Impact on manufacturers and provider
According to Art. 3 para. 1 Data Act, connected products must be designed and manufactured and related services must be designed and provided in such a way that the product data and related service data – including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.
Impact on data holder
- Obligations to make data available
The EU legislature wants to boost the use of data in the EU. To this end, existing “data silos” are to be broken up by means of data access rights. Data owners must provide users with certain data without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This not only threatens to result in a flood of secret data, but also to reduce the market value of certain data. - Necessity of a data license
The Data Act also stipulates the requirement of a data license: anyone who wants to use certain non-personal data requires the consent of the respective users. Otherwise, in addition to fines, there is also the possibility of claims for damages from the so-called users.
Impact on the supply chain
Before concluding purchase, rental or leasing contracts for connected products and contracts for associated services, the user would have to be provided with a wide range of mandatory information. Implementing these requirements will necessitate corresponding organizational and contractual measures within the respective supply chain.
Impact on cloud providers
The Data Act also directly interferes with the business models of cloud providers. So-called “data processing services” are obliged to eleminate pre-commercial, commercial, technical, contractual and organizational obstacles to change and fees in order to counteract a vendor lock-in of their customers. The Data Act prescribes numerous contractual minimum provisions, in particular, customers should be able to start switching providers at any time with a notice period of max. two months. This has significant implications for the legal and commercial design of SaaS and other cloud contracts.
Paradigm shift for EU data economy
While the Data Act was originally conceived as a promoter of innovation, in practice it is increasingly proving to be an obstacle to innovation. At the legal level, the interplay of the Data Act, in particular with the GDPR and the protection of trade secrets, is causing considerable concern. In addition, the central concepts and requirements of the Data Act are still so unclear that they could hardly be applied with legal certainty without comprehensive concretization. On a technical level, a key challenge is to ensure a clear assignment of data and data usage rights, in particular to specific users and data owners, and to resolve multiple assignments appropriately. At the same time, however, the provisions of the Data Act offer new opportunities for value creation and even competitive advantages. Those who think about the Data Act at an early stage may be one step ahead of the competition. Those who ignore it endanger their own business model.
Realization plan
Almost every company that collects, exchanges, processes or commercializes data is potentially affected by the Data Act. Despite the short implementation deadlines, many addressees of the Data Act have so far underestimated the challenges ahead. In view of the ambitious timetable, swift action is required. Aitava helps you to be prepared. As a thought leader, we provide you with decisive impetus.
- Step 1: Requirements Engineering
Unfortunately, the Data Act is subject to a high degree of interpretation uncertainty. It cannot simply be implemented, but must first be “drilled down” and “translated” into technical requirements. This is not just a matter of legal interpretation. Rather, operational risk decisions often need to be made to achieve a company-wide interpretation of the facts and legal consequences. - Step 2: Taking stock and gap analysis
The key to implementing the Data Act lies in smart data governance. Therefore, an accurate picture of the current situation must first be created. To do this, the relevant and planned data flows, systems, products, services and business processes, and existing interfaces must be recorded. This is followed by a comparison between the target and actual situation in order to derive the specific deltas. - Step 3: Escaping the offense
Ideally, the application of the Data Act to one’s own products and services can be avoided. The rushed EU legislature has accepted gaps that create opportunities for design. This applies, for example, to:- Technical design, e.g. development focus on secondary data not covered by the Data Act
- Organizational arrangements, e.g. agreement of processing contracts in accordance with Art. 28 GDPR to avoid the role of data holder
- Legal arrangements, e.g. “escape” into overriding data protection law to avoid data access claims
- Step 4: Processing plan
The requirements of the Data Act must be implemented by September 12, 2025. The initial focus should be on the must-haves, which include:- Dealing with third-party data access claims (including defense with secrecy and data protection)
- Necessity of data licenses when handling the data concerned
- Information requirements in the supply chain
- Adaptation of standard contracts to Art. 13, 25 DA
- Requirements for access by design in manufacturing and development (to be implemented by September 12, 2026)
- Step 5: Automate processes
To achieve sustainable efficiency, the requirements of the Data Act must be understood as business processes:- Automated handling of data access requests
- Establishment of company-wide frameworks to implement the Data Act by default in future projects.
- Implementation of interfaces to aggregate and optimize data flows, also in connection with other regulatory requirements (e.g. GDPR, AI Act).
Use Aitava’s expertise to meet the challenges of the Data Act. We see ourselves as thought leaders and continuously support numerous well-known companies in data protection and data governance projects. When implementing the Data Act, we can draw on extensive expertise and proven strategies. Aitava cuts through the complexity and helps you to understand the new regulations of the Data Act and implement them sustainably.