24th November 2025

Estimated reading time : 7 Minutes

How the EU Data Act Is Reshaping Data Management and Compliance Across Europe

The European Union’s legislative focus on the digital economy continues its powerful trajectory. Following the landmark General Data Protection Regulation (GDPR), the EU Data Act has emerged as the next crucial pillar, dramatically redefining who controls and can use the vast amounts of data generated by connected products—the Internet of Things (IoT).

For Chief Data Officers (CDOs), CIOs, Chief Compliance Officers, and their leadership teams across Europe’s banking, healthcare, telecom, and manufacturing sectors, the EU Data Act is not a distant legislative concept; it is an imminent operational mandate. With most provisions applying from September 2025, the Act compels a fundamental shift from data hoarding to data sharing on fair, reasonable, and non-discriminatory (FRAND) terms.

This legislation is designed to unlock the estimated 80% of European industrial data that remains unused, projecting an increase in the EU’s GDP by €270 billion by 2028 (European Commission estimates). The message is clear: the future of data management in Europe is open, competitive, and user-centric. Compliant organizations are poised to lead the next wave of innovation, while those that delay preparation face significant risk of competitive disadvantage and regulatory fines.

What is the EU Data Act and How Does it Differ from GDPR?

The EU Data Act is a comprehensive regulation that establishes harmonized rules for the fairness of data access and use. Its primary objective is to facilitate a competitive European data economy by ensuring that value generated by data from connected devices and related services is distributed fairly among all actors.

Key Objectives:

Empower Users: Give users (both consumers and businesses) of connected products greater control over the data their products generate.
Boost Competition: Enable third-party service providers (like repair shops or aftermarket services) to access data, fostering innovation and competition against original manufacturers.
Enhance Data Portability: Make it easier and faster for customers to switch between cloud and edge service providers, ending vendor lock-in.

EU Data Act vs. GDPR: A Critical Distinction

While the GDPR remains the gold standard for protecting personal data, the EU Data Act broadens the scope significantly.

The crucial point for compliance: The EU Data Act is “without prejudice to the GDPR.” If the data generated by a connected product is personal data, the rules of the GDPR still apply, and in the event of a conflict, GDPR prevails. This creates a complex dual-compliance challenge for legal and IT teams that must ensure data is shared transparently while protecting individual privacy.

Key Provisions and Requirements Defining EU Data Compliance

The mandate to implement the EU Data Act requires a detailed understanding of its core mechanisms, particularly in the context of cross-border data sharing EU and industrial data sets.

1. User Rights to Data Access and Sharing (B2C & B2B)

The most transformative provision is the right of the user—whether a consumer or a company—to access the data generated by a connected product (e.g., a smart home device or an industrial robot) and to instruct the data holder (usually the manufacturer or service provider) to share it with a third party.

Access by Design: Connected products must be designed to make this data easily accessible to the user.
Fair Compensation: Data holders may receive reasonable compensation from third-party data recipients (excluding SMEs) for the costs incurred in making the data available, but this must be set under Fair, Reasonable, and Non-Discriminatory (FRAND) terms.
Trade Secret Safeguards: The Act includes measures to protect trade secrets and intellectual property, requiring both data holders and recipients to implement technical and organizational measures to preserve confidentiality.

2. Mandatory Business-to-Government (B2G) Data Sharing

The Act introduces new obligations for private-sector data holders to make data available to public sector bodies in situations of exceptional need, such as:

Public Emergencies: Responding to natural disasters, pandemics, or major cyber incidents.
Non-Emergency Situations: For the fulfillment of a specific public-interest task mandated by law (e.g., official statistics).

3. Interoperability and Cloud Switching

To break vendor lock-in and foster a competitive European cloud market, the Act mandates new rules for providers of data processing services (IaaS, PaaS, SaaS):

Ease of Switching: Providers must remove technical, commercial, and contractual barriers to switching, including a gradual elimination of switching charges by January 2027.
Data Portability: Customers must be able to switch between providers and export their data, metadata, and service-specific IP without undue delay.
Minimum Contractual Terms: Contracts must include mandatory provisions on quality of service, security, and data portability.

How It’s Transforming Data Management Across Europe

The implementation of the EU Data Act is sparking significant operational, technical, and strategic shifts within enterprises, fundamentally rewriting established norms for data management in Europe.

1. Operational and Technical Overhaul

CDOs and CIOs are faced with the immediate need to map and re-engineer their technical infrastructure to meet the Act’s “access by design” principle.

Data Mapping and Inventory: Companies must undertake a comprehensive inventory of all data generated by their connected products, categorizing it as personal, non-personal, or mixed, and identifying trade secrets.
API Development: New, secure, and easily accessible APIs and data interfaces must be built to allow users and third parties to access data in a structured, commonly used, and machine-readable format.
Data Lineage and Quality: As data flows to external parties, the need for robust data lineage and quality assurance mechanisms becomes paramount. Any failure in data quality or security while sharing can lead to significant liabilities.

2. Strategic and Financial Realities

The cost of non-compliance and the push for modernization are already impacting enterprise IT budgets.

Increased Technology Spend: According to IDC, driven by increasing regulatory complexity, global IT security spending will approach $300 billion by 2026. A significant portion of this investment will be directed towards enhancing data governance frameworks, security, and compliance technologies to manage the new sharing obligations.
Unlocking New Value: The Act compels businesses to treat data not as a static asset to be protected, but as a fluid resource for ecosystem development. Sharing telematics data with an insurance firm, for instance, can lead to premium reductions for a corporate fleet, creating a new B2B value chain.

3. Shift in Data Ownership Mindset

For decades, the manufacturer of a connected product held de facto exclusive control over the data it generated. The EU Data Act shatters this paradigm, moving control towards the user. This strategic shift requires businesses to re-evaluate their entire business model:

Moving from Data Exclusivity to Service Superiority: The competitive edge will move away from solely controlling the data to providing the best services built upon shared data. Manufacturers must now compete with aftermarket providers, forcing an acceleration of innovation in their core service offerings.
Standardization and Interoperability: To comply with the cloud switching provisions and facilitate cross-border data sharing EU, businesses will be pushed toward adopting interoperability standards, reducing the cost and complexity of integrating services across the supply chain.

Compliance Challenges for European Enterprises

Navigating the intersection of the EU Data Act and existing data laws presents a labyrinth of challenges for CDOs, CIOs, and legal teams.

1. The Conflict of Dual-Compliance

The coexistence of the Data Act’s mandate to share and the GDPR’s principle of data minimisation is the single greatest compliance hurdle.

“When a connected product generates mixed data (both personal and non-personal), the data holder must find a mechanism to share the non-personal data while either anonymizing the personal data or relying on a lawful basis for processing, which is a complex technical and legal exercise.”

Legal teams must create new policies for handling and classifying mixed datasets, while IT must build technical solutions for granular anonymization or pseudonymization in real-time before data is released to a third party.

2. Safeguarding Trade Secrets During Data Sharing

While the Act provides safeguards for trade secrets, proving that sharing specific data would seriously prejudice the commercial position of the data holder is an active risk management problem. Enterprises must implement:

Strict Access Protocols: Define precise, auditable methods for third-party data access.
Contractual Transparency: Clearly define the scope, purpose, and duration of the third party’s data use in new FRAND contracts.

3. Cloud Vendor Lock-In and Migration Complexity

For CIOs, the obligation to easily facilitate cloud switching by 2027 necessitates a review of all current cloud service contracts. The challenge lies in migrating massive, complex, and potentially proprietary industrial datasets without incurring astronomical egress fees or suffering service disruption—a non-trivial, multi-year migration project for many established enterprises.

Strategic Opportunities in the New Data Landscape

The EU Data Act is not just a regulatory burden; it is a catalyst for data-driven innovation and trust-building that can deliver a significant competitive advantage.

1. Monetizing the Data Ecosystem

Instead of viewing data sharing as a loss, leading organizations are leveraging the Act to create new revenue streams via data products and services.

Value-Added Services: Manufacturers can offer a premium Data as a Service (DaaS) layer on top of the raw data, providing analytics, security, and context that third parties would pay for, effectively moving up the data value chain.
Joint Innovation: Partnerships formed by B2B data sharing can lead to co-created products. For example, a heavy machinery manufacturer sharing operational data with a specialized AI predictive maintenance company could result in a joint, high-margin maintenance contract for the end user.

2. Building a Trust-Based Data Advantage

In a market increasingly scrutinized by regulations like GDPR and the EU Data Act, transparency becomes a core differentiator.

Enhanced Customer Loyalty: Organizations that proactively offer secure, transparent, and easy-to-use data access platforms will build deep trust with their business customers, improving Customer Lifetime Value (CLV).
Establishing Industry Standards: Early movers can influence the development of data governance frameworks and industry-specific codes of conduct, positioning themselves as thought leaders and trusted partners in the new data economy.

How Businesses Can Prepare for the EU Data Act Now

Effective compliance with the EU Data Act requires a proactive, cross-functional strategy involving legal, IT, and business leadership. The window for preparation is closing rapidly ahead of the September 2025 application date.

1. Establish a Cross-Functional Task Force

Mandate: Appoint the CDO, CIO, and CCO/General Counsel to lead a Data Act Task Force.
Action: Conduct a Data Asset Audit to map all data generated by connected products, classify its nature (personal/non-personal/mixed), and clearly identify who the “user” is for each product line.

2. Re-engineer Data Infrastructure for Access and Portability

Action: Prioritize the development of secure APIs for real-time and continuous data sharing. Implement robust authentication and authorization controls for all data recipients.
IT Focus: Invest in data governance technologies for automated data lineage, quality monitoring, and anonymization/pseudonymization to manage the GDPR/Data Act overlap.

3. Review and Update Contracts and Business Terms

Legal Action: Overhaul all standard B2B and B2C contracts for connected products and cloud services to ensure compliance with the FRAND terms, B2G access rules, and the prohibition of unfair contractual terms.
Strategy: Develop a clear, justifiable pricing model for data access fees to ensure they are demonstrably “reasonable and non-discriminatory.”

Conclusion: The Next Era of Trusted Data Ecosystems

The EU Data Act is more than just another piece of European legislation; it is a profound declaration that the industrial data generated in Europe belongs to its users and must be mobilized to fuel competition and innovation. This regulation completes the EU’s data strategy, building a comprehensive framework that demands both privacy (GDPR) and access (Data Act).

For decision-makers navigating EU data compliance, the time for strategic planning is now. The Act introduces a permanent competitive force, rewarding those who can securely, efficiently, and transparently manage and share their data assets. Organizations that act now to embed EU Data Act requirements into their data governance frameworks will not only achieve compliance but will also establish themselves as leaders in the next era of trusted data ecosystems in Europe.

Navigating the complexities of dual-compliance, building API infrastructure, and re-engineering data processes requires specialized expertise. This is where strategic partnerships become vital. Viaante, as an expert Data Management provider, offers the necessary services and technological solutions to help European enterprises establish the secure, compliant, and interoperable data ecosystems.

Organizations that act now to master the new rules of data access and sharing will lead the next era of trusted data ecosystems in Europe.