With the EU Data Act in full effect in a few months, I’ve been fascinated by how differently companies are approaching compliance. While many organizations are struggling to understand what this means for their data practices, others are embracing the change as an opportunity. This led me to create an EU Data Act Compliance community-driven project to track and assess how companies are implementing—or failing to implement—EU Data Act requirements in the wild.
“The EU Data Act is set to fundamentally transform the IoT landscape by giving users unprecedented access to their device-generated data.”
In this post, I’ll share both my analysis of the EU Data Act’s key points and how my project is helping create transparency around real-world implementation.
Understanding the EU Data Act
The EU has been at the forefront of digital regulation for years, with GDPR setting a global standard for privacy. Now, the Data Act takes this a step further by focusing on how data is shared, accessed, and monetized across the digital economy. As someone who’s been working in the cloud computing domain for years, I can tell you this is potentially more transformative than GDPR for many businesses. Full EU Data Act Regulation Text
The Data Act is built on core principles that I find particularly compelling:
- Fairness
- Transparency
- Non-discrimination
- Minimal technical and legal effort on the user’s part
These principles aren’t just regulatory jargon—they represent a fundamental shift in how we think about data ownership and access.
The most interesting example I can think of regarding the EU Data Act is a car rental company. Under the EU Data Act you are allowed to get the data that the car uploads to cloud services while you rent it. That means the car company has to provide an API that delivers the data on a per-hour or per-minute basis.
Then the rental company has to either provide the rental information to the car company so that you can query the data for the time you rented it, or the rental company has to act as middleware to the car company API. And all of that without getting any additional €.
Let’s see how companies apply these regulations in reality.
Key Provisions of the EU Data Act
When I first read through the 70 pages of the Data Act, I was struck by how comprehensive it is. Unlike GDPR which focused primarily on personal data, the Data Act targets the broader data economy. Here are the provisions that I believe will have the most significant impact:
Data Access and Sharing
The Data Act fundamentally changes who can access data and under what terms:
User Rights to Generated Data: If you’re using a connected device (think smart home systems, industrial IoT, connected vehicles), you now have the right to access data generated by your usage. This is huge - previously, manufacturers could lock this data away.
B2B Data Sharing Framework: The Act establishes rules for fair, reasonable, and non-discriminatory terms for business data sharing. I’ve already seen this impact negotiations between data providers and consumers.
Protection for Trade Secrets: There are safeguards to protect confidential business information while enabling necessary data sharing. This balance is tricky, and I expect we’ll see litigation around this area.
Standardized APIs: The requirement for standardized application programming interfaces for data access will force many companies to redesign their systems. I’ve been advising clients to start this work early as it can be technically complex.
Cloud and Edge Services Regulation
The cloud computing market is directly targeted by these provisions:
Service Switching: Cloud providers must remove commercial, technical, and contractual barriers to switching services.
Interoperability Requirements: The technical specifications to ensure compatibility between services will be a major headache for proprietary device platforms. Here’s an example of what a compliant API might look like:
```json
{
  "dataExport": {
    "format": "standardized",
    "endpoints": [
      {
        "type": "bulk",
        "uri": "/api/v1/export/bulk",
        "documentation": "https://example.com/docs/export"
      },
      {
        "type": "incremental",
        "uri": "/api/v1/export/incremental",
        "documentation": "https://example.com/docs/incremental-export"
      }
    ]
  }
}
```
Transition Period Protections: Guaranteed functionality during service transitions means providers can’t degrade service during migration periods. From personal experience I am aware that this is not something product managers optimize for.
IoT and Smart Device Provisions
IoT manufacturers face perhaps the biggest adjustment:
Transparency Requirements: Manufacturers must disclose what data is collected and how it’s used. I’ve reviewed several IoT products that collect far more data than users realize. This raw and preprocessed data now needs to be made available to the customer. This is likely to trigger a shift in the industry toward uploading less data to reduce costs.
User Control: Enhanced user rights to control data collection and sharing will require redesigning many IoT systems from the ground up. Most weren’t built with this level of granular control in mind.
Data Portability: The requirements to enable users to port their data between services will be technically challenging for many IoT platforms. Most platforms optimize for the usage requirements of their own front-end application instead of making easy access possible on the data layer.
Technical Documentation: The detailed documentation requirements for data handling practices will create significant work for technical writers and legal teams. Most IoT devices have little or no documentation of what kind of data they create and upload to company servers. A further requirement is that the data must be easily understood by the customer: a binary data dump without any master data is no longer compliant.
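To make the last point concrete, here is an added example (my own illustration, not code from any vendor or from the compliance project) that turns a raw binary telemetry dump into self-describing records carrying the metadata the assessment framework below asks for: timestamp, sensor type, unit of measurement and device ID. The device, record layout and master data are all hypothetical and constructed inline; the point is that the master data travels with the export and that undocumented channels are flagged rather than hidden.

```python
import json
import struct
from datetime import datetime, timezone

# Constructed master data (hypothetical device): what each raw channel means.
# Without it the export is just the binary dump the post describes.
MASTER_DATA = {
    "dev-0001": {
        "model": "hypothetical EV charger",
        "channels": {
            0: {"sensor_type": "power", "unit": "W"},
            1: {"sensor_type": "temperature", "unit": "degC"},
        },
    }
}

# Hypothetical firmware record layout: uint32 unix seconds, uint8 channel id,
# float32 value, all big-endian.
RECORD = struct.Struct(">IBf")


def decode_dump(device_id: str, blob: bytes) -> list[dict]:
    """Turn a raw telemetry dump into self-describing JSON-ready records.

    Every record carries timestamp, sensor type, unit and device ID. Channels
    missing from the master data are flagged rather than silently dropped,
    so the documentation gap is visible to the customer and the provider.
    """
    master = MASTER_DATA.get(device_id)
    if master is None:
        raise KeyError(f"no master data for device {device_id}")
    if len(blob) % RECORD.size:
        raise ValueError("truncated record in dump")
    records = []
    for ts, channel, value in RECORD.iter_unpack(blob):
        rec = {
            "device_id": device_id,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "value": round(value, 3),
        }
        meta = master["channels"].get(channel)
        if meta is None:
            rec.update(sensor_type="unknown", unit=None,
                       warning=f"channel {channel} is not in the master data")
        else:
            rec.update(meta)
        records.append(rec)
    return records


# Constructed sample dump: three records, the last one on an undocumented channel.
SAMPLE_DUMP = b"".join(RECORD.pack(*r) for r in [
    (1744156800, 0, 7300.0), (1744156800, 1, 31.5), (1744156860, 7, 1.0)])

if __name__ == "__main__":
    print(json.dumps(decode_dump("dev-0001", SAMPLE_DUMP), indent=2))
```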
Implications for Companies
Companies struggle with both technical and business challenges:
Technical Implementation Challenges
The technical hurdles are substantial and shouldn’t be underestimated:
Data Architecture Redesign: Many companies need to completely redesign their data architectures. It is no longer enough to enforce tenant separation and authorization on the frontend or application API level. The IAM has to move one level lower, to the data layer, where it enforces strict tenant separation at the IoT asset level. This leads to one-time development efforts, migration efforts for existing services and also ongoing additional costs for maintaining these additional data sources.
API Development: The investment in standardized APIs for data sharing is significant. The EU Data Act pushes the API-first strategy that many companies already have and forces teams to operate stable APIs on the open internet.
Security Enhancements: Sharing and transferring data to external parties creates new attack vectors, so the additional security measures to protect data during sharing and transfers need to be addressed.
Documentation Systems: New systems for tracking data flows and usage are becoming essential. Manual documentation is simply not feasible given the scale of most modern data operations.
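The following is an added example of what "tenant separation at the IoT asset level" can look like at the data layer, written for this post and not taken from any product or from the compliance project. It picks up the car rental case from above: the renter's access is scoped to the rental window and to channels the manufacturer is willing to expose, and the filter is applied to every row regardless of what the application API asked for. The grant model, asset IDs, channel names and telemetry rows are all hypothetical and constructed inline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    """Who may read which channels of which asset during which window.
    A renter's grant covers only the rental period; the owning tenant holds
    an open-ended grant. Hypothetical model, not a real IAM product."""
    principal: str
    asset_id: str
    start: datetime
    end: datetime
    channels: frozenset = frozenset()  # empty means every channel


# Constructed sample: rental-co owns car-17 and car-42. alice rented car-17
# on 2025-04-09, so the rental company (acting as middleware to the car
# maker's API) issued her a grant limited to that day and to channels that
# are not trade secrets.
GRANTS = [
    Grant("rental-co", "car-17", utc(2000, 1, 1), utc(2100, 1, 1)),
    Grant("rental-co", "car-42", utc(2000, 1, 1), utc(2100, 1, 1)),
    Grant("alice", "car-17", utc(2025, 4, 9), utc(2025, 4, 10),
          frozenset({"odometer_km", "battery_soc_pct"})),
]

# Constructed telemetry rows: (asset_id, timestamp, channel, value)
TELEMETRY = [
    ("car-17", utc(2025, 4, 8, 23), "odometer_km", 12000.0),
    ("car-17", utc(2025, 4, 9, 10), "odometer_km", 12080.0),
    ("car-17", utc(2025, 4, 9, 10), "battery_soc_pct", 71.0),
    ("car-17", utc(2025, 4, 9, 10), "diag_fault_code", 17.0),
    ("car-17", utc(2025, 4, 10, 8), "odometer_km", 12210.0),
    ("car-42", utc(2025, 4, 9, 10), "odometer_km", 500.0),
]


def query_telemetry(principal, asset_id, t_from, t_to, grants=GRANTS, rows=TELEMETRY):
    """Data-layer filter: each row is checked against the principal's grants,
    so an over-broad request or a bug in the application API cannot widen the
    result beyond the rental window and the permitted channels."""
    mine = [g for g in grants if g.principal == principal and g.asset_id == asset_id]

    def permitted(ts, channel):
        return any(g.start <= ts < g.end and (not g.channels or channel in g.channels)
                   for g in mine)

    return [r for r in rows
            if r[0] == asset_id and t_from <= r[1] < t_to and permitted(r[1], r[2])]
```

A request from alice for the whole month of April still returns only the two rows from her rental day, while the fault-code channel and the other tenant's cars never appear.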
Business Model Impacts
The business implications may be even more profound:
Data Monetization Strategies: The restrictions on exclusive data usage require new approaches to data monetization. Companies need to pivot from selling exclusive data access to offering value-added analytics services instead.
Service Pricing: Service providers are adjusting pricing models to account for easier switching. I’m seeing more emphasis on value-added services rather than basic storage and compute. Core services need to be priced into the cost of IoT assets and devices rather than into end-user SaaS services.
Product Design Changes: IoT manufacturers must design products with data sharing capabilities from the ground up. This is forcing a fundamental rethink of product architecture. Product managers are slowly becoming aware of this problem and realizing that they have to change their current way of working.
Contractual Adjustments: The revision of terms of service and data sharing agreements is keeping legal teams extremely busy.
EU Data Act Compliance Project
After seeing the wide variation in how companies were approaching the EU Data Act, I decided to create a structured way to track and assess implementation efforts. I started the EU Data Act Compliance project foremost to structure the EU Data Act landscape for myself. Let’s see if it can serve as a community-driven resource for understanding how the EU Data Act is being implemented in practice as well.
Why I Started This Project
For users, my project helps:
- Understand which companies are truly providing the data access they’re entitled to
- Compare implementation approaches across different providers
- Make informed decisions about which products respect their data rights
For companies, the project offers:
- Visibility into industry best practices
- Benchmarking against competitors
- Insights into innovative compliance approaches
Assessment Framework
To ensure consistent evaluation, I’ve developed a comprehensive framework for assessing EU Data Act implementation:
Category | Why It’s Important | Examples |
---|---|---|
Provides clear guidance on data usage | Explains in easy terms how users can access their data under EU Data Act | Documentation on how to get data exists |
Timely Data Access Implementation | Ensures compliance with the legal requirement to make data available without undue delay. | Data access latency, SLAs for data requests, automation of access processes |
Readily Available Data Mechanisms | Defines how data is made accessible without disproportionate effort, in a structured and usable format. | Embedded APIs, local device access, cloud dashboards |
Data Access Types | Determines how data can be retrieved and integrated into downstream systems. Information about rate limits. | Batch downloads, REST APIs, WebSockets, SQL queries, Kafka streams |
Data Format & Structure | Affects interoperability and ease of use for third parties and users. | JSON, CSV, XML, Avro, Protobuf |
Metadata Availability & Quality | Metadata is needed to interpret data correctly, especially for repair, analytics, or legal use. | Timestamp, sensor type, unit of measurement, device ID |
Granularity of Access Permissions | Supports privacy, user control, and compliance with GDPR and trade secret protection. | Role-based access, per-sensor permissions, time-scoped access |
User Information & Transparency Tools | Ensures users are informed of their rights and the nature of available data, enhancing trust and usability. | Web portals, mobile apps, QR-code access to data catalogs |
Security & Confidentiality Measures | Protects data integrity and privacy, especially for trade secrets and personal data. | Encrypted channels, access logs, NDA enforcement mechanisms |
Update & Lifecycle Communication | Keeps users informed when changes affect data access or availability, fulfilling transparency obligations. | Change logs, email notifications about firmware updates |
Support for Data Portability | Facilitates switching between services and competition, a core aim of the Data Act. | Export to standard formats, integration with data intermediation services |
Dispute Handling & User Request Channels | Demonstrates readiness to resolve access issues and uphold users’ rights. | Ticket systems, in-app request handling, escalation to dispute bodies |
Real-World Implementation Example
Here’s an example of how I’m documenting real implementations:
EU Data Act Implementation: Tibber
- Website: Tibber
- API Docs: Tibber API
- Industry: Energy
- IoT Products: Energy Consumption Tracking Devices
- Date: 2025-04-09
Implementation Status:
- Timely Data Access: Real-time API access with <2s latency
- Readily Available Data Mechanisms: Self-Service access without delay
- Data Access Types: GraphQL API Endpoint with rate limit of 100 requests in 5 minutes per IP address
- Data Format & Structure: Standard JSON format with detailed schema documentation
- Metadata Availability: Complete metadata including timestamps and units
- Access Permissions: Granular control to the user of Tibber
- User Information & Transparency: Easy to use API with good documentation
- Security & Confidentiality: Personal access token and OAuth
- Update & Lifecycle Communication: tbd
- Support for Data Portability: Data reuse is possible because of open data formats and leveraging OAuth authentication
- Dispute Handling: tbd
Key Points:
- Strengths: Very supportive to enable reuse of data across platforms. Many home automation integrations exist.
- Improvement Areas: none
This simple example shows how a company with a data-centric mindset already performs quite well with regard to the EU Data Act. It serves as a benchmark for other companies that have to adopt the EU Data Act as well.
Compliance Strategies
Having evaluated different use cases, both at work and for the EU Data Act Compliance project, a two-step approach to compliance looks most feasible.
Short-term Compliance
These are the immediate actions I recommend:
Data Mapping: Start with a comprehensive inventory of data assets and flows. You can’t comply with regulations for data you don’t know you have. I typically use a template like this:
Data Category | Source | Storage Location | Processing Purpose | Access Controls | Retention Period |
---|---|---|---|---|---|
Device telemetry | IoT devices | Cloud database | Performance monitoring | Role-based | 24 months |
User preferences | Mobile app | Local database | Personalization | Encrypted | Until account deletion |
Gap Analysis: Conduct a thorough assessment of current practices against Data Act requirements. I’ve found that even departments with strong GDPR compliance often have significant gaps when it comes to the Data Act.
Policy Updates: Revise privacy policies and terms of service to reflect new rights and obligations. This is not just a legal exercise - the policies need to accurately reflect your actual practices. If you harvest PII in your data that is relevant to the EU Data Act, you need to make sure that you also comply with data privacy regulations when exposing this data.
Staff Training: Educate teams on new data handling requirements. This is often overlooked, but critical - your engineers and product managers need to understand these requirements. In my experience most of the teams have not even heard of the requirements that the EU Data Act defines.
Long-term Strategic Adaptation
For sustainable compliance, these longer-term strategies are essential:
Compliant-by-Design: Incorporate Data Act requirements into product development lifecycles. Make sure that involved teams understand that they need to make all collected and transmitted data available under the EU Data Act. This may reduce the amount of collected data to the necessary use cases instead of dumping everything they can get into cloud services.
Data Governance Frameworks: Establish robust governance structures for ongoing compliance. I am still trying to understand which role is best suited to hold overall responsibility for enforcing compliance and accepting risks under the EU Data Act.
Interoperability Planning: Develop a strategic approach to system interoperability. This often requires significant architectural changes and should be planned over multiple development cycles. It also involves a commitment to open standards and even the involvement in designing standards.
Global Impact
In my international work, I’m already seeing the global ripple effects:
Regulatory Inspiration: I’ve been in discussions with people in non-EU countries who are closely studying the EU approach. We see similar requirements on data access in countries like India and Australia. I expect similar regulations to appear in these jurisdictions within the next few years.
Market Access Requirements: Compliance is becoming a prerequisite for accessing the EU market. Smaller companies and companies with a clear data strategy have a big advantage compared to huge enterprises when it comes to applying the EU Data Act to their daily operations.
Conclusion
After spending the last months partially involved in EU Data Act compliance, I’ve come to see the regulation as both a challenge and an opportunity. Yes, compliance requires significant investment and business model adjustments. But it also pushes companies toward more sustainable, transparent data practices that can build trust and create new value.
The companies that will thrive under this new regime are those that view data regulation not as a burden but as a catalyst for innovation. I’ve already seen departments develop new products and services that leverage the data sharing requirements in creative ways. Without the push from the EU Data Act these projects would not have been a priority.
For those just starting their compliance journey, my advice is simple: start with a thorough understanding of your data landscape, prioritize high-risk areas, and build compliance into your processes rather than treating it as a one-time project.
I invite you to contribute to the EU Data Act Compliance community-driven project. Whether you’re a user wanting to share your experience with a particular company’s implementation or a business looking to showcase your innovative approach, your input helps create transparency in this evolving landscape.
I’ll continue to update this analysis as we see how enforcement develops and as companies adapt to this new regulatory landscape. If you have specific questions or want to contribute to the project, feel free to reach out.
Cheers
Lars
AI Use Disclaimer: I used Cline to define the high level post structure with the claude-3-7-sonnet-20250219 model. The content itself is written by me and is my personal opinion. ChatGPT generated the cover image based on the first paragraphs of this post.