Data Strategy Briefing — December 22, 2023
With the EU Data Act published in the Official Journal, organisations must elevate governance for data-sharing rights, launch implementation tracks covering device data access, cloud switching, and B2G requests, and align DSAR and contract operations with the regulation's timelines.
Regulation (EU) 2023/2854, known as the Data Act, was published in the Official Journal on 22 December 2023. The regulation enters into force on 11 January 2024 and will apply progressively from September 2025, reshaping how data generated by connected products and related services is accessed, shared, and monetised. The Data Act grants users—both consumers and businesses—the right to access data generated by their devices, mandates fair contractual terms between data holders and data recipients, establishes rules for business-to-government (B2G) data requests, and introduces obligations for cloud and edge service providers to facilitate switching. Boards and data leaders must now design governance, implementation, and data subject interaction strategies that align with these sweeping changes.
The Data Act operates alongside the GDPR, Digital Markets Act, and sector-specific rules, aiming to create a thriving European data economy while preventing lock-in and unfair practices. It applies to manufacturers of connected products, providers of related services, data processing service providers, data holders, and public sector bodies requesting data in exceptional circumstances. Compliance requires cross-functional coordination between legal, privacy, product, engineering, procurement, and customer success teams.
Governance priorities for boards and executive leadership
Boards should initiate a Data Act steering committee to oversee readiness. The committee should inventory connected products, digital services, datasets generated, contractual arrangements, and data monetisation strategies. Governance documentation must classify actors: data holders (entities with the right to grant access), data recipients, users, and public sector requesters. Risk registers should capture potential impacts on business models, intellectual property, trade secrets, and security. Board-level briefings should cover application timelines—including the 20-month grace period, sector-specific delays, and obligations that apply immediately upon entry into force, such as preventing abusive contract terms for SMEs.
Executive leadership must ensure that accountability is clear. Chief product officers should own device data design decisions, chief legal officers should manage contractual frameworks, and chief privacy/data officers should integrate Data Act rights with GDPR processes. Governance charters should describe how disputes will be escalated, how interactions with supervisory authorities will be handled, and how lessons from pilot data sharing agreements will inform enterprise policies. Boards should demand quarterly updates on readiness metrics, regulatory engagement, and market developments.
Stakeholder engagement is critical. Organisations should establish advisory forums involving customers, partners, and industry associations to gather feedback on data sharing demands, opt-out preferences, and acceptable compensation models. Documenting these engagements demonstrates accountability and supports defensible pricing and access conditions.
Implementation roadmap: user access, contractual frameworks, and technical enablement
Implementation begins with user access mechanisms. Manufacturers and service providers must design interfaces—dashboards, APIs, or mobile apps—that allow users to access, download, or transmit data generated by their connected products "without undue delay, free of charge and, where applicable, continuously and in real time." Technical teams should map data flows, determine formats, and identify security controls to prevent unauthorised access. Data minimisation should guide which derived or inferred data is excluded, consistent with the Act's focus on raw and pre-processed data necessary for the product's functionality.
Data sharing with third-party data recipients requires scalable authorisation workflows. Users must be able to grant permission to recipients through clear, granular consent mechanisms, with options to revoke at any time. Systems should log permissions, scope (data categories, duration, frequency), and revocation history. APIs should support secure authentication (OAuth 2.0, eIDAS-based identity), rate limiting, and monitoring to detect misuse. Organisations must verify recipients' compliance with confidentiality, security, and lawful use obligations before enabling access.
Contractual frameworks need substantial revision. The Data Act prohibits unfair terms imposed on micro, small, and medium-sized enterprises (SMEs), such as clauses that exclude liability for intentional misconduct or allow unilateral data use extensions. Legal teams should review standard contracts, licensing agreements, and platform terms to remove or adjust clauses that could be deemed unfair. New template agreements should define permitted uses, data security requirements, compensation models, and dispute resolution mechanisms. Contracts must also address intellectual property and trade secrets, ensuring that safeguards—such as confidentiality agreements, secure processing environments, and redaction—protect sensitive assets.
Cloud and edge service providers face switching obligations. Providers must enable customers to switch to other services or deploy on-premises without facing obstacles such as unjustified delays, data export fees, or technical barriers. Implementation roadmaps should define interoperability standards, data export formats, API documentation, and testing procedures for switching journeys. Providers must also remove egress fees by January 2027 and implement safeguards against unlawful third-country access, including transparency on foreign government requests and contractual commitments to challenge unlawful access.
B2G data sharing requires dedicated processes. Public sector bodies can request data from private entities during public emergencies or when needed to perform a specific task in the public interest. Organisations must establish assessment procedures to verify the legality, necessity, and proportionality of requests; implement secure transmission mechanisms; and maintain logs of data provided, conditions applied, and retention limits. Where compensation is allowed, finance teams should calculate cost-based fees and document the rationale.
Security and privacy safeguards must accompany implementation. Organisations should integrate Data Act obligations into security policies, ensuring role-based access controls, encryption, monitoring, and incident response cover user and recipient access channels. Data protection impact assessments (DPIAs) should be updated to include Data Act processing scenarios, especially when new APIs expose larger data surfaces. Incident response plans should incorporate protocols for revoking access, notifying affected users, and communicating with regulators in case of misuse.
DSAR alignment and customer support
The Data Act introduces rights complementary to GDPR DSARs. Users can demand that data holders share their data directly with a third-party recipient, which requires coordination with DSAR teams. Organisations should extend DSAR portals to include Data Act requests, offering options for self-service API tokens, one-time exports, or continuous sharing. Case management systems must track user identity verification, data scope, recipients, and response times, ensuring alignment with the Act's requirement for prompt delivery.
When DSARs involve both personal data under GDPR and product data under the Data Act, workflows must integrate to avoid inconsistent responses. DSAR teams should collaborate with product and engineering groups to identify which data qualifies as user-generated, which is derived, and which contains trade secrets or IP requiring redaction. Responses should explain any limitations, referencing relevant Data Act provisions and offering appeals or complaint channels.
Customer support must be trained to handle Data Act queries, including revocations, disputes with data recipients, and concerns about security or misuse. Support scripts should guide agents through verification, logging, and escalation to legal or security teams. Metrics such as request volumes, average fulfilment time, revocation rates, and incidents of misuse should feed into governance dashboards and inform product design improvements.
Data governance, monitoring, and reporting
Organisations should update data governance frameworks to include Data Act datasets, metadata, and lineage. Data catalogues must record ownership, access rights, retention policies, and restrictions. Data stewards should monitor usage analytics to detect anomalies, such as data recipients exceeding authorised frequency or accessing unapproved datasets. Automated alerts and periodic audits will help ensure compliance.
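The permission logging described under the implementation roadmap (scope by data category, duration and frequency, with a revocation history) and the stewardship monitoring described above (recipients exceeding their authorised frequency or accessing unapproved datasets) can be demonstrated together. The following is an added example, not code from the briefing or from any product it describes: a minimal permission ledger plus an audit routine that re-evaluates a recipient access log against the ledger. All grant names, categories, timestamps and log entries are constructed for illustration.

```python
"""Added example: permission ledger for user-authorised third-party access to
connected-product data, with an audit that flags accesses outside the grant
and days on which the authorised request frequency was exceeded.
All identifiers and sample data below are constructed, not from the briefing."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    grant_id: str
    user_id: str
    recipient_id: str
    categories: frozenset            # data categories the user authorised
    valid_from: datetime
    valid_until: datetime
    max_requests_per_day: int        # authorised access frequency
    revoked_at: Optional[datetime] = None
    history: list = field(default_factory=list)   # append-only trail of changes


class PermissionLedger:
    """Records user-granted permissions for data recipients and their revocation."""

    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}

    def grant(self, grant_id, user_id, recipient_id, categories,
              valid_from, days, max_requests_per_day) -> Grant:
        g = Grant(grant_id, user_id, recipient_id, frozenset(categories),
                  valid_from, valid_from + timedelta(days=days), max_requests_per_day)
        g.history.append((valid_from, "granted"))
        self._grants[grant_id] = g
        return g

    def revoke(self, grant_id: str, when: datetime) -> None:
        g = self._grants[grant_id]
        if g.revoked_at is None:          # revocation is recorded once and kept
            g.revoked_at = when
            g.history.append((when, "revoked"))

    def limit(self, grant_id: str) -> Optional[int]:
        g = self._grants.get(grant_id)
        return None if g is None else g.max_requests_per_day

    def check(self, grant_id: str, category: str, when: datetime) -> tuple[bool, str]:
        """Decide whether one access is covered by the grant; the string explains a refusal."""
        g = self._grants.get(grant_id)
        if g is None:
            return False, "unknown_grant"
        if g.revoked_at is not None and when >= g.revoked_at:
            return False, "revoked"
        if not (g.valid_from <= when < g.valid_until):
            return False, "outside_validity_window"
        if category not in g.categories:
            return False, "unapproved_category"
        return True, "ok"


def audit_access_log(ledger: PermissionLedger, log: list) -> list:
    """Re-evaluate a recipient access log against the ledger.

    Returns (grant_id, reason, detail) findings: every access not covered by its
    grant, plus every grant/day on which the authorised frequency was exceeded.
    Refused accesses still count toward the daily frequency, since repeated
    attempts are themselves a signal worth surfacing to stewards."""
    findings = []
    per_day = Counter()
    for entry in log:
        ok, reason = ledger.check(entry["grant_id"], entry["category"], entry["ts"])
        if not ok:
            findings.append((entry["grant_id"], reason, entry["ts"].isoformat()))
        per_day[(entry["grant_id"], entry["ts"].date())] += 1
    for (grant_id, day), n in sorted(per_day.items()):
        limit = ledger.limit(grant_id)
        if limit is not None and n > limit:
            findings.append((grant_id, "frequency_exceeded", f"{day.isoformat()}:{n}>{limit}"))
    return findings


# Constructed sample: one grant, revoked after three days, and a recipient log.
T0 = datetime(2025, 9, 12, 8, 0)
ledger = PermissionLedger()
ledger.grant("g-1", "user-42", "insurer-x", {"mileage", "battery_health"},
             T0, days=30, max_requests_per_day=2)
ledger.revoke("g-1", T0 + timedelta(days=3))

SAMPLE_LOG = [
    {"ts": T0 + timedelta(hours=1), "grant_id": "g-1", "category": "mileage"},
    {"ts": T0 + timedelta(hours=2), "grant_id": "g-1", "category": "battery_health"},
    {"ts": T0 + timedelta(hours=3), "grant_id": "g-1", "category": "mileage"},    # third in one day
    {"ts": T0 + timedelta(days=1), "grant_id": "g-1", "category": "gps_trace"},   # not authorised
    {"ts": T0 + timedelta(days=4), "grant_id": "g-1", "category": "mileage"},     # after revocation
]


def run_demo() -> list:
    return audit_access_log(ledger, SAMPLE_LOG)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The `check` method is the same decision the API gateway would make at request time, and `audit_access_log` replays it over stored logs, so a steward's periodic review and the real-time enforcement cannot drift apart. The frequency limit is enforced per calendar day here; a sliding window would be the natural extension where grants express frequency in other units.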
Monitoring extends to contractual and regulatory obligations. Compliance teams should maintain a register of Data Act requests (user-driven, recipient-driven, B2G), contractual agreements, switching tests, and public sector interactions. Internal audit plans should include testing of user access interfaces, contractual fairness reviews, and switching simulations. Findings should be reported to the board with remediation plans.
Transparency is encouraged. Organisations may publish trust centre updates describing Data Act compliance measures, statistics on data-sharing requests, and safeguards for trade secrets. Public sector interactions, particularly during emergencies, should be documented with clarity on scope and safeguards to maintain public trust.
Preparation for enforcement and ecosystem engagement
The Data Act designates national competent authorities and envisions cooperation through a European Data Innovation Board. Organisations should identify their lead authority based on establishment and monitor guidance on registration, reporting, and dispute resolution. Legal teams must stay abreast of implementing acts defining interoperability standards, smart contract requirements, and switching obligations.
Engaging with industry groups, standards bodies, and data spaces will support compliance. Participation in pilot projects can provide insight into consent dashboards, API standards, and compensation models. Organisations should also coordinate with partners to harmonise approaches to Data Act requests, ensuring consistent user experiences across ecosystems.
By implementing robust governance, user-centric access mechanisms, and DSAR-integrated support, organisations can comply with the Data Act while unlocking new value propositions in the European data economy.