Deep Dive on EU Data Act

By Ira Goel

Introduction

The EU Data Act, which came into force on January 11, 2024, aims to revolutionize data governance across all economic sectors within the European Union (EU). While primarily focusing on industrial, non-personal data, it also has implications for data protection considerations. It seeks to address the complexities arising from the burgeoning digital economy, particularly in handling data generated by the Internet of Things (IoT) and related services.

This article explores the Data Act in detail, discussing its general requirements, specific provisions, its alignment with existing regulations such as the GDPR, the NIS 2 Directive and the proposed Cyber Resilience Act, its applicability across various sectors, and the implications of non-compliance, including potential fines.

Scope of Application

The EU Data Act applies to various entities, including:

  1. Manufacturers of Connected Products: This includes companies producing connected cars, smart-home devices, medical devices, and related services that are placed in the EU market.

  2. Users of Connected Products or Related Services: Individuals or businesses using connected products or related services within the EU.

  3. Public Sector Bodies: Public sector bodies of EU member states, as well as EU institutions, agencies and bodies, which can request data holders to make data available in exceptional cases (e.g., public emergencies).

  4. Data Processing Service Providers: Cloud service providers (such as SaaS, PaaS, IaaS) and edge service providers offering services to customers in the Union.

  5. Participants in Data Spaces and Smart Contract Vendors: Entities involved in data spaces and those deploying smart contracts for others.

General Requirements of the Data Act

The Data Act sets forth a series of general requirements designed to ensure fair, transparent access to data and foster a competitive digital market:

  • Data Accessibility: Ensuring that users and businesses have access to data generated from the products and services they use.

  • Data Sharing: Facilitating the sharing of data across different sectors, emphasizing fairness and innovation.

    • Data Sharing with Third Parties: Data holders are obligated to make data available to third parties under data sharing contracts.

    • Data Sharing with Public Sector Bodies: In case of public emergencies, data holders must make data available to public bodies.

  • Data Interoperability: Promoting technical standards that ensure data can be easily exchanged and used across various platforms and services.

  • Design Requirements and Transparency: Manufacturers must design their products so that the data they generate or capture is available to users free of charge and, ideally, directly accessible from the product.

Specific Provisions of the Data Act

The Data Act includes several specific provisions:

  • Data Usage Rights: It defines clear guidelines on who can use data and under what conditions, focusing on protecting the rights of data creators and consumers.

  • IoT Device Data: The Act addresses data generated by IoT devices, granting consumers and businesses access to their data, and, in some instances, the ability to share this data with third-party providers.

  • Data Portability: Enhancing the right to data portability, making it easier for users to transfer their data between service providers.

Alignment with Other EU Regulations

The Data Act is not an isolated regulation but part of a broader EU legislative framework on data protection and cyber security:

  • General Data Protection Regulation (GDPR): The Data Act complements the GDPR by adding specific rules for non-personal data and mixed datasets. It ensures that personal data handled within the scope of the Data Act still complies with the GDPR’s stringent privacy requirements, including the rights of access and data portability, by providing more specific rules. Where the Data Act’s requirements involve personal data processing (including access and use), they remain subject to compliance with the GDPR.

  • NIS 2 Directive: As the NIS 2 Directive focuses on security measures for network and information systems, the Data Act aligns with these requirements by ensuring that data sharing and access provisions include appropriate cybersecurity measures.

  • Cyber Resilience Act: Although still at the proposal stage, the Cyber Resilience Act aims to enhance the security of products with digital elements. The Data Act aligns with this prospective regulation by addressing the security aspects of IoT devices and the data they generate.

Data Act and Cyber Resilience Act

The relationship between the European Union's Data Act and the proposed Cyber Resilience Act is an integral part of the EU's strategy to enhance digital security and data management across its member states. Both pieces of legislation aim to strengthen the overall digital ecosystem by promoting secure data practices and bolstering the resilience of digital products and services. Here is a detailed look at how the two interact and complement each other:

Purpose and Objectives

Data Act: The primary objective of the Data Act is to regulate the access to, use and sharing of data generated by connected devices and services. It focuses on ensuring that data generated by IoT devices and similar technologies is accessible and usable in a fair, transparent and non-discriminatory manner. This includes provisions to prevent the unlawful or unauthorized use of data and to ensure that both businesses and consumers can reap the benefits of the data they generate or collect.

Cyber Resilience Act: While still at the proposal stage, the Cyber Resilience Act is designed to enhance the security of digital products and services. Its primary focus is on setting stringent cybersecurity requirements for manufacturers and providers of products with digital elements, thereby increasing the overall resilience of the EU’s digital infrastructure against cyber threats and attacks.

Complementary Relationship

The Data Act and the Cyber Resilience Act are complementary in several ways:

  1. Enhanced Security and Compliance: The Data Act ensures that data is accessible and shared according to fair practices, while the Cyber Resilience Act mandates that the devices and services generating or managing this data meet high security standards. This dual approach not only protects data but also the systems through which this data flows.

  2. Consumer Protection: Both acts provide strong consumer protection: the Data Act through its focus on data rights and accessibility, and the Cyber Resilience Act through its emphasis on the security of the products consumers use. Together, they work to create a safer, more reliable digital environment for consumers.

  3. Boosting Innovation: By ensuring that data can be accessed and used securely, these laws help stimulate innovation. The Data Act makes more data available for use in innovative ways, while the Cyber Resilience Act ensures that these innovations are secure and trustworthy.

  4. Regulatory Overlap and Coordination: Both acts address data and cybersecurity in the context of IoT and connected services. Manufacturers and service providers must consider both the data management and the security aspects of their offerings, which requires a coordinated approach to compliance covering both data protection and cyber resilience.

Implementing Compliance

For organizations, the relationship between these two regulations means that compliance cannot be siloed; rather, it requires a holistic approach to data management and cybersecurity:

  • Product Development: Companies must integrate robust security features at the design stage of products and services to comply with the Cyber Resilience Act, while also ensuring these products provide the data accessibility and portability required by the Data Act.

  • Data Management Policies: Policies must address both the secure handling of data (as required by the Cyber Resilience Act) and the fair and transparent use and sharing of data (as mandated by the Data Act).

  • Joint Compliance Strategies: Organizations should develop strategies that address both regulations simultaneously, streamlining processes so that all aspects of data handling and cybersecurity are covered.

Data Act and NIS 2 Directive

The relationship between the European Union's Data Act and the NIS2 Directive (Network and Information Systems Directive 2) is another key aspect of the EU's comprehensive approach to strengthening digital security and enhancing the management and utility of data across various sectors. Both legislative measures are designed to improve the overall resilience and integrity of the EU’s digital infrastructure, but they do so from slightly different angles, focusing on data governance and cybersecurity respectively. Here is an in-depth look at how the two relate to each other and work together:

Purpose and Objectives

Data Act: The Data Act regulates access to and use of data generated by connected devices, services and other digital interactions. Its main objective is to ensure that data generated within the EU can be accessed and utilized fairly and efficiently, promoting innovation and ensuring that businesses and consumers can benefit from the data they generate.

NIS2 Directive: The NIS2 Directive, which updates and expands the original NIS Directive, aims to enhance the security of network and information systems across the EU. It sets out security requirements for operators of essential services and digital service providers, broadening the scope to include more sectors and increasing the security obligations for these entities.


Complementary Relationship

The Data Act and NIS2 Directive complement each other in the following ways:

  • Enhancing Data Security and Governance: While the Data Act ensures the accessibility and fair use of data, NIS2 secures the underlying infrastructure that stores, processes and transmits this data. Together, they provide a robust framework for the safe handling of data across its entire lifecycle, from generation and storage to distribution and utilization.

  • Broadened Sectoral Impact: Both regulations impact a wide range of industries, but while the Data Act primarily targets entities handling data generated from IoT and digital services, NIS2 applies to a broader array of essential services and key digital platforms, encompassing sectors like energy, transport, health, and digital infrastructure.

  • Regulatory Synergies: Organizations subject to both regulations must consider their data management practices and cybersecurity measures in tandem. For example, a service provider governed by the NIS2 Directive must not only secure its network and information systems as required but also ensure that its practices around data access and sharing are compliant with the Data Act.


Implementing Compliance

For organizations impacted by both the Data Act and the NIS2 Directive, achieving compliance involves integrating data management and cybersecurity strategies:

  • Assessment and Alignment: Businesses need to assess their current practices under both regulatory frameworks. This includes evaluating how data is accessed, shared, and secured within their operations.

  • Integrated Risk Management: Implementing an integrated risk management framework that addresses both data governance issues and cybersecurity threats can help ensure compliance with both the Data Act and NIS2.

  • Policy and Procedure Updates: Companies may need to update their internal policies and procedures to address the specific requirements of each regulation, ensuring that data management practices are secure and compliant with cybersecurity mandates.

  • Technology Investments: Investing in technologies that enhance data governance capabilities and strengthen cybersecurity defenses will be crucial. This could include tools for data encryption, anomaly detection, secure data sharing platforms and other cybersecurity solutions.


Applicability Across Industries

The Data Act applies broadly across multiple sectors:

  • Technology and IoT: Companies manufacturing IoT devices or providing related services are directly affected.

  • Healthcare: Organizations handling health-related data through IoT devices must adhere to the Act’s provisions while ensuring compliance with other specific regulations like GDPR.

  • Automotive: For automotive manufacturers, the Data Act impacts how vehicle-generated data is accessed and used.

  • Telecommunications and IT Services: These sectors must adapt to the requirements for handling, sharing, and securing data.

Impact of Non-Compliance

The majority of the Data Act’s provisions will apply from September 12, 2025. Non-compliance with the Data Act carries significant risks:

  • Fines: Similar to the GDPR, the Data Act includes provisions for substantial fines, potentially up to 4% of annual worldwide turnover for businesses that fail to comply with its mandates.

  • Reputational Damage: Non-compliance can lead to loss of consumer trust, which is critical in the digital economy.

  • Operational Disruptions: Failing to adhere to data access and interoperability requirements can lead to technical and operational inefficiencies.

Conclusion

The Data Act is a significant step forward in regulating the modern digital landscape. By establishing robust guidelines for data access, sharing, and security, it not only protects the interests of consumers and businesses but also fosters an environment conducive to innovation and competition. Organizations across affected industries must take proactive steps to understand and integrate the requirements of the Data Act into their operations to avoid the risks of non-compliance.

Resources for Further Reading and Compliance Guidance

  1. Official EU Data Act Text: [Link to EU legislation portal]

  2. EU GDPR Portal: Comprehensive resources on GDPR compliance.

  3. EU Agency for Cybersecurity (ENISA): Guidelines on NIS 2 Directive and cybersecurity measures.

  4. IoT Alliance Europe: Best practices and compliance guides for IoT manufacturers and service providers.

  5. Data Protection Authorities: National websites provide specific guidance on integrating GDPR with the Data Act.

  6. Navigating the European Data Act: Key provisions, changes, and challenges

  7. Details of the EU Data Act (3)—Enforcing the Data Act

  8. Details of the EU Data Act (2)—Obligations of Cloud and Other Data Processing Services
