
Data Strategy — EU regulation

EU Data Act public sector data access requests enable government bodies to obtain business-held data in emergencies or public interest situations. Understand the request procedures and your obligation to respond.

Reviewed for accuracy by Kodi C.


Chapter V of the EU Data Act allows public-sector bodies and EU institutions to request access to privately held data when an exceptional need arises (for example, a declared public emergency or a narrowly scoped non-emergency need that cannot be met otherwise). December 2025 is the first winter season with the Data Act in force and common request templates in circulation, so energy network operators, health platforms, mobility providers, and their processors must be ready to answer cross-border requests without undue delay while protecting trade secrets. Use this playbook with the pillar hub, the Data Act setup guide, and related briefs on cloud switching and connected products.

Scope, triggers, and lawful basis

  • Who can request: Competent authorities, EU bodies, and institutions acting under national measures that transpose Articles 14–22. Requests must identify the legal basis, the exceptional need, the data holder, and the time period.
  • When data can be requested: (1) Public emergencies such as natural disasters, public health crises, or cybersecurity incidents where timely data is needed to mitigate harm; (2) Other exceptional needs where the requested data is not otherwise obtainable in time, is needed to perform a specific task in the public interest, and the scope is proportionate.
  • Data in scope: Data generated by the use of connected products and related services, including raw telemetry, derived datasets, and necessary metadata. Trade secrets and personal data remain protected; authorities must apply appropriate technical and organizational measures to preserve confidentiality.
  • Processor and location neutrality: Chapter V applies regardless of where the processor or cloud instance is located if the data holder offers products or services in a Member State. Contract clauses or non-EU storage must not impede lawful disclosure.

Front-door request handling workflow

| Step | Action | Owner | Evidence |
|---|---|---|---|
| Intake | Authenticate the requesting authority, capture legal basis, and log scope (data categories, time window, urgency). | Public-sector request desk | Intake ticket, validated request template, identity verification record. |
| Eligibility screen | Confirm exceptional-need trigger, proportionality, and feasibility; flag conflicts with secrecy obligations. | Legal and privacy counsel | Eligibility checklist, Articles 14–22 mapping, trade-secret protection plan. |
| Data minimization | Apply field-level filters, aggregation, or anonymization where possible without defeating the purpose. | Data engineering lead | Transformation spec, before/after samples, k-anonymity report where applicable. |
| Secure transfer | Provide data via mutually authenticated channels with integrity and access controls; watermark and log exports. | Security operations | Transfer log, checksum, access control list, watermark manifest. |
| Disclosure notice | Inform customers where required by national rules and contract terms unless notice would frustrate the request. | Customer success and legal | Notice templates, exemption rationale, communication log. |
| Costing and compensation | Estimate cost recovery when outside a public emergency; waive or minimize charges during emergencies. | Finance controller | Cost model, invoice (if applicable), waiver approval. |
| Retention and deletion | Time-box retention of delivered extracts, destroy staging copies, and document deletion. | Data governance | Deletion log, retention schedule entry, audit confirmation. |

Routing diagram for an exceptional-need request.
Authority → [Intake] → [Eligibility screen] → [Minimize/anonymize] → [Secure transfer] → [Notify/record] → [Close & delete]

Timelines, SLAs, and escalation

  • Without undue delay: The Data Act requires prompt handling; set internal SLAs (for example, T+4 hours triage for emergencies, T+24 hours for non-emergency eligibility decisions, T+3 days for fulfillment when data is already structured).
  • Escalation ladder: Tie response times to incident command levels used for security events so legal, data, and security leads can mobilize rapidly.
  • Repeat-request handling: Where recurring seasonal or regional requests are likely (for example, winter energy load balancing), pre-stage sanitized datasets and automate watermarking to compress turnaround.
  • Refusals and narrowing: If a request is disproportionate or risks revealing trade secrets without adequate safeguards, respond with a narrowed alternative and document the rationale aligned to Article 17.

Controls to protect trade secrets and personal data

| Control | Purpose | Sample metric |
|---|---|---|
| Field-level minimization | Remove identifiers or granular telemetry not essential to the request objective. | Percentage of requests fulfilled with minimized fields (>80%). |
| Aggregation and anonymization | Provide aggregated values when individual-level data is unnecessary. | Share of non-emergency requests served with aggregated data (>60%). |
| Confidentiality undertakings | Require written commitments and secure handling instructions from the requesting body where permitted. | 100% of non-emergency transfers covered by confidentiality terms. |
| Secure enclaves or view-only rooms | Allow on-site or virtual access without exporting raw data when trade secrets are sensitive. | Number of requests served through controlled-access views vs. exports. |
| Full logging | Log every access, transformation, and transfer to support audits and incident investigations. | Log completeness rate (expected 100%), mean time to produce audit log (<8 hours). |
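
The data-minimization and secure-transfer steps of the workflow, combined with the field-level minimization and aggregation controls above, as an added example (not part of the original briefing or any official request template). The telemetry records, field names, the 3-digit postcode area, and the `k_min` threshold are constructed assumptions; the manifest carries the k-anonymity figure and checksum that the workflow lists as evidence.

```python
import csv
import hashlib
import io
from collections import Counter, defaultdict

# Constructed sample telemetry; field names and values are illustrative assumptions.
RAW = [
    {"meter_id": "M-1", "customer": "A. Example", "postcode": "10115", "hour": "2025-12-01T18", "kwh": 1.5},
    {"meter_id": "M-2", "customer": "B. Example", "postcode": "10117", "hour": "2025-12-01T18", "kwh": 2.0},
    {"meter_id": "M-3", "customer": "C. Example", "postcode": "10119", "hour": "2025-12-01T18", "kwh": 2.5},
    {"meter_id": "M-4", "customer": "D. Example", "postcode": "20095", "hour": "2025-12-01T18", "kwh": 4.0},
]
QUASI_IDS = ("area", "hour")  # fields that, combined, could single out a household

def minimize(rows):
    """Field-level minimization: drop direct identifiers, coarsen postcode to a 3-digit area."""
    return [{"area": r["postcode"][:3], "hour": r["hour"], "kwh": r["kwh"]} for r in rows]

def k_anonymity(rows):
    """k is the size of the smallest group of rows sharing the same quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in QUASI_IDS) for r in rows)
    return min(groups.values(), default=0)

def aggregate(rows, k_min):
    """Aggregate per quasi-identifier group and suppress groups smaller than k_min."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[tuple(r[q] for q in QUASI_IDS)].append(r["kwh"])
    return [{"area": a, "hour": h, "households": len(v), "kwh_total": round(sum(v), 3)}
            for (a, h), v in sorted(buckets.items()) if len(v) >= k_min]

def build_export(rows, k_min=3):
    """Return (csv_bytes, manifest); the manifest is the evidence record for the transfer log."""
    minimized = minimize(rows)
    out = aggregate(minimized, k_min)
    groups_total = len({tuple(r[q] for q in QUASI_IDS) for r in minimized})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["area", "hour", "households", "kwh_total"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(out)
    data = buf.getvalue().encode("utf-8")
    manifest = {"rows_in": len(rows), "rows_out": len(out), "k_min": k_min,
                "k_row_level": k_anonymity(minimized),
                "suppressed_groups": groups_total - len(out),
                "sha256": hashlib.sha256(data).hexdigest()}
    return data, manifest
```

A row-level k below `k_min` (here the single household in area 200) is the signal that individual rows cannot be released as-is, which is why the export falls back to aggregated groups with small-group suppression.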

Operating model and RACI

  • Authority intake desk: Owns receipt, authentication, and initial response; maintains 24/7 on-call rotation during emergency periods.
  • Legal and privacy: Decides eligibility, drafts narrowing proposals, sets notice strategy, and ensures GDPR lawful bases for any personal data processed.
  • Data and security engineering: Designs extraction jobs, applies minimization and integrity checks, and enforces secure transport.
  • Risk and audit: Reviews refusal logs, tests scenario drills twice yearly, and validates that compensation calculations align with internal policy and Article 20.
Quarterly drill cycle aligned to seasonal risk.
[Q1 cold-weather drill] → [Q2 wildfire/flood drill] → [Q3 supply-chain disruption drill] → [Q4 public-health drill]

Data architecture dependencies

  • Inventory and classification: Maintain a current catalog of datasets generated by connected products, including labels for personal data, trade secrets, and critical infrastructure sensitivity. Map each dataset to its storage location and processor.
  • Segmentation and throttling: Use read replicas or data lake exports for statutory requests to avoid performance hits on production systems. Apply bandwidth limits during emergency surges.
  • Vendor coordination: Where processors hold the data, ensure contracts include obligations to cooperate with lawful requests, maintain equivalent security controls, and provide rapid support for minimization and deletion.
  • Interoperable formats: Keep commonly requested datasets exportable in open, machine-readable formats (for example, CSV, JSON, Parquet) with clear data dictionaries so authorities can use the data without repeated clarifications.

Readiness checklist for December 2025

  • Finalize the exceptional-need decision tree and publish it in the legal playbook with Article 14–22 citations.
  • Deploy a single intake channel with MFA for authorities and automated ticket creation; test the on-call rotation.
  • Pre-build extraction templates for top request types (grid telemetry, hospital capacity, mobility heatmaps) with minimization already applied.
  • Update customer-facing FAQs and contract appendices to explain statutory sharing duties and safeguards.
  • Run an end-to-end drill with a mock cross-border request, from intake through deletion, and capture time-to-fulfill metrics.

Evidence and audit file

  • Policy artifacts: Exceptional-need response policy, refusal rationale templates, compensation calculator, and data minimization standards.
  • System logs: Intake tickets, role-based access control changes, export logs, and deletion confirmations.
  • Training records: Annual training completion for intake, legal, and engineering teams; monthly refreshers during peak seasons.
  • Metrics pack: Median time from request to eligibility decision; median fulfillment time by request type; percentage of requests narrowed; incidents of non-compliance (target zero).

Risks if unprepared

  • Statutory non-compliance: Delayed or incomplete responses can trigger corrective measures under national enforcement regimes implementing the Data Act.
  • Trade-secret leakage: Inadequate minimization or weak transfer controls could expose sensitive designs or customer data.
  • Operational disruption: Ad hoc data pulls during emergencies can strain production systems without staging environments and quotas.
  • Reputational damage: Poor communication with customers about lawful disclosures may erode trust, especially in cross-border scenarios.

Data Management Implementation

Data management teams should assess how this development affects data collection, processing, storage, and sharing practices. Policy updates should address any new requirements for data handling, consent management, or purpose limitations. Technical setups should align with documented policies and support audit evidence collection demonstrating compliance with data management requirements.

Ongoing monitoring should verify that data processing activities continue to align with documented purposes and comply with applicable requirements as practices evolve.

Exceptional need criteria and safeguards

The Data Act permits public sector data requests only in situations of exceptional need—public emergencies, statistical purposes, or where data is not otherwise accessible. Data holders may refuse requests that lack legal basis or exceed proportionality limits. If you are affected, establish review procedures to verify request legitimacy before disclosure, including legal counsel sign-off for significant requests.

Trade secrets and commercially sensitive data receive additional protection. Public sector bodies must show that requested data cannot be obtained through less intrusive means. Data holders should maintain logs of requests received, basis cited, and response actions to show compliance with safeguard requirements.

Cross-border request handling

Data Act provisions interact with GDPR and national security laws when public sector requests originate from non-EU authorities. Third-country requests must comply with international agreements or receive European Commission adequacy recognition. If you are affected, flag requests from non-EU public bodies for enhanced legal review and coordinate with relevant data protection authorities before disclosure.

References

  1. Regulation (EU) 2023/2854 (Data Act) — Official Journal of the European Union
  2. Data Act policy overview — European Commission
  3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization