and ethical standards.
A tamper-resistant provenance scheme enhances trust and auditability, allowing stakeholders to verify
the authenticity, integrity, and legitimacy of data sources across trusted transactions.
Data lineage involves tracking transformations, merges, and derivations, establishing a relationship
between raw data and processed outputs. A comprehensive data lineage framework ensures that data
usage stays aligned with regulatory requirements and quality and transparency standards.
Parties involved in trusted data transactions should implement robust data governance processes to
ensure that metadata within the data product includes all necessary information to guarantee accurate
data provenance (origin and historical record) and data lineage (lifecycle and transformations).
4.7 Observability and traceability of data transactions
Observability ensures that data transactions can be monitored and diagnosed, providing insights into
system behaviour, performance, security threats and potential failures by continuously collecting and
analysing relevant signals.
It ensures that data sharing systems are working correctly, in compliance with shared values, enhancing
confidence among stakeholders.
Key functions include, without being limited to:
— anomaly detection,
— root cause analysis when issues occur, and
— real-time insights into data transaction performance.
Traceability ensures that data transactions can be tracked, logged, monitored, and verified throughout
their lifecycle, providing an audit trail for accountability, compliance, and dispute resolution.
Traceability provides transparency, helping participants and regulators ensure that data usage aligns
with policies, ethical guidelines, and contractual agreements.
Key functions include, without being limited to:
— ensuring accountability by tracking who performed what action and when,
— providing a complete audit trail for compliance,
— enabling verification of contractual and regulatory adherence, and
— supporting non-repudiation, ensuring data transactions cannot be denied.
By incorporating traceability functions, participants can ensure accountable and secure data
transactions.
NOTE Traceability can be applied to transactions within a data space as well as to transactions across different
data spaces.
Participants involved in data transactions should rely on data governance processes and systems to
ensure their data transactions are observable and traceable.
4.8 Data spaces
Data spaces are not giant data warehouses or data lakes hosted in a shared, centralized storage. Metadata
and claims are being exchanged during the negotiation process. If and how the data are physically
transferred depends on the agreement between individual parties.
Participants of a data space adhere to a common governance framework, documented in a data space
rulebook. The governance framework defines all policies and services which apply and defines the
relevant trust framework for each of them.
Trusted data transactions can be facilitated by data spaces: when parties are participants of the same
data space, implying adherence to the common data space rulebook, this facilitates trusted data
transactions.
4.9 Interoperability across data spaces
Parties can choose to adhere to the rulebooks of multiple different data spaces when they wish to share
data across different domains or contexts. Data space governance authorities can facilitate this by
defining interoperable policies, services and associated trust frameworks.
Interoperability across data spaces can be achieved by using common terminologies for expressing
policies, adopting common protocols and services as well as associated trust frameworks. Interoperable
data space rulebooks can facilitate connections between participants and services across different data
spaces.
NOTE Added interoperability can be achieved by creating multiple specific instantiations of an overarching
rulebook or by creating explicit links between multiple rulebooks.
4.10 Trust frameworks
Trust frameworks provide a way to establish trust between participants in a data transaction. In defining
a trust framework, the following elements are specified:
— the rules a participant in a data transaction must comply with,
— the semantic models of the trust information exchanged, and
— the processes and technical standards adopted to perform and possibly automate compliance checks.
A data space shall rely on one or more trust frameworks.
A data space may combine and/or extend trust frameworks to fit its needs, or alternatively define its
own trust framework, as long as the result complies with the requirements for trust frameworks in Clause
5.
The use of interoperable trust frameworks can help to create synergy effects across different domains,
enabling connections across data spaces.
4.11 Trust policy dimensions
Trusted data transactions are inherently complex, as they encompass a wide variety of use cases, business
models and IT architectures, while adhering to laws and regulations across multiple jurisdictions.
Trust policies for data transactions should address three dimensions: legal, operational and technical.
While the three dimensions rely on one another, separation of these three dimensions helps to enable
reuse and interoperability in different contexts.
Example: Policies in trusted data transactions can define dataspace membership policies, access to offers,
data contract policies or data usage policies.
5 Trustworthiness requirements
5.1 Introduction
The primary objective of this clause is to define a comprehensive set of trustworthiness requirements for
trusted data transactions, taking the principles discussed in Clause 4 as a basis.
To this end, the clause is structured around the six activities (derived from three phases) of a data
transaction identified in Part 1:
(i) grant rights,
(ii) publication,
(iii) discovery,
(iv) negotiation,
(v) data sharing, and
(vi) data access and usage.
5.2 General requirements
5.2.1 Overview
This clause covers general trustworthiness requirements that apply to all phases of a trusted data
transaction, addressing the role of trust frameworks and data space governance authorities.
5.2.2 Identification of participants
5.2.2.1 General
Verification of the identity of participants is a critical process in establishing trust, ensuring that all
participants in a data transaction are known to each other. Automated verification relies on digital
evidence of the participant’s identity.
5.2.2.2 Eviden
...







