Data Strategy Briefing — November 27, 2023
EU Council’s final approval of the Data Act starts the countdown to 2025 application, requiring executive governance, national implementation planning, and DSAR-aware protocols for data sharing, cloud switching, and public-sector requests.
Executive briefing: The Council of the European Union formally adopted the Data Act, the final legislative step following the European Parliament’s vote earlier in the month. The regulation will enter into force 20 days after publication in the Official Journal and apply 20 months later, likely in the third quarter of 2025. The Council’s approval signals that Member States must begin preparing national enforcement structures, while businesses must finalize governance, implementation, and DSAR-ready processes for data sharing, interoperability, and cloud switching obligations. The Council also endorsed interpretative statements emphasizing protection of trade secrets, cybersecurity, and alignment with GDPR.
Governance coordination across Member States
The Council’s adoption triggers requirements for Member States to designate competent authorities, set up single information points, and coordinate with the European Data Innovation Board. Organizations operating across the EU should establish governance programs that map obligations to each jurisdiction, identify national contacts, and monitor implementing guidance. Boards should mandate quarterly updates on Data Act readiness, ensuring that data-sharing policies integrate with GDPR compliance, cybersecurity, and DSAR obligations. Establish steering committees involving legal, privacy, product, security, procurement, and government affairs teams to oversee national interactions and stakeholder engagement.
Governance documentation should include playbooks for responding to requests from national authorities, public sector bodies, and data subjects. Ensure alignment with trade secret protections, documenting procedures for withholding or redacting sensitive information while providing sufficient access to comply with the Data Act. Boards should review risk appetite statements that account for potential disputes over data sharing and DSAR handling.
Implementation milestones and national coordination
With the application date approaching, organizations should refine implementation roadmaps initiated after the Parliament’s vote:
- 2024 Q1–Q2: Engage with national ministries responsible for the Data Act to understand enforcement models and sandbox opportunities. Participate in consultations on interoperability, standard contractual clauses, and certification schemes. Update internal timelines to reflect national guidance.
- 2024 Q3–Q4: Finalize technical builds for data access interfaces, user authentication, logging, and cloud switching support. Conduct joint testing with strategic partners, including third-party developers authorized to access product data. Coordinate with DSAR teams to ensure portals capture and route Data Act requests appropriately.
- 2025 H1: Complete contractual updates, roll out customer communications explaining Data Act rights, and train frontline teams. Perform readiness assessments, including mock DSARs, trade secret redaction exercises, and public sector request simulations. Ensure cross-border data transfer safeguards align with the Data Act’s restrictions on unlawful third-country access.
Member States may implement penalties for non-compliance; governance programs should map enforcement powers and appeal mechanisms. Maintain documentation of compliance steps to support investigations or dispute resolution.
DSAR integration and transparency obligations
The Data Act operates alongside GDPR, meaning DSAR processes must handle overlapping rights. Controllers should update privacy notices, DSAR portals, and customer contracts to explain how Data Act access rights work, what data categories are covered, and how trade secrets or confidential information will be protected. Implement verification procedures to ensure that third parties receiving data at a user’s request are authorized and subject to confidentiality agreements. Maintain logs linking Data Act disclosures to DSAR records, enabling accurate reporting to data subjects and regulators.
When individuals invoke both GDPR access rights and Data Act user rights, coordinate responses to avoid inconsistencies. Provide data in machine-readable formats, detail any processing limitations, and document reasons for refusing or delaying access (e.g., protection of trade secrets or cybersecurity risks). Update DSAR templates to include Data Act-specific explanations and escalate complex cases to legal counsel.
Cloud switching, interoperability, and security
Cloud and edge providers must enable switching within 30 days, phase out switching charges, and provide interoperability features. After the Council’s adoption, organizations should finalize migration runbooks, including data mapping, exit processes, and security controls. Ensure that encryption keys, access logs, and monitoring systems remain intact during switching to support DSAR evidence. Participate in standardization initiatives led by the European Commission and relevant standards bodies to shape interoperability specifications.
Security remains a priority; the Council highlighted the need to protect critical infrastructure and maintain cybersecurity. Align Data Act implementations with NIS2 Directive requirements, ensuring that data access interfaces include authentication, authorization, and anomaly detection. Conduct penetration tests focused on data-sharing endpoints and log retention systems used to prove DSAR compliance.
Public sector requests and exceptional need
Member States will define processes for public sector bodies to request data in exceptional circumstances. Organizations must prepare evaluation criteria: verifying legal basis, scope, proportionality, and confidentiality safeguards. Maintain registers of public sector requests, including data categories, response timelines, and DSAR implications. Provide transparency reports summarizing requests and outcomes where permitted.
When public sector requests involve personal data, coordinate with data protection officers to apply GDPR safeguards and inform data subjects when legally feasible. Document decisions to refuse or limit requests, citing specific legal grounds and risk assessments.
International data transfers and trade secret protections
The Council emphasized the need to prevent unlawful third-country access to EU data. Implement technical measures (encryption, pseudonymization, access controls) and legal safeguards (standard contractual clauses, binding corporate rules) to manage cross-border transfers. Maintain inventories of third-country access requests, integrate them with DSAR logs, and establish escalation pathways to data protection officers and legal counsel. Provide DSAR responses that explain safeguards and any restrictions on disclosure due to foreign government access risks.
To protect trade secrets, develop redaction frameworks, confidentiality agreements with data recipients, and monitoring for misuse. Document processes for assessing whether disclosure would undermine intellectual property, and provide partial access or summaries when full disclosure is not possible. Record rationales in DSAR and Data Act logs to support regulatory reviews.
Metrics, assurance, and stakeholder engagement
Track metrics such as volume of Data Act requests, average fulfillment time, number of third-party integrations, DSAR response times involving Data Act data, and public sector request outcomes. Conduct internal audits to test controls, verify contract compliance, and assess alignment with national guidance. Engage stakeholders—industry associations, consumer groups, and regulators—to share lessons learned and obtain feedback on implementation challenges.
Provide regular updates to executive leadership, including heat maps of readiness by business unit and jurisdiction. Prepare for potential supervisory inspections by maintaining evidence repositories, training records, and DSAR case files.
Next steps
Immediately after the Council’s adoption, brief executive leadership, update compliance roadmaps, and allocate resources for 2024 implementation sprints. Within six months of entry into force, complete national engagement plans, update contracts, and finalize technical designs. Before the 2025 application date, validate systems through user acceptance testing, tabletop exercises, and independent assurance. Integrating governance discipline, implementation rigor, and DSAR transparency will position organizations to comply with the Data Act and build trust in data-sharing ecosystems.