
EU Data Act and Cyber Resilience Act

Two major EU regulations are converging: the Data Act (September 2025) and Cyber Resilience Act (phased through 2027). Connected products need data portability and security-by-design. If you are shipping IoT or smart devices into Europe, plan for both.

Fact-checked and reviewed — Kodi C.


Context

The European Union’s digital policy environment is entering a key phase. The Data Act entered into force on 11 January 2024 and will apply from 12 September 2025. Its goal is to create a fair data economy by guaranteeing users—both consumers and businesses—access to the data generated by their connected products and by preventing manufacturers or service providers from keeping exclusive control over that data. In parallel, the Cyber Resilience Act (CRA) is the EU’s first horizontal legislation mandating cybersecurity requirements for products with digital elements. The CRA entered into force in December 2024 and follows a phased timeline: conformity-assessment notifications begin in June 2026, mandatory vulnerability reporting starts on 11 September 2026, and full enforcement applies from 11 December 2027. Together, these regulations mark a shift toward secure‑by‑design products and equitable data access across the European economy.

Key Changes and Features

Fair access to data and portability. The Data Act grants users the right to access, use and share data generated by their connected products and related services, such as smart appliances, industrial machinery and connected vehicles. Data holders—typically manufacturers and cloud service providers—must make that data available free of charge to the user and, upon request, to third parties designated by the user. The Act also prohibits unfair contractual terms that could prevent data sharing and directs the European Commission to develop model contractual terms on data access by September 2025. It further allows public sector bodies to request access to private‑sector data for emergency response, provided such requests are proportionate; compensation is due only in non‑emergency scenarios.

Device and service design requirements. To support portability and interoperability, the Data Act requires connected products and related services to be designed on “access by design” principles. In practice, products must enable smooth data transfer and switching between providers without lock‑in. Cloud service providers must remove or reduce contractual and technical barriers to data migration and make pricing for data transfer transparent. Manufacturers and service providers must also review and revise their contractual frameworks and data governance strategies to meet these obligations.

Phased security obligations. The Cyber Resilience Act introduces 21 mandatory cybersecurity requirements for manufacturers, importers and distributors of products with digital elements. Its rollout is phased: after entry into force in December 2024, conformity‑assessment bodies begin notifying under CRA rules on 11 June 2026; mandatory vulnerability reporting and serious incident notifications start on 11 September 2026; and full enforcement applies from 11 December 2027. The CRA divides products into risk classes—Default, Important (Class I), Important (Class II) and Critical—each with different conformity‑assessment obligations. Manufacturers must ensure secure‑by‑design development, continuous vulnerability management and lifecycle documentation, and must maintain an SBOM (software bill of materials) for each product.

Penalties and enforcement. Under the CRA, non‑compliance can result in administrative fines of up to €15 million or 2.5 % of the company’s global annual turnover, whichever is higher. Regulators may also withdraw or recall non‑compliant products from the EU market. The Data Act relies on national authorities to enforce obligations and allows for civil remedies against unfair contractual terms. Businesses must align Data Act compliance with existing GDPR obligations, because the Data Act does not override data‑protection rules.

Implications

Engineering and product teams. For engineers and product managers, the regulations mandate designing IoT devices and cloud services with data portability and cybersecurity as core requirements. Product architectures must expose data interfaces that allow users to retrieve and transfer data easily. Developers need to embed security controls—including secure boot, vulnerability reporting mechanisms and incident response—in product lifecycles. Classification under the CRA’s risk categories will determine whether self‑assessment suffices or third‑party certification is required.

Legal and contractual frameworks. Contract teams must review existing agreements with suppliers, customers and cloud providers to remove unfair data‑sharing clauses and incorporate model contractual terms once they are published. Teams should implement standard processes for responding to data‑access requests, both from users and, in emergencies, public authorities. They must also prepare for potential liabilities under GDPR when personal data is involved. Corporate governance should reflect the obligation to report vulnerabilities and incidents within the CRA’s timelines and ensure that supply‑chain partners commit to similar standards.

Business strategy and competition. The Data Act aims to spur competition by preventing incumbent manufacturers from locking users into closed ecosystems. Companies that embrace data sharing and interoperability may enable new business models—for example, offering maintenance or analytics services based on shared device data. Conversely, teams that fail to adapt could face fines and reputational damage. The CRA’s penalties, reaching €15 million or 2.5 % of turnover for non‑compliance, emphasize the business risk of neglecting cybersecurity. Investors and partners will now scrutinise compliance posture when evaluating technology companies.

Conduct a gap analysis. Create an inventory of all products and services with digital elements marketed in the EU and classify them according to the CRA’s risk categories. Assess whether devices enable data access by design and whether contractual terms meet Data Act requirements. Identify missing security features, vulnerability reporting processes and supply‑chain obligations.

Implement secure-by-design practices and documentation. Integrate security testing and vulnerability management throughout product lifecycles. Maintain SBOMs for every product and ensure that third‑party components are monitored for known vulnerabilities. Design incident‑response procedures that meet the CRA’s reporting timelines. Document data flows and ensure that data‑sharing mechanisms are well defined and transparent.

Prepare for contractual and regulatory changes. Update user terms and supplier contracts to incorporate fair data‑sharing clauses and the forthcoming model contract terms. Develop internal processes to handle user requests for data access and transfers. Align policies with GDPR to ensure lawful processing when personal data is involved and monitor guidance from the European Commission and national authorities.

Analysis summary

The Data Act and the Cyber Resilience Act signal a structural shift in Europe’s approach to digital products. By establishing the right to access data and prohibiting unfair contractual terms, the Data Act treats data generated by connected devices as a shared resource rather than a proprietary asset. This could democratise IoT innovation, enabling smaller service providers to build offerings atop data once locked behind closed platforms. However, compliance will require significant investment from manufacturers and cloud providers, particularly in developing interoperable architectures and revising contractual frameworks. Meanwhile, the CRA introduces a baseline of cybersecurity requirements across all products with digital elements, closing gaps left by sector‑specific regulations. Its phased rollout gives companies time to adapt, but the combination of strict vulnerability reporting, lifecycle security obligations and high penalties means that cybersecurity can no longer be treated as an afterthought. Together, these regulations reflect the EU’s ambition to build a trustworthy data economy and may serve as templates for other jurisdictions. Teams operating in the EU should start their compliance journeys now to avoid last‑minute rushes and to use data‑sharing opportunities created by the new rules.



