Policy Briefing – EU Data Act and Cyber Resilience Act

The EU Data Act applies from 12 September 2025, granting users rights to access and share data generated by connected products, prohibiting unfair contractual terms and requiring devices to be designed for data portability. The Cyber Resilience Act introduces mandatory cybersecurity requirements for digital products, with phased obligations starting in 2026 and full enforcement on 11 December 2027. Organisations must design products for data access and cybersecurity, revise contracts, conduct risk assessments and implement secure-by-design practices.

Context

The European Union’s digital policy landscape is entering a pivotal phase. The Data Act entered into force on 11 January 2024 and will apply from 12 September 2025【198636416272734†L81-L84】. Its goal is to create a fair, innovative data economy by guaranteeing users—both consumers and businesses—access to data generated by their connected products and by preventing manufacturers or service providers from maintaining exclusive control over that data【869370560880741†L26-L36】. In parallel, the Cyber Resilience Act (CRA) is the EU’s first horizontal legislation mandating cybersecurity requirements for products with digital elements. The CRA entered into force in December 2024 and launches a phased implementation that begins with conformity-assessment notifications in June 2026, includes mandatory vulnerability reporting starting 11 September 2026, and culminates in full enforcement on 11 December 2027【763898905869977†L191-L202】. Together, these regulations mark a shift towards secure‑by‑design products and equitable data access across the European economy.

Key Changes and Features

Fair access to data and portability. The Data Act grants users the right to access, use and share data generated by their connected products and services, such as smart appliances, industrial machinery and connected vehicles【869370560880741†L28-L36】. Data holders—typically manufacturers and cloud service providers—must make data available free of charge to the user and, upon request, to third parties designated by the user【869370560880741†L26-L36】. The Act also prohibits unfair contractual terms that could prevent data sharing and directs the European Commission to develop model contractual terms on data access by September 2025【869370560880741†L86-L109】. It empowers public sector bodies to request access to private‑sector data for emergency response, ensuring that such requests are proportionate and that compensation is provided only in non‑emergency scenarios【869370560880741†L116-L133】.

Device and service design requirements. To facilitate portability and interoperability, the Data Act requires connected products and related services to be designed with “access by design” principles. This means products must enable seamless data transfer and switching between providers without lock‑in【869370560880741†L40-L42】. Cloud service providers must remove or reduce contractual and technical barriers to data migration and make pricing for data transfer transparent【869370560880741†L136-L148】. Manufacturers and service providers must also review and revise their contractual frameworks and data governance strategies to meet these obligations【869370560880741†L28-L40】.

Phased security obligations. The Cyber Resilience Act introduces 21 mandatory cybersecurity requirements for manufacturers, importers and distributors of products with digital elements【763898905869977†L92-L99】. It creates a phased implementation: after entering into force in December 2024, conformity‑assessment bodies begin notifying under CRA rules on 11 June 2026; mandatory vulnerability reporting and serious incident notifications start on 11 September 2026; and full enforcement applies from 11 December 2027【763898905869977†L191-L202】. The CRA divides products into risk classes—Default, Important (Class I), Important (Class II) and Critical—with different conformity‑assessment obligations【763898905869977†L191-L202】. Manufacturers must ensure secure‑by‑design development, continuous vulnerability management and lifecycle documentation, and maintain an SBOM (software bill of materials) for each product【763898905869977†L166-L169】【763898905869977†L264-L268】.

Penalties and enforcement. Under the CRA, non‑compliance can result in administrative fines of up to €15 million or 2.5 % of the company’s global annual turnover, whichever is higher【763898905869977†L264-L268】. Regulators may also withdraw or recall non‑compliant products from the EU market【763898905869977†L272-L281】. The Data Act relies on national authorities to enforce obligations and allows for civil remedies against unfair contractual terms. Businesses must align Data Act compliance with existing GDPR obligations, because the Data Act does not override data‑protection rules【869370560880741†L80-L83】.

Implications

Engineering and product teams. For engineers and product managers, the regulations mandate designing IoT devices and cloud services with data portability and cybersecurity as core requirements. Product architectures must expose data interfaces that allow users to retrieve and transfer data easily. Developers need to embed security controls—including secure boot, vulnerability reporting mechanisms and incident response—in product lifecycles. Classification under the CRA’s risk categories will determine whether self‑assessment suffices or third‑party certification is required【763898905869977†L191-L202】.

Legal and contractual frameworks. Contract teams must review existing agreements with suppliers, customers and cloud providers to remove unfair data‑sharing clauses and incorporate model contractual terms once they are published. Organisations should implement standard processes for responding to data‑access requests, both from users and, in emergencies, public authorities【869370560880741†L116-L133】. They must also prepare for potential liabilities under GDPR when personal data is involved【869370560880741†L80-L83】. Corporate governance should reflect the obligation to report vulnerabilities and incidents within the CRA’s timelines and ensure that supply‑chain partners commit to similar standards【763898905869977†L191-L202】.

Business strategy and competition. The Data Act aims to spur competition by preventing incumbent manufacturers from locking users into closed ecosystems. Companies that embrace data sharing and interoperability may unlock new business models—for example, offering maintenance or analytics services based on shared device data. Conversely, organisations that fail to adapt could face fines and reputational damage. The CRA’s penalties, reaching €15 million or 2.5 % of turnover for non‑compliance【763898905869977†L264-L268】, emphasise the business risk of neglecting cybersecurity. Investors and partners will increasingly scrutinise compliance posture when evaluating technology companies.

Recommended Actions

Conduct a gap analysis. Create an inventory of all products and services with digital elements marketed in the EU and classify them according to the CRA’s risk categories【763898905869977†L191-L202】. Assess whether devices enable data access by design and whether contractual terms meet Data Act requirements. Identify missing security features, vulnerability reporting processes and supply‑chain obligations.

Implement secure-by-design practices and documentation. Integrate security testing and vulnerability management throughout product lifecycles. Maintain SBOMs for every product and ensure that third‑party components are monitored for known vulnerabilities【763898905869977†L290-L334】. Design incident‑response procedures that meet the CRA’s reporting timelines. Document data flows and ensure that data‑sharing mechanisms are well defined and transparent.

Prepare for contractual and regulatory changes. Update user terms and supplier contracts to incorporate fair data‑sharing clauses and the forthcoming model contract terms. Develop internal processes to handle user requests for data access and transfers. Align policies with GDPR to ensure lawful processing when personal data is involved and monitor guidance from the European Commission and national authorities【869370560880741†L26-L36】.

Zeph Tech Analysis

The Data Act and the Cyber Resilience Act signal a structural shift in Europe’s approach to digital products. By establishing the right to access data and prohibiting unfair contractual terms, the Data Act treats data generated by connected devices as a shared resource rather than a proprietary asset. This could democratise IoT innovation, enabling smaller service providers to build offerings atop data once locked behind closed platforms. However, compliance will require significant investment from manufacturers and cloud providers, particularly in developing interoperable architectures and revising contractual frameworks【869370560880741†L26-L36】. Meanwhile, the CRA introduces a baseline of cybersecurity requirements across all products with digital elements, closing gaps left by sector‑specific regulations. Its phased rollout gives companies time to adapt, but the combination of strict vulnerability reporting, lifecycle security obligations and high penalties means that cybersecurity can no longer be treated as an afterthought. Together, these regulations reflect the EU’s ambition to build a trustworthy data economy and may serve as templates for other jurisdictions. Organisations operating in the EU should start their compliance journeys now to avoid last‑minute rushes and to leverage data‑sharing opportunities created by the new rules.
