Data Strategy · 7 min read · Credibility 73/100

Data Strategy — EU regulation

The EU Data Act was published in the Official Journal, starting the countdown to compliance. IoT data access, cloud switching rights, and B2G data sharing provisions apply from September 12, 2025.

Reviewed for accuracy by Kodi C.


Regulation (EU) 2023/2854, known as the Data Act, was published in the Official Journal on 22 December 2023. The regulation enters into force on 11 January 2024 and will apply progressively from September 2025, reshaping how data generated by connected products and related services is accessed, shared, and monetised.

The Data Act grants users—both consumers and businesses—the right to access data generated by their devices, mandates fair contractual terms between data holders and data recipients, establishes rules for business-to-government (B2G) data requests, and introduces obligations for cloud and edge service providers to facilitate switching. Boards and data leaders must now design governance, implementation, and user interaction strategies that align with these sweeping changes.

The Data Act operates alongside the GDPR, Digital Markets Act, and sector-specific rules, aiming to create a thriving European data economy while preventing lock-in and unfair practices. It applies to manufacturers of connected products, providers of related services, data processing service providers, data holders, and public sector bodies requesting data in exceptional circumstances. Compliance requires cross-functional coordination between legal, privacy, product, engineering, procurement, and customer success teams.

Governance priorities for boards and executive leadership

Boards should initiate a Data Act steering committee to oversee readiness. The committee should inventory connected products, digital services, datasets generated, contractual arrangements, and data monetization strategies.

Governance documentation must classify actors: data holders (entities with the right to grant access), data recipients, users, and public sector requesters. Risk registers should capture potential impacts on business models, intellectual property, trade secrets, and security. Board-level briefings should cover application timelines—including the 20-month grace period, sector-specific delays, and obligations that apply immediately upon entry into force, such as preventing abusive contract terms for SMEs.

Executive leadership must ensure that accountability is clear. Chief product officers should own device data design decisions, chief legal officers should manage contractual frameworks, and chief privacy/data officers should integrate Data Act rights with GDPR processes. Governance charters should describe how disputes will be escalated, how interactions with supervisory authorities will be handled, and how lessons from pilot data sharing agreements will inform enterprise policies. Boards should demand quarterly updates on readiness metrics, regulatory engagement, and market developments.

Stakeholder engagement is critical. Teams should establish advisory forums involving customers, partners, and industry associations to gather feedback on data sharing demands, opt-out preferences, and acceptable compensation models. Documenting these engagements shows accountability and supports defensible pricing and access conditions.

Implementation roadmap: user access, contractual frameworks, and technical enablement

Implementation begins with user access mechanisms. Manufacturers and service providers must design interfaces—dashboards, APIs, or mobile apps—that allow users to access, download, or transmit data generated by their connected products "without undue delay, free of charge and, where applicable, continuously and in real time." Technical teams should map data flows, determine formats, and identify security controls to prevent unauthorized access. Data minimization should guide which derived or inferred data is excluded, consistent with the Act's focus on raw and pre-processed data necessary for the product's functionality.

Data sharing with third-party data recipients requires flexible authorization workflows. Users must be able to grant permission to recipients through clear, granular consent mechanisms, with options to revoke at any time. Systems should log permissions, scope (data categories, duration, frequency), and revocation history. APIs should support secure authentication (OAuth 2.0, eIDAS-based identity), rate limiting, and monitoring to detect misuse. Teams must verify recipients' compliance with confidentiality, security, and lawful use obligations before enabling access.

Contractual frameworks need significant revision. The Data Act prohibits unfair terms imposed on micro, small, and medium-sized enterprises (SMEs), such as clauses that exclude liability for intentional misconduct or allow unilateral data use extensions.

Legal teams should review standard contracts, licensing agreements, and platform terms to remove or adjust clauses that could be deemed unfair. New template agreements should define permitted uses, data security requirements, compensation models, and dispute resolution mechanisms. Contracts must also address intellectual property and trade secrets, ensuring that safeguards—such as confidentiality agreements, secure processing environments, and redaction—protect sensitive assets.

Cloud and edge service providers face switching obligations. Providers must enable customers to switch to other services or deploy on-premises without facing obstacles such as unjustified delays, data export fees, or technical barriers. Implementation roadmaps should define interoperability standards, data export formats, API documentation, and testing procedures for switching journeys. Providers must also remove egress fees by January 2027 and implement safeguards against unlawful third-country access, including transparency on foreign government requests and contractual commitments to challenge unlawful access.

B2G data sharing requires dedicated processes. Public sector bodies can request data from private entities during public emergencies or when needed to perform a specific task in the public interest. Teams must establish assessment procedures to verify the legality, necessity, and proportionality of requests; implement secure transmission mechanisms; and maintain logs of data provided, conditions applied, and retention limits. Where compensation is allowed, finance teams should calculate cost-based fees and document the rationale.

Security and privacy safeguards must accompany implementation. Teams should integrate Data Act obligations into security policies, ensuring that role-based access controls, encryption, monitoring, and incident response cover user and recipient access channels. Data protection impact assessments (DPIAs) should be updated to include Data Act processing scenarios, especially when new APIs expose larger data surfaces. Incident response plans should incorporate protocols for revoking access, notifying affected users, and communicating with regulators in case of misuse.

DSAR alignment and customer support

The Data Act introduces rights complementary to GDPR DSARs. Users can demand that data holders share their data directly with a third-party recipient, which requires coordination with DSAR teams. Teams should extend DSAR portals to include Data Act requests, offering options for self-service API tokens, one-time exports, or continuous sharing. Case management systems must track user identity verification, data scope, recipients, and response times, ensuring alignment with the Act's requirement for prompt delivery.

When DSARs involve both personal data under GDPR and product data under the Data Act, workflows must integrate to avoid inconsistent responses. DSAR teams should collaborate with product and engineering groups to identify which data qualifies as user-generated, which is derived, and which contains trade secrets or IP requiring redaction. Responses should explain any limitations, referencing relevant Data Act provisions and offering appeals or complaint channels.

Customer support must be trained to handle Data Act queries, including revocations, disputes with data recipients, and concerns about security or misuse. Support scripts should guide agents through verification, logging, and escalation to legal or security teams. Metrics such as request volumes, average fulfillment time, revocation rates, and incidents of misuse should feed into governance dashboards and inform product design improvements.

Data governance, monitoring, and reporting

Teams should update data governance frameworks to include Data Act datasets, metadata, and lineage. Data catalogs must record ownership, access rights, retention policies, and restrictions. Data stewards should monitor usage analytics to detect anomalies, such as data recipients exceeding their authorized access frequency or accessing unapproved datasets. Automated alerts and periodic audits help maintain compliance.
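As an added illustration, not code from the briefing, the following Python sketch shows how the authorization workflow described earlier and the anomaly monitoring described here fit together: a permission register that logs each grant's scope (data categories, duration, frequency) and revocation history, decides every recipient access request, and records the denials a steward would want alerted on (unapproved categories, exceeded frequency, access after revocation). All user, recipient and category names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    categories: frozenset             # data categories the user authorised
    valid_until: datetime             # authorisation duration
    max_per_day: int                  # authorised access frequency
    revoked_at: Optional[datetime] = None

class PermissionRegister:
    """Records grants, revocations and every access decision as an audit trail."""
    def __init__(self):
        self.grants = {}    # (user, recipient) -> Grant
        self.history = []   # append-only log of grants, revocations, decisions
        self.daily = {}     # (user, recipient, day) -> accesses so far
    def grant(self, user, recipient, categories, days, max_per_day, now):
        self.grants[(user, recipient)] = Grant(frozenset(categories), now + timedelta(days=days), max_per_day)
        self.history.append(("grant", user, recipient, now))
    def revoke(self, user, recipient, now):
        self.grants[(user, recipient)].revoked_at = now
        self.history.append(("revoke", user, recipient, now))
    def authorize(self, user, recipient, category, now):
        """Check one access against scope, duration, revocation and frequency."""
        g = self.grants.get((user, recipient))
        if g is None:
            verdict = "deny:no_grant"
        elif g.revoked_at is not None and now >= g.revoked_at:
            verdict = "deny:revoked"
        elif now > g.valid_until:
            verdict = "deny:expired"
        elif category not in g.categories:
            verdict = "deny:unapproved_category"
        else:
            key = (user, recipient, now.date().isoformat())
            self.daily[key] = self.daily.get(key, 0) + 1
            verdict = "allow" if self.daily[key] <= g.max_per_day else "deny:frequency_exceeded"
        self.history.append(("decision", user, recipient, category, now, verdict))
        return verdict

def run_sample():
    """Constructed scenario with hypothetical names: one grant, five accesses, then a revocation."""
    reg, t0 = PermissionRegister(), datetime(2025, 9, 12, 8, 0)
    reg.grant("user-1", "insurer-A", {"odometer", "battery"}, 30, 2, t0)
    events = [("insurer-A", "odometer", t0 + timedelta(minutes=5)),
              ("insurer-A", "location", t0 + timedelta(minutes=6)),   # category never authorised
              ("insurer-A", "battery", t0 + timedelta(hours=1)),
              ("insurer-A", "odometer", t0 + timedelta(hours=2)),     # third access in one day
              ("repair-shop", "odometer", t0 + timedelta(hours=3))]   # no grant at all
    verdicts = [reg.authorize("user-1", r, c, t) for r, c, t in events]
    reg.revoke("user-1", "insurer-A", t0 + timedelta(days=1))
    verdicts.append(reg.authorize("user-1", "insurer-A", "odometer", t0 + timedelta(days=1, hours=1)))
    return verdicts, reg
```

Every "deny:" verdict in `reg.history` is a candidate alert for the steward, and the log itself is the evidence a regulator or user dispute would ask for.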

Monitoring extends to contractual and regulatory obligations. Compliance teams should maintain a register of Data Act requests (user-driven, recipient-driven, B2G), contractual agreements, switching tests, and public sector interactions. Internal audit plans should include testing of user access interfaces, contractual fairness reviews, and switching simulations. Findings should be reported to the board with remediation plans.

Transparency is encouraged. Teams may publish trust center updates describing Data Act compliance measures, statistics on data-sharing requests, and safeguards for trade secrets. Public sector interactions, particularly during emergencies, should be documented with clarity on scope and safeguards to maintain public trust.

Preparation for enforcement and ecosystem engagement

The Data Act designates national competent authorities and envisions cooperation through a European Data Innovation Board. Teams should identify their lead authority based on establishment and monitor guidance on registration, reporting, and dispute resolution. Legal teams must stay abreast of implementing acts defining interoperability standards, smart contract requirements, and switching obligations.

Engaging with industry groups, standards bodies, and data spaces will support compliance. Participation in pilot projects can provide insight into consent dashboards, API standards, and compensation models. Teams should also coordinate with partners to harmonize approaches to Data Act requests, ensuring consistent user experiences across ecosystems.

By implementing strong governance, user-centric access mechanisms, and DSAR-integrated support, teams can comply with the Data Act while enabling new value propositions in the European data economy.
