The Dutch Energy Act, Data Governance and the GDPR: implications for the energy sector
June 09, 2026
As of 1 January 2026, the Dutch Energy Act entered into force, replacing the Electricity Act 1998 and the Gas Act. The new legislation modernises the Dutch energy law framework, which had become increasingly misaligned with the realities of today’s energy system. In this context, Chapter 4 of the Energy Act establishes the statutory framework for data processing and exchange in the energy sector and forms the primary point of interaction with the General Data Protection Regulation (GDPR).

Data exchange and the link with data protection

A central pillar of the Energy Act is the regulation of data exchange within the energy system. Large volumes of data are indispensable for core system processes, including billing, balancing and network management. Part of these data may relate to natural persons and therefore fall within the scope of the GDPR, while other data do not, or only do so in specific contexts. The rules governing these data flows are primarily laid down in Chapter 4 of the Energy Act.

Where personal data are involved, the GDPR applies in full alongside the Energy Act. At the same time, essential system processes must not depend on the consent or willingness of individual users to share data. Data sharing for other purposes generally takes place at the request of the data subject.

Energy data and when they qualify as personal data

Energy data encompass a broad range of information, including metering data, connection details, system data and administrative identifiers. Not all energy data qualify as personal data under the GDPR. Whether data constitute personal data depends on the specific context in which they are processed.

Energy data qualify as personal data where they relate to an identified or identifiable natural person. This includes, for example, household consumption data linked to a specific address or connection.
Other data, such as technical characteristics of a meter or aggregated system information, are not personal data in themselves, but may become personal data when combined with other information. The energy sector also processes large volumes of data relating to legal persons. While such data generally fall outside the scope of the GDPR, the Energy Act nevertheless applies a uniform framework for controlled data use across the sector. This qualification under the GDPR applies irrespective of the categorisation of data under the Energy Act.

Purposes and access to energy data

The purpose‑based access regime described below follows directly from the structure of Chapter 4 of the Energy Act. Although the Energy Act places strong emphasis on data availability for the functioning of the energy system, it simultaneously adopts a restrictive approach to data access. As a rule, energy data may only be accessed by predefined categories of actors and solely for purposes expressly anchored in the statutory framework. This reflects an intention to prioritise system stability, security and legal certainty.

However, this restrictive architecture also narrows the space for the wider use of energy data beyond those system functions. Even where data are aggregated or otherwise removed from individual user contexts, the current framework offers little scope for access by third parties seeking to develop new services, insights or market propositions related to the energy transition. The absence of a mechanism enabling conditional or safeguarded data disclosure outside the core system processes suggests that broader data reuse was not envisaged as part of the legislative design.

From a practical point of view, the current framework significantly limits the commercial use of energy data beyond the legally defined system functions. Access to energy data can be instrumental in enabling flexibility solutions and data‑driven innovation.
A more open, but carefully controlled data access regime could potentially have contributed to unlocking such developments. The Energy Act, however, prioritises legal certainty and system control over broader data availability. This means that market participants seeking to develop data-driven solutions outside the core system processes face a structurally limited ability to access energy data under the current framework. At the same time, from a data protection perspective, this closed access model is consistent with the GDPR’s principles of purpose limitation and data minimisation.

This connects to a broader discussion at EU level. In its Strategic Roadmap for Digitalisation and AI in the Energy Sector, published on 3 June 2026, the European Commission acknowledges that the framework for the secondary use of energy data — such as reuse for research, analytics or the training of AI models — remains underdeveloped. Public datasets are fragmented, and there is no sector-specific framework for structured energy data pooling. As a result, energy companies and grid operators are reluctant to share data, which slows down the development of AI applications in the energy sector. To address this, the Commission will focus on facilitating the pooling of energy data for AI model training, research and public-interest purposes, establishing trust frameworks for AI in energy, and developing regulatory sandboxes for testing energy AI applications. A key objective set out in the Roadmap is to establish an EU framework for simplified cross-border energy data exchange for smart energy services and AI model training, with an assessment planned in 2026 and development from 2027 onwards.

Legal grounds and rights

While the Energy Act defines mandatory processing activities, it does not in itself constitute an autonomous legal basis under Article 6 GDPR. Where personal data are processed, a valid legal basis under the GDPR is required.
In practice, most core energy processes rely on statutory obligations or the performance of tasks carried out in the public interest, as defined in the Energy Act and related regulations. Other legal bases remain available in appropriate cases.

The Energy Act also strengthens data-related rights. End users and connected parties are entitled to access their data and to request that data be shared with third parties. For clarity, this concerns individual, user-initiated data sharing and does not provide third parties with an autonomous or general right of access to energy data beyond the purposes defined in Chapter 4 of the Energy Act. These rights are extended not only to natural persons but also, by analogy, to legal persons. As a result, entities that are not protected by the GDPR may nevertheless benefit from similar safeguards under energy law.

Regulatory overlap with the GDPR and NIS2

The Energy Act operates within a broader regulatory landscape in which energy regulation, data protection law and cybersecurity legislation increasingly overlap. While Chapter 4 of the Energy Act structures data processing and exchange, compliance obligations may simultaneously arise under the GDPR and, where relevant, the NIS2 regime.

This overlap is particularly visible in relation to incident management. A single event, such as a security incident or data breach, may trigger reporting obligations under multiple legal frameworks. Where energy data are involved, notification duties may arise under the Energy Act. If personal data are affected, GDPR notification requirements apply. Incidents affecting the security or continuity of digital infrastructure may also fall within the scope of NIS2. At present, no harmonised reporting mechanism exists, meaning that a single incident may require multiple separate assessments and notifications.

Supervision reflects this regulatory overlap. The Authority for Consumers and Markets oversees compliance with the Energy Act.
The Dutch Data Protection Authority is responsible for oversight where personal data are concerned. Cybersecurity and digital resilience aspects fall under the remit of the Inspectorate for Digital Infrastructure. While these authorities cooperate in practice, their legal mandates remain distinct.

Implications for the energy sector

Overall, the Energy Act reflects how data has become a core element of the regulatory framework governing the energy sector. It establishes clear rules on the collection, use and exchange of energy data, while operating alongside existing regimes for data protection and cybersecurity. Together, these frameworks define the legal boundaries within which market participants must structure their data-related activities.

For organisations active in the energy sector, this means that compliance increasingly requires an integrated view of sector-specific regulation and horizontal regulatory obligations. The Energy Act clarifies which data may be processed and for which purposes, while the GDPR and NIS2 shape how (personal) data must be protected and how cyber resilience and incidents must be managed. Supervision and enforcement are exercised by multiple authorities, each acting within its own mandate, which further underscores the need for a coordinated compliance approach.

In practice, the Energy Act therefore confirms that participation in the energy market entails operating within a tightly regulated data environment. Understanding how the various regulatory layers interact is key to ensuring lawful data use, managing regulatory risk and maintaining operational continuity within the evolving energy system. This calls for an integrated assessment of compliance with the Energy Act, in particular Chapter 4, alongside obligations under the GDPR and NIS2.