On September 12th, the European Union takes a major step towards a more unified digital economy with the official launch of the EU Data Act. The landmark legislation is set to revolutionise how data is shared and used across different sectors, giving individuals and businesses greater control over their connected devices and the information they generate. As the new rules come into effect, they will create significant opportunities and new obligations for a wide range of industries, from manufacturing to smart devices.
Act in brief
The EU Data Act aims to clarify who can create value from data and under what conditions. It’s a key part of the European Union’s data strategy, designed to make more data available for use by businesses and researchers, especially in the industrial sector.
George Tziahanas, Vice President of Compliance at Archive 360, explains: “Regulation is always about balance: enabling innovation while ensuring responsibility. The EU Data Act will open up valuable new data paths, but with that openness comes new obligations for how organisations govern and protect information.
“For organisations, the challenge isn’t simply moving or sharing data – it’s ensuring defensibility throughout. That means minimising and classifying data, so only what the Act requires is disclosed, preserving metadata and legal holds across transfers, and avoiding portability traps that erode governance.”
Key provisions of the Data Act
The act focuses on several important areas to ensure a balance between data access and the rights of data producers.
Access to data for users: It gives users of connected products and services—from smartwatches to industrial machinery—the right to access the data they generate. This means you can’t be locked into a single provider. For example, if you own a smart washing machine, you can access the data it produces and share it with a third-party repair service, rather than being forced to use the manufacturer’s service. This promotes competition in the aftermarket.
Sharing data with businesses: The act requires companies to make data available to other businesses, but with important safeguards. This is particularly relevant for the Internet of Things (IoT). A key rule is that data must be made available for free to individual users, but if a company requests it, the original data holder can charge a reasonable fee, excluding sensitive personal data. It also prohibits data holders from using unfair contractual terms to block access.
Public sector access to data: The law enables public sector bodies to access private sector data in exceptional circumstances, such as during a public emergency like a natural disaster. This provision allows authorities to use data to better coordinate rescue efforts or predict and mitigate future disasters.
Interoperability and switching: The Data Act aims to make it easier for customers to switch between different data processing services, such as cloud providers. It introduces measures to prevent vendor lock-in and encourage interoperability, making the data services market more open and competitive.
Jane Smith, Field Chief Data & AI Officer, EMEA, ThoughtSpot, said the move will help with transparency as well as more effective AI adoption for businesses, commenting: “This new regulation creates tension, but also an opportunity for AI. These new obligations around data portability and access create pressures for organisations, but access to high-quality data, built on a foundation of compliance, also enables AI to thrive.
“This is a chance to help enterprises take complex datasets from a range of platforms or devices, and generate insights with a complete view of the full picture. They can use AI to make faster, better decisions, with full trust that the information they have is accurate and, most importantly, explainable.”
She concluded: “Some might argue that regulation kills innovation, but history shows that regulation legitimises industry and fuels adoption. The bigger risk for AI is the absence of regulation.”

Tim Pfaelzer, Senior Vice President and General Manager EMEA at Veeam, a global market leader in data resilience, said timing was essential – and that the current climate was ripe for new regulations and governance: “The EU Data Act is coming into effect at a crucial point in time. While many organisations have embraced hybrid environments for their flexibility, many have done so at the expense of data portability – making it harder to move, access and secure data.
“With new requirements not only on data portability, but also accessibility, the Act highlights why flexibility needs to be a key consideration, built into operations from the ground up and embedded within data resilience plans. Organisations may have robust resilience plans, but if data is restricted beyond the point of use, not only will it create operational inefficiencies, but could also leave them in breach of the incoming Act.”
Cloud management at source
While the EU Data Act doesn’t directly target data centres, it does impact the services they host and their clients’ operations. Data centre managers will have to implement new protocols to handle user-generated data. They’ll also need to focus on interoperability, data portability and new security and compliance measures. These steps include:
Data portability and interoperability: Data centres will be essential in facilitating the seamless flow of data. They’ll need to support new technical standards that enable users to easily move their data between different services and cloud providers without penalty. This could lead to a greater emphasis on standardised APIs and data formats.
Security and compliance: The act adds a new layer of compliance and security requirements. Data centre clients, who are the “data holders,” will be responsible for providing user access, but the technical burden often falls on the underlying infrastructure. Data centres will need to ensure their platforms have the necessary security and logging capabilities to meet these new regulatory standards.
Increased demand for services: The push for greater data sharing could lead to a boom in data-driven services, increasing the demand for data centre capacity. This includes services related to IoT, AI and industrial data analytics, all of which require significant computing power and storage.
New revenue streams: Data centre providers might find new opportunities by offering specific services that help their clients comply with the Data Act, such as data management platforms, secure data sharing environments, or consulting services on interoperability.
Tziahanas said: “Handled in the right way, the Act becomes more than a compliance exercise. It’s an opportunity to embed responsible governance into data-sharing and cloud-exit strategies, enabling organisations to reduce risk while innovating with confidence.”
Pfaelzer added: “Taking proactive action now won’t just benefit organisations with compliance today, but tomorrow as well. As portability and data sovereignty become increasingly central to digital operations, having secure yet accessible data will be a key differentiator – both in terms of compliance, but also as a competitive advantage.”