Data that will be distributed via the EOSC will have different levels of access control depending on Intellectual Property (IP) issues, embargoes prior to publication and personal data protection considerations. In addition, certain types of research may have National Security implications that require additional levels of access control. The only model viable in such an environment is one whereby data security, or more accurately, access control remains with the entity that is ultimately legally responsible for ensuring that the data is properly restricted. This implies a very flexible access control regime, as some data (such as, for example the information underpinning a conventional research publication that does not involve human subjects or touch on National Security issues) should be made open after publication, while information such as human subject research data may need to be explicitly controlled by a data access committee at the organisation that carried out the research. In other cases, a holding entity (for example a data repository) could assume the legal burden for ensuring appropriate access control.