Data Strategy Briefing — March 14, 2023
The European Parliament’s Data Act mandate advances rules for user data access, fair B2B contracts, public-sector data requests, and cloud switching safeguards ahead of trilogue negotiations.
Executive briefing: On 14 March 2023, the European Parliament adopted its negotiating mandate on the proposed Data Act, clearing the way for inter-institutional trilogues with the Council and Commission on rules that will unlock industrial data sharing, set portability requirements for cloud services, and codify safeguards for trade secrets and law enforcement access. Companies building connected products and cloud-based services in the European Union must now prepare for obligations spanning business-to-business data sharing, consumer rights, public-sector access during emergencies, and interoperability standards that will reshape digital ecosystems.
Capabilities: Designing data access and sharing frameworks
The Parliament’s position preserves the Commission’s core aim of enabling users of connected products or related services to access and share the data they help generate. Manufacturers will need to provide data—by default free of charge—to users in a timely, easily accessible, and machine-readable format. They must also ensure that data can be transmitted directly to third parties designated by the user, subject to safeguards against unlawful sharing. Contracts limiting user access or imposing unfair terms on SMEs will be unenforceable.
To operationalise these rights, organisations must catalogue datasets generated by IoT devices, machinery, and digital services; classify data as personal, non-personal, or mixed; and implement permissioning workflows that differentiate between user data, by-product data, and derived insights. Technical measures should include secure APIs, logging, throttling, and authentication to ensure that data is shared with verified parties while protecting system integrity. Legal teams will need model terms that comply with fairness requirements, limit liability, and clarify confidentiality obligations.
The Parliament strengthened protections for trade secrets and intellectual property by requiring recipients to implement technical and organisational measures that preserve confidentiality, and by allowing data holders to withhold particularly sensitive information if disclosure would cause serious harm, provided they justify refusals. Companies must therefore coordinate between legal, engineering, and product teams to evaluate what constitutes serious economic harm and document the rationale for any restrictions.
Implementation sequencing: Preparing for Data Act compliance
Phase 1 — Assessment and governance. Establish a Data Act readiness programme led by the chief data officer and supported by privacy, security, legal, and product stakeholders. Conduct a regulatory gap analysis comparing existing data access mechanisms to the Parliament’s requirements, including timelines for responding to user requests, data formats, and security controls. Map contractual relationships with distributors, service partners, and platform providers to identify clauses that may need revision once the Data Act takes effect.
Phase 2 — Technical enablement. Build or enhance API gateways that can deliver user-requested data exports with appropriate metadata, quality indicators, and context. Implement consent management interfaces enabling users to designate third-party recipients and revoke permissions. Design throttling and monitoring to detect misuse. For cloud and edge services, inventory dependencies and prepare to support switching, including data portability, functional equivalence documentation, and professional services support for migration.
Phase 3 — Operational rollout. Train customer support teams to handle Data Act requests, escalate complex cases, and coordinate with legal on trade secret assessments. Update incident response plans to address potential misuse of shared data or breaches arising from third-party access. Develop reporting mechanisms for suspected unfair contract terms or non-compliant requests. Coordinate with industry associations to contribute to standardisation efforts that the Data Act mandates for interoperability and smart contract safeguards.
Responsible governance and safeguards
The Parliament clarifies conditions under which public bodies can request data from companies in situations of exceptional need, such as public emergencies or to implement legal mandates. Organisations must establish governance processes to evaluate these requests, ensuring they are necessary, proportionate, and accompanied by compensation where appropriate. Legal teams should prepare templates for data-sharing agreements that specify purpose limitation, retention periods, and security requirements.
Cloud service providers face specific obligations to facilitate switching and multi-cloud deployment, including prohibitions on contractual and commercial lock-ins, mandatory transparency on functional capabilities, and a phased reduction of switching fees to zero within three years of the Data Act’s entry into force. Providers must document interoperability interfaces, provide support for standardised interfaces, and ensure that customers can export data, applications, and metadata without service interruption.
Law enforcement access is circumscribed: the Parliament seeks stronger safeguards to prevent third-country authorities from unlawfully accessing non-personal data held in the EU. Providers must implement notification processes and challenge mechanisms when receiving foreign government orders that conflict with EU or member-state law. Security teams should maintain audit trails of data access, implement encryption, and perform due diligence on third-party recipients to mitigate cross-border risks.
Sector playbooks
Industrial and manufacturing. Equipment makers must prepare to provide machine-generated data to customers and aftermarket service providers. This requires documenting data schemas, ensuring edge devices can transmit data securely, and establishing commercial models—such as tiered service agreements—for value-added analytics. Suppliers should also evaluate liability exposure when sharing data used for predictive maintenance or optimisation.
Automotive and mobility. Vehicle manufacturers will need to support driver and fleet manager requests for telematics data, enabling third-party repair and service providers. They must integrate Data Act workflows with existing EU type-approval regulations, cybersecurity management systems, and UNECE software update requirements. Managing sensitive safety data requires robust controls to prevent tampering or misuse.
Smart home and consumer electronics. Producers of connected appliances must build user interfaces that allow individuals to access usage data and designate third-party service providers. Privacy and consumer protection laws—such as the GDPR and forthcoming AI Act—must be reconciled with Data Act obligations, particularly when sharing combined personal and non-personal data.
Cloud and SaaS providers. Service providers should assess multi-tenant architecture, encryption key management, and support obligations to ensure customers can migrate workloads without breaching security. They must disclose technical limitations that could impede switching and participate in European standardisation efforts for interoperability APIs and data structures.
Measurement, metrics, and assurance
Programme success should be tracked through metrics such as the number of Data Act access requests fulfilled within mandated timelines, percentage of datasets covered by machine-readable exports, customer satisfaction with portability processes, and incidents related to data misuse or confidentiality breaches. Organisations should also monitor the volume and disposition of public-sector data requests, documenting legal analyses and compensation arrangements.
Audit teams must verify that trade secret assessments are consistent, that data-sharing agreements include required safeguards, and that third-party access controls are enforced. Cybersecurity teams should test APIs and data export processes for vulnerabilities, while privacy teams ensure GDPR compliance when personal data is involved. Reporting to executive committees and boards should highlight readiness milestones, residual risks, and resource needs.
As trilogue negotiations progress, companies should maintain scenario plans reflecting potential changes—such as stricter obligations on high-value datasets, additional safeguards for smart contracts, or adjustments to enforcement mechanisms. Early alignment with the Parliament’s mandate enables faster adaptation once the final Data Act text is agreed.
Sources
- European Parliament press release — Data Act mandate adopted (14 March 2023).
- European Parliament legislative resolution on the Data Act proposal (14 March 2023).
- European Commission proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act).




