Data Act: What IT teams need to implement now

The Data Act will apply from 12.09.2025. It breaks down data silos, obliges manufacturers and operators to provide access to data, and intervenes deeply in processes from IoT to the cloud. You will benefit if you harmonize data inventory, interfaces and security controls early on.

Brief overview

  • Applicability from 12.09.2025, design obligation for new products from 12.09.2026.
  • Users receive access to product and service data; disclosure to third parties is possible on request. Gatekeepers are excluded.
  • Cloud switching and multi-cloud are strengthened; requirements for fair conditions and fees.
  • No independent legal basis for personal data; the GDPR remains paramount.
  • EU recommends model contract clauses; drafts are available, some final versions are still in flux.

Why the topic is relevant now

The grace period ends when the Data Act comes into force on 12.09.2025. Companies must provide, contractually secure and technically protect data access. Delays affect not only compliance but also business models: maintenance, after-sales services and data-based offers will in future depend on transparent, secure data flows.

In addition to the Data Act, the Cyber Resilience Act is another EU regulation that brings new obligations for manufacturers and has a direct impact on the secure operation of solutions such as the Sophos Firewall.

What is changing or what is new

  • Data access: Users of networked products are given access to raw and certain processed data generated during use. Direct provision to third parties is required on request. Gatekeepers according to DMA are excluded as recipients.
  • Product design: From 12.09.2026, connected products must be designed in such a way that data is directly available as standard.
  • Cloud switching: The Data Act reduces lock-in effects, promotes multi-cloud and regulates fair conditions when switching.
  • Contractual rules: Data license agreements between data owners and users become mandatory. The EU publishes non-binding model clauses for support.

Technical overview

Terms and roles

  • Data owner: Entity with authority to access product or service data, often the manufacturer or operator. Service providers with operational responsibility can also be data owners. In future, they must establish processes to enable users to access the data without delay.
  • Users: Legitimate users of the product or service, including companies. This also includes fleet operators, farmers or end customers who work with networked devices. Users are not only granted a right to information, but also a direct right of access to their data.
  • Third parties: Recipients of data authorized by users, but not gatekeepers. Third parties can be service partners, independent workshops, research institutions or software providers. They must be integrated via secure interfaces.

Data types

  • Covered: Product data and associated service data from usage, including sensor data, status messages, location data and metadata. Processed data records are also included if they are intended for further use.
  • Not covered: Content data such as documents, images or communication. These remain outside the scope of application.
  • GDPR interface: Personal reference is often possible; the Data Act does not create its own legal basis. Any disclosure must also be GDPR-compliant, including verification of the legal basis and, if necessary, consent.

Interfaces

  • Direct access is preferred; otherwise standardized provision, machine-readable and preferably in real time. For companies, this means setting up APIs, data export functions and clearly documented processes. Monitoring, authentication and authorization checks are also part of the interface architecture.

Practical guide

Preparation

  1. Data inventory: List systems, products, sensors and data schemas. Anticipate personal references, check degree of aggregation. External data sources, archive systems and backup data should also be taken into account.
  2. Classification: Separate product and service data from content data. Assign GDPR reference and legal basis per data record. Create additional documentation of categories and life cycles.
  3. Contracts: Prepare data license clauses for new and existing contracts; review draft MCTs and adapt as necessary. In addition, create internal guidelines and training for contract managers.

Implementation

  1. Interfaces: Establish API or export, implement AuthN/AuthZ, document output formats. Also provide versioning and test environments.
  2. Third-party authorization: Set up processes for consent and authorization checks; firmly integrate gatekeeper checks. In addition, use role-based access patterns and time-limited tokens.
  3. Cloud switching: Plan switch paths, data transfer and mapping; define multi-cloud strategies. Schedule test migrations and performance checks.
  4. Protection of secrets: Evaluate filters for trade secrets, minimization and pseudonymization. Check technical procedures such as data masking or differential privacy.
  5. Change management: Document and communicate processes for updates and changes to interfaces.
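The authorization step of the implementation above (user consent, time-limited authorization, gatekeeper exclusion, GDPR legal basis, auditable record) as an added example; this is not code from the original article. The gatekeeper list, the legal-basis table and the in-memory data model are constructed assumptions, and the real check must compare against the Commission's DMA designation list.

```python
"""Authorization gate for a third-party data release request under the Data Act."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed placeholder; in production compare against the DMA designation list.
GATEKEEPERS = {"gatekeeper-example.test"}


@dataclass
class Authorization:
    """A user's time-limited authorization naming one recipient and data categories."""
    user: str
    recipient: str           # domain of the authorized third party
    categories: frozenset    # e.g. {"telemetry", "location"}
    expires: datetime
    revoked: bool = False


@dataclass
class ReleaseGate:
    legal_basis: dict                       # category -> recorded GDPR legal basis
    audit: list = field(default_factory=list)

    def decide(self, auth, recipient, category, now):
        """Return (allowed, reason); reason is None when the release may proceed."""
        reason = None
        if recipient in GATEKEEPERS:                  # DMA gatekeepers are never recipients
            reason = "recipient is a designated gatekeeper"
        elif auth.revoked:                            # revocation must take effect at once
            reason = "authorization revoked"
        elif now >= auth.expires:                     # time-limited tokens, not open-ended
            reason = "authorization expired"
        elif recipient != auth.recipient:
            reason = "recipient not named in authorization"
        elif category not in auth.categories:         # least privilege per data category
            reason = "category not covered by authorization"
        elif category not in self.legal_basis:        # Data Act gives no GDPR basis of its own
            reason = "no GDPR legal basis recorded"
        # Audit-proof record: who, to whom, what, when, under which basis, and the outcome.
        self.audit.append({
            "time": now.isoformat(), "user": auth.user, "recipient": recipient,
            "category": category, "legal_basis": self.legal_basis.get(category),
            "allowed": reason is None, "reason": reason,
        })
        return reason is None, reason
```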

Validation

  • Test cases: User self-service, third-party release, revocation, error scenarios. Also include edge cases and load tests.
  • Logging: Document data releases, recipients, times and legal basis in an auditable manner. Implement audit-proof storage and regular reports.
  • Security tests: API pen tests, rate limiting, anomaly detection. Consider automated vulnerability scans and bug bounty programs.
  • Compliance checks: Internal audits to ensure GDPR and Data Act compliance.

Rollback and monitoring

  • Rollback path for incorrect releases. Document scenarios for recovery and incident response.
  • Monitoring of data outflows via firewall, IDS and SIEM; alerts in the event of volume or pattern deviations. Additionally, implement real-time dashboards and escalation processes for security teams.
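The volume-deviation alerting described above, as an added example that is not part of the original article. The log line format, the baseline rule (a recipient's daily volume above three times its historical mean, or a recipient never seen before) and the sample log are constructed assumptions; a SIEM rule would carry the same logic.

```python
"""Alert on volume or pattern deviations in a data-release log."""
from collections import defaultdict
from statistics import mean

# Constructed sample log: one line per release with recipient and byte count.
SAMPLE_LOG = """\
2025-09-08T09:00:00Z release user=fleet-1 recipient=workshop.test bytes=1000
2025-09-09T09:00:00Z release user=fleet-1 recipient=workshop.test bytes=1100
2025-09-10T09:00:00Z release user=fleet-1 recipient=workshop.test bytes=900
2025-09-11T09:00:00Z release user=fleet-1 recipient=workshop.test bytes=1000
2025-09-12T09:00:00Z release user=fleet-1 recipient=workshop.test bytes=5000
2025-09-12T10:30:00Z release user=fleet-2 recipient=unknown-partner.test bytes=300
"""


def parse(log):
    """Yield (day, recipient, bytes) for each release line."""
    for line in log.splitlines():
        timestamp, _event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        yield timestamp[:10], fields["recipient"], int(fields["bytes"])


def daily_volumes(log):
    """recipient -> day -> total bytes released that day."""
    volumes = defaultdict(lambda: defaultdict(int))
    for day, recipient, size in parse(log):
        volumes[recipient][day] += size
    return volumes


def alerts(log, day, factor=3.0):
    """Return sorted (recipient, alert type, bytes) for the given day."""
    findings = []
    for recipient, per_day in daily_volumes(log).items():
        today = per_day.get(day)
        if today is None:
            continue
        history = [v for d, v in per_day.items() if d < day]
        if not history:                            # pattern deviation: first-time recipient
            findings.append((recipient, "new recipient", today))
        elif today > factor * mean(history):       # volume deviation against baseline
            findings.append((recipient, "volume deviation", today))
    return sorted(findings)
```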

Recommendations and best practices

Recommended measures

  • Data inventory and categorization as a mandatory step.
  • API-first approach with consistent schemas.
  • Least-privilege and finely granular consent.
  • Automate gatekeeper check.
  • Logging and audit-proof evidence.
  • Test multi-cloud switching early on.

Compact allocation table

Measure                | Purpose                   | Note
Data inventory         | Transparency and scope    | Basis for GDPR audit
MCT review             | Contractual clarity       | Use EU drafts, adapt locally
API rate limits        | Protection against abuse  | Combine in firewall and API gateway
Gatekeeper filter      | Compliance                | Comparison against DMA lists
SIEM correlation rules | Traceability              | Integration into existing playbooks
Design from 2026       | Future security           | Direct access by design

Impact on Sophos and other platforms

  • Firewall policy: New data endpoints and admin APIs require rules, TLS inspection after risk assessment, threat feeds for anomaly detection. In addition, fine-grained segmentation and the use of application control rules for API-based access are recommended.
  • Zero Trust: segmented zones and mTLS for third-party access. In addition, regular certificate rotation and integration into existing identity providers to control granular authorizations.
  • SIEM/EDR: Correlate events to data releases, especially unusual volumes or recipients. Extended use cases should also cover API errors, authentication attempts and unauthorized queries.
  • Cloud: Establish egress controls and contractual exit checklists for switch scenarios. In addition, consider capacity planning, automated tests of exit processes and policies for data classification and encryption.
  • Backup and archiving: Data released under the Data Act should be secured by consistent backup and archiving strategies. This allows recovery in the event of incorrect releases or misuse.
  • Reporting: IT teams should create regular reports on data outflows and pass them on to compliance and management levels. This ensures transparency and traceability.

Frequently asked questions

How do you distinguish personal data from non-personal data?

Context and linkability are checked. Location and usage data can often be linked to individuals. No disclosure without a suitable GDPR legal basis.

Do you have to provide data to every third party?

Only at the request of the user and in compliance with the requirements. Gatekeepers are excluded.

When is direct access mandatory?

For new products and services that come onto the market from 12.09.2026. Until then, provision must work on request.

Are there model clauses?

Yes, the EU is developing non-binding MCTs and cloud SCCs; an EDPB statement on the draft is available.

What role does cloud switching play?

The Act promotes switching and multi-cloud. Charges must be fair and non-discriminatory.

Conclusion

The Data Act shifts control of product and service data to the user and opens up markets for maintenance, analytics and integration services. For IT teams, this means work on three fronts: data inventory and legal basis, secure interfaces, and operationalized monitoring. In addition, new responsibilities arise in the areas of compliance management, process documentation and employee training. Interaction with cloud services and integration into existing security architectures must also be planned at an early stage. Those who standardize, automate and implement safeguards early will reduce costs and risks while positioning themselves for future regulatory developments and new business models in a data-driven environment.

Patrizio

Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.
