Skip to content
Close
SEARCH
Contact Us
Contact Us

AI Governance and Compliance

AI Governance

AI Maturity Model

AI Management System

AI Governance Tooling and Technologies

Regulatory Compliance

AI Trust for Goverments

AI Embeded in Products and Software

AI Trust Mark

AI Embedded in Products

Digital Trust

Other Services

Trainings and Workshops

AI Trust Hub

ai_academy_1 (1)

AI Academy

Learn More

Regulations

EU AI Act (Europe)

NIST RMF 1.0 (USA)

United Kingdom

United Arab Emirates

Medical Devices Regulation (EU)

Ethics Guidelines for Trustworthy AI

All Regulations


 

Standards

ISO/IEC 42001

ISO/IEC 42005

ISO/IEC TR 24027

ISO/IEC TR 24028

ISO/IEC TR 24029-1

ISO/IEC 22989

EU Harmonized Standards

COBIT Framework

All Standards

Webinars

Our Webinars


Other Resources

AI Trust Hub

eu_ai_act_1 (1)

Webinars

Learn More
ai_trust_hub_1

AI Trust Hub

Learn More

Explore Our Insights

Digital Trust

AI Trust

Data Privacy

AI Maturity

AI Safety and Robustness

EU AI Act

ISO/IEC 42001

Cybersecurity

Nemko Digital News

AI - Artificial Intelligence

AI Trust

EU AI Act

GPAI Code of Practice

Korean AI Trust Mark

Webinar Announcements

About us

About
Nemko Digital Learn about us here

careers-2

Careers
Contribute towards responsible AI

EU Data Act

The EU Data Act: Turning IoT Data Compliance into a Competitive Advantage

The EU Data Act reshapes IoT data rules. Learn compliance requirements, 2026 deadlines, and how to turn obligations into business opportunities.

The EU Data Act is now in force and it’s rewriting the rules for connected products—who can access IoT data, how it must be shared, and what “fair” terms look like. With the 2026 access-by-design deadline ahead, smart compliance can become a real market advantage.

The Data Act is a landmark EU regulation that is actively redefining the data economy. Since becoming fully applicable on September 12, 2025, it has established harmonized new rules on fair access to and use of data, with profound implications for businesses that manufacture or use connected products and other connected devices. This article provides a clear analysis of the regulation and actionable guidance for turning compliance into a strategic opportunity.

 

Understanding the Data Act: A New Framework for Data Value

 

EU Data act
a

Now in full effect, the Data Act aims to unlock the vast potential of industrial data by clarifying who can create value from it and under what conditions. It addresses long-standing barriers, such as data silos and unfair contractual terms, by establishing a more equitable and competitive data market. The regulation is built on the principle that users—both individuals and businesses (consumers and professional users alike)—who generate data through their use of connected products should have a greater say in how that data is used, including clearer access rights and user rights around sharing and portability.

For manufacturers and providers of IoT devices, this represents a fundamental shift. The era of exclusive control over device-generated data has ended, replaced by a user-centric model that mandates access, portability, and fairness by design—covering both personal data (where GDPR applies) and non-personal data generated by connected products. As the regulatory landscape matures, initiatives led by the European Commission, like the European Commission's Digital Omnibus Package, proposed in late 2025, aim to further streamline and simplify the rules, consolidating several data-related laws into a more unified framework within the broader EU data policy and broader data strategy. (This is also part of the wider European Union regulation ecosystem shaped by institutions such as the European Parliament.)

 

Core Obligations for IoT Device Manufacturers and Data Holders

The Data Act introduces several critical obligations that require careful planning and implementation. These duties are designed to empower users and foster a more open data ecosystem, directly impacting how IoT products are designed, sold, and managed by manufacturers, service providers, and other organizations acting as data holders or data users.

The regulation introduces a user-centric access and sharing regime that fundamentally reshapes existing and future business models of data holders. Data holders may no longer use or share data generated by the product without a contractual agreement with the user.

 

Key obligations are summarized below:

Access by Design Products must be engineered to make data directly and securely accessible to users by default. This critical requirement applies to all new products placed on the market from September 12, 2026.
Data Access & Portability Upon request, data holders must provide users with access to their data free of charge, in a machine-readable format, and in real-time where feasible.
Third-Party Data Sharing Data holders are required to share data with third parties designated by the user (a third-party data recipient). This must be done under fair, reasonable, and non-discriminatory (FRAND) terms.
Fair Contractual Terms The Act prohibits the use of unfair contractual terms that are unilaterally imposed on smaller enterprises (SMEs), ensuring a more balanced negotiating position and fair access.
Transparency Users must be informed upfront about the type, volume, and nature of the data their device will generate and the terms under which it can be accessed.

 

These requirements compel businesses to move beyond a purely technical compliance mindset. They necessitate a strategic reassessment of data governance, product development lifecycles, and commercial relationships—especially where related services depend on access to valuable data generated by connected products, or where a companion user app serves as the access channel. For a deeper dive into the regulatory landscape, it is useful to compare its principles with other significant legislation like the EU AI Act.

 

The Road to Enforcement: 2025-2026 Developments

With the September 2025 application date now passed, the Data Act has moved from theory to practice. Across the EU, Member States are actively establishing national enforcement bodies and penalty structures as part of practical Data Act compliance. For instance, Malta was among the first to designate its competent authorities, with penalties for significant infringements reaching up to 5% of an undertaking's annual turnover. Germany followed with a draft implementation act in late 2025, proposing a tiered penalty system with fines up to €5 million for serious breaches. This demonstrates a clear and growing enforcement reality for non-compliant businesses.

Furthermore, the European Commission is already refining the digital rulebook. In November 2025, it introduced the Digital Omnibus Package, a legislative proposal aimed at simplifying and aligning key regulations, including the Data Act. This initiative seeks to consolidate several data-related laws into a single, more coherent framework, strengthen trade secret protections, and clarify rules for business-to-government data sharing during public emergencies. These developments signal a dynamic regulatory environment where staying informed is crucial—particularly for businesses handling international data requests, operating in emerging sector-specific data platforms, or planning for participation in European data spaces.

Data Act Critical Timeline and Enforcement
Fig. 1: The Data Act enforcement timeline—with September 2026 as the critical compliance deadline

 

The Strategic Imperative: From Compliance Burden to Business Opportunity

While the Data Act introduces stringent compliance challenges, it also creates significant opportunities for forward-thinking organizations. By embracing the regulation’s principles, businesses can not only mitigate risk but also unlock new avenues for growth and innovation.

1. Enhance Customer Trust and Value: Transparency is a cornerstone of the Data Act. By providing users with clear information and control over their data, businesses can build deeper trust and loyalty. Empowering customers with data access can also enable them to derive more value from their products, strengthening the customer relationship and supporting data rights current expectations in the market.

2. Foster a Competitive Aftermarket Ecosystem: The mandate to share data with third parties will stimulate a vibrant market for repair, maintenance, and other ancillary such services. While this introduces competition, it also creates partnership opportunities. Manufacturers can position themselves as central players in this new ecosystem, offering certified data-sharing solutions or value-added analytics services—potentially working with data intermediaries or specialized partners where appropriate.

3. Drive Innovation through Data Collaboration: The regulation encourages a more collaborative data environment. By developing secure and efficient data-sharing mechanisms, businesses can participate in broader data spaces, leading to new insights, improved products, and innovative services that would be impossible to develop in a siloed data environment. This can also create commercial opportunities for new business models, including a-service offerings built on compliant access and portability.

4. Strengthen Cybersecurity Posture: The Act’s emphasis on secure data access aligns with broader trends in digital trust and resilience. Investing in robust security measures to comply with the Data Act will also improve a company’s overall cybersecurity landscape, a critical asset in today’s digital world—especially when working with external recipients or cloud service providers.

 

Navigate the Data Act with Confidence

The transition to Data Act compliance requires a proactive and strategic approach. With enforcement now a reality and the critical September 12, 2025, deadline for "access by design" fast approaching, organizations must act decisively. This involves conducting a thorough assessment of products, data flows, and contractual agreements to identify gaps and risks, and developing a clear implementation roadmap that covers technical redesigns, process updates, and staff training—aligned with key principles such as transparency, security, and fairness.

Navigating this complex regulatory environment can be challenging, but it is a journey that can lead to a more resilient, competitive, and trusted business model. At Nemko Digital, we provide the expert guidance and verification needed to transform compliance obligations into a source of competitive advantage. By leveraging robust frameworks like AI management systems, you can ensure your operations are not only compliant but also primed for success in the new data economy—particularly where connected products, vehicle data, switching and portability (switching obligations), or intersections with other regimes (e.g., GDPR or the database directive) are relevant.

To learn more about how the Data Act is transforming businesses, consider exploring expert insights and discussions in our EU Data Act webinar.

Future-Ready Solutions

Nemko Digital’s AI governance and regulatory compliance experts help organizations navigate current and upcoming regulatory frameworks, ensuring readiness for the future.

Contact Us

Future-ready solutions

Nemko Digital’s AI governance and regulatory compliance experts help organizations navigate current and upcoming regulatory frameworks, ensuring readiness for the future.
Contact Us

Get Started on your Digital Trust Journey

Contact Us