Data Act: What IT teams need to implement now
The Data Act applies from 12 September 2025. It breaks down data silos, obliges manufacturers and operators to provide data access, and reaches deep into processes from IoT to the cloud. Teams that align their data inventory, interfaces, and security controls early will benefit.
Brief overview
- Applicable from 12 September 2025; design obligation for new products from 12 September 2026.
- Users receive access to product and service data; transfer to third parties is possible upon request. Gatekeepers are excluded.
- Cloud switching and multi-cloud are strengthened; requirements for fair conditions and fees.
- No independent legal basis for personal data; GDPR remains paramount.
- The EU recommends model contractual terms (MCTs); drafts are available, the final versions are partly still in flux.
Why the topic is relevant now
With the start of application of the Data Act on 12 September 2025, the grace period ends. Companies must provide data access, secure it contractually, and protect it technically. Delays affect not only compliance but also business models: maintenance, after-sales services, and data-based offerings will in future depend on transparent, secure data flows.
In addition to the Data Act, the Cyber Resilience Act is a further EU regulation that brings new obligations for manufacturers and has direct effects on the secure operation of solutions such as the Sophos Firewall.
What changes or what is new
- Data access: Users of connected products receive access to raw and certain prepared data generated during use. Direct provision to third parties is required upon request. Gatekeepers designated under the DMA are excluded as recipients.
- Product design: From 12 September 2026, connected products must be designed so that data is directly accessible by default.
- Cloud switching: The Data Act reduces lock-in effects, promotes multi-cloud, and regulates fair conditions for switching.
- Contract rules: Data licensing agreements between data holder and user become mandatory. The EU publishes non-binding model clauses for support.
Technical overview
Terms and Roles
- Data holder: The entity entitled to make product or service data available, often the manufacturer or operator. Service providers responsible for operations can also be data holders. They must establish processes that give users access without undue delay.
- User: Lawful user of the product or service, incl. companies. This also includes fleet operators, farmers, or end customers working with connected devices. Users receive not only a right to information but an immediate right of access to their data.
- Third party: Recipients of data authorized by users, but no gatekeepers. Third parties can be service partners, independent workshops, research institutions, or software providers. They must be integrated via secure interfaces.
Data types
- Covered: Product data and associated service data from use, including sensor data, status messages, location data, and metadata. Prepared datasets are also included if they are intended for reuse.
- Not covered: Content data such as documents, images, or communication. These remain outside the scope.
- GDPR interface: Personal reference is often possible; the Data Act does not create its own legal basis. Every disclosure must additionally be GDPR-compliant, including checking the legal basis and, if applicable, consent.
Interfaces
- Direct access preferred; otherwise standardized provision, machine-readable, and preferably in real-time. For companies, this means establishing APIs, data export functions, and clearly documented processes. Monitoring, authentication, and authorization checks also belong to the interface architecture.
Practical Guide
Preparation
- Data inventory: List systems, products, sensors, and data schemas. Anticipate personal reference, check aggregation levels. External data sources, archive systems, and backup data should also be considered.
- Classification: Separate product and service data from content data. Assign GDPR reference and legal bases per dataset. Additionally, create documentation of categories and lifecycles.
- Contracts: Prepare data license clauses for new and existing contracts; check draft MCTs and adapt if necessary. Additionally, create internal guidelines and training for contract managers.
Implementation
- Interfaces: Establish API or export, implement AuthN/AuthZ, document output formats. Also provide versioning and test environments.
- Authorization of third parties: Set up processes for consent or authorization checks, with gatekeeper checks built into the flow rather than bolted on. Use role-based access patterns and time-limited tokens.
- Cloud switching: Plan switching paths, data transfer, and mapping; define multi-cloud strategies. Schedule test migrations and performance checks.
- Trade secret protection: Evaluate filters for trade secrets, minimization, and pseudonymization. Check technical procedures like data masking or differential privacy.
- Change management: Document and communicate processes for updates and changes to interfaces.
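The authorization, trade-secret filtering, minimization, and logging steps above can be combined in a single release path. The following is an added example written for this page, not code from the Data Act, Sophos, or any project: a Python function that validates a user's time-limited grant, refuses gatekeeper recipients against a constructed placeholder registry, strips fields classified as trade secrets even when the grant names them, pseudonymizes device identifiers with a keyed hash, coarsens locations, and writes one auditable entry per attempt with recipient, time, legal basis, and outcome. The registry, key, field classification, and telemetry records are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed placeholder recipient registry. In production this is a maintained
# list reconciled with the DMA gatekeeper designations; these names are not real companies.
RECIPIENTS = {
    "workshop-42": {"gatekeeper": False},
    "fleet-analytics": {"gatekeeper": False},
    "bigplatform": {"gatekeeper": True},
}

# Fields the data holder has classified as trade secrets (constructed for the example).
TRADE_SECRET_FIELDS = {"calibration_table", "firmware_debug_counters"}

# Pseudonymization key; a real deployment keeps it in a secrets store and rotates it.
PSEUDONYM_KEY = b"demo-only-rotate-me"

class ReleaseError(Exception):
    """A check failed; nothing is released."""

def pseudonymize(identifier: str) -> str:
    """Keyed hash: stable per identifier, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def coarsen_location(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Round coordinates (two decimals is roughly 1 km) to weaken personal reference."""
    return (round(lat, decimals), round(lon, decimals))

def minimize(record: dict, scope: set) -> dict:
    """Keep only granted fields, drop trade secrets regardless of scope,
    pseudonymize the device identifier and coarsen the location."""
    out = {}
    for key, value in record.items():
        if key in TRADE_SECRET_FIELDS or key not in scope:
            continue
        if key == "device_id":
            out[key] = pseudonymize(value)
        elif key == "location":
            out[key] = coarsen_location(*value)
        else:
            out[key] = value
    return out

def audit_entry(grant: dict, now: datetime, outcome: str, records: int = 0, reason: str = "") -> dict:
    """One auditable line per attempt: who, to whom, when, on which legal basis, and the outcome."""
    return {"ts": now.isoformat(), "user": grant["user"], "recipient": grant["recipient"],
            "legal_basis": grant["legal_basis"], "fields": sorted(grant["scope"]),
            "outcome": outcome, "records": records, "reason": reason}

def release_to_third_party(grant: dict, records: list, now: datetime, audit_log: list) -> list:
    """Validate the user's grant, minimize the matching records, and log the attempt.
    grant keys: user, recipient, scope, legal_basis, expires (timezone-aware datetime)."""
    entry = RECIPIENTS.get(grant["recipient"])
    reason = ""
    if entry is None:
        reason = "unknown recipient"
    elif entry["gatekeeper"]:
        reason = "recipient is a designated gatekeeper"
    elif now >= grant["expires"]:
        reason = "grant expired"
    if reason:
        audit_log.append(audit_entry(grant, now, "refused", reason=reason))
        raise ReleaseError(reason)
    released = [minimize(r, set(grant["scope"])) for r in records if r["owner"] == grant["user"]]
    audit_log.append(audit_entry(grant, now, "released", records=len(released)))
    return released

# Constructed sample telemetry; the record owned by fleet-b must never reach fleet-a's recipient.
SAMPLE_RECORDS = [
    {"owner": "fleet-a", "device_id": "TRK-0001", "timestamp": "2025-09-15T08:00:00Z",
     "location": (48.137154, 11.576124), "engine_hours": 1843.2, "calibration_table": [0.98, 1.02]},
    {"owner": "fleet-b", "device_id": "TRK-0002", "timestamp": "2025-09-15T08:00:00Z",
     "location": (52.520008, 13.404954), "engine_hours": 920.7, "calibration_table": [1.00, 0.99]},
    {"owner": "fleet-a", "device_id": "TRK-0003", "timestamp": "2025-09-15T08:05:00Z",
     "location": (48.135000, 11.580000), "engine_hours": 77.0, "calibration_table": [1.01, 0.97]},
]

def run_demo() -> dict:
    """Happy path plus the two refusals (gatekeeper recipient, expired grant)."""
    now = datetime(2025, 9, 15, 9, 0, tzinfo=timezone.utc)
    audit_log = []
    grant = {"user": "fleet-a", "recipient": "workshop-42",
             "scope": ["device_id", "timestamp", "location", "engine_hours", "calibration_table"],
             "legal_basis": "contract (GDPR Art. 6(1)(b))", "expires": now + timedelta(hours=24)}
    released = release_to_third_party(grant, SAMPLE_RECORDS, now, audit_log)
    refusals = {}
    for label, bad in (("gatekeeper", {**grant, "recipient": "bigplatform"}),
                       ("expired", {**grant, "expires": now - timedelta(minutes=1)})):
        try:
            release_to_third_party(bad, SAMPLE_RECORDS, now, audit_log)
        except ReleaseError as exc:
            refusals[label] = str(exc)
    return {"released": released, "audit_log": audit_log, "refusals": refusals}

if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to a real implementation: the trade-secret filter is applied after the scope check, so a grant that names a protected field still does not release it, and refusals are logged with the same schema as successful releases, so the audit trail shows attempts against gatekeepers or with expired grants rather than just the absence of an entry.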
Validation
- Test cases: User self-service, third-party release, revocation, error scenarios. Also include edge cases and load tests.
- Logging: Document outputs, recipients, times, legal basis in an auditable manner. Implement audit-proof storage and regular reports.
- Security tests: API pen tests, rate limiting, anomaly detection. Consider automated vulnerability scans and bug bounty programs.
- Compliance checks: Internal audits to ensure GDPR and Data Act compliance.
Rollback and Monitoring
- Rollback path in case of erroneous releases. Document scenarios for recovery and incident response.
- Monitoring of data outflows via firewall, IDS, and SIEM; alerts for volume or pattern deviations. Additionally, implement real-time dashboards and escalation processes for security teams.
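As an added detection example for the monitoring step above (not code from the page, Sophos, or any SIEM product), the following Python runs over constructed audit log lines of the kind the Logging step produces and raises two alerts: a recipient whose release volume on a given day exceeds a multiple of its own median daily baseline, and a recipient that appears without any prior history. The log lines, thresholds, and recipient names are constructed for the example; in a SIEM the same logic becomes a correlation rule over the release events.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample of release audit log lines (one JSON object per line); not real data.
# Two suspicious events on 2025-09-18: a 12x volume spike to a known recipient at 03:12 UTC,
# and a large release to a recipient that has never appeared before.
SAMPLE_LOG = """\
{"ts": "2025-09-15T08:02:11Z", "user": "fleet-a", "recipient": "workshop-42", "bytes": 118000}
{"ts": "2025-09-15T09:40:03Z", "user": "fleet-b", "recipient": "fleet-analytics", "bytes": 540000}
{"ts": "2025-09-16T08:05:44Z", "user": "fleet-a", "recipient": "workshop-42", "bytes": 122000}
{"ts": "2025-09-16T09:41:19Z", "user": "fleet-b", "recipient": "fleet-analytics", "bytes": 551000}
{"ts": "2025-09-17T08:01:27Z", "user": "fleet-a", "recipient": "workshop-42", "bytes": 119500}
{"ts": "2025-09-17T09:39:58Z", "user": "fleet-b", "recipient": "fleet-analytics", "bytes": 545000}
{"ts": "2025-09-18T03:12:09Z", "user": "fleet-a", "recipient": "workshop-42", "bytes": 1480000}
{"ts": "2025-09-18T03:14:31Z", "user": "fleet-a", "recipient": "data-broker-x", "bytes": 2300000}
{"ts": "2025-09-18T09:42:05Z", "user": "fleet-b", "recipient": "fleet-analytics", "bytes": 548000}
"""

def parse_log(text: str) -> list:
    """Parse JSON-lines audit output; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def daily_volumes(events: list) -> dict:
    """Map (recipient, YYYY-MM-DD) to the total bytes released that day."""
    volumes = defaultdict(int)
    for event in events:
        volumes[(event["recipient"], event["ts"][:10])] += event["bytes"]
    return volumes

def detect_outflow_anomalies(events: list, day: str, factor: float = 3.0, min_history: int = 2) -> list:
    """Return one alert per recipient that released data on `day` and either has fewer
    than `min_history` earlier days of activity (new recipient) or exceeded `factor`
    times its median daily volume (volume spike). Alerts are sorted by recipient."""
    volumes = daily_volumes(events)
    alerts = []
    for recipient in sorted({r for (r, _) in volumes}):
        today = volumes.get((recipient, day), 0)
        if today == 0:
            continue
        # ISO dates compare correctly as strings, so d < day selects earlier days only.
        history = [v for (r, d), v in volumes.items() if r == recipient and d < day]
        if len(history) < min_history:
            alerts.append({"recipient": recipient, "reason": "new_recipient", "bytes": today})
            continue
        baseline = median(history)
        if today > factor * baseline:
            alerts.append({"recipient": recipient, "reason": "volume_spike",
                           "bytes": today, "baseline": baseline})
    return alerts

if __name__ == "__main__":
    for alert in detect_outflow_anomalies(parse_log(SAMPLE_LOG), "2025-09-18"):
        print(alert)
```

The baseline is the recipient's own median rather than a global threshold, so a high-volume analytics partner does not mask a small workshop suddenly pulling ten times its usual data; the `min_history` guard is what turns a first-time recipient into an alert instead of a silent pass with an empty baseline.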
Recommendations and Best Practices
Recommended measures
- Data inventory and categorization as a mandatory step.
- API-first approach with consistent schemas.
- Least privilege and finely granular consent.
- Automate gatekeeper checks.
- Logging and audit-proof evidence.
- Test multi-cloud switching early.
Compact assignment table
| Measure | Purpose | Note |
|---|---|---|
| Data inventory | Transparency and Scope | Basis for GDPR check |
| MCT Review | Contract clarity | Use EU drafts, adapt locally |
| API Rate Limits | Abuse protection | Enforce at both the firewall and the API gateway |
| Gatekeeper Filter | Compliance | Comparison against DMA lists |
| SIEM Correlation Rules | Traceability | Integration into existing playbooks |
| Design from 2026 | Future-proofing | Direct access by design |
Impact on Sophos and other platforms
- Firewall Policy: New data endpoints and admin APIs need rules, TLS inspection after risk assessment, Threat Feeds for anomaly detection. Additionally, close-meshed segmentation and the use of application control rules for API-based access are recommended.
- Zero Trust: Segmented zones and mTLS for third-party access. Additionally, regular certificate rotation and integration into existing identity providers to control granular permissions.
- SIEM/EDR: Correlate events on data releases, especially unusual volumes or recipients. Extended use cases should also cover API errors, authentication attempts, and unauthorized queries.
- Cloud: Establish egress controls and contractual exit checklists for switch scenarios. Furthermore, consider capacity planning, automated tests of exit processes, and policies for data classification and encryption.
- Backup and Archiving: Data released under the Data Act should be secured by consistent backup and archiving strategies. This allows recovery in case of erroneous releases or misuse.
- Reporting: IT teams should create regular reports on data outflows and pass them on to compliance and management levels. This ensures transparency and traceability.
Frequently Asked Questions
How do you distinguish personal from non-personal data?
Check contexts and linkability. Location and usage data are often relatable to persons. No disclosure without a suitable GDPR legal basis.
Do you have to deliver data to any third party?
Only upon request of the user and in compliance with the requirements. Gatekeepers are excluded.
From when is direct access mandatory?
For new products and services placed on the market from 12 September 2026. Until then, provision upon request must work.
Are there model clauses?
Yes, the EU is working on non-binding MCTs and cloud SCCs; an EDPB statement on the draft is available.
What role does cloud switching play?
The Act promotes switching and multi-cloud. Fees must be fair and non-discriminatory.
Conclusion
The Data Act shifts control over product and service data to users and opens markets for services around maintenance, analytics, and integration. For IT teams, this means work on three fronts: data inventory and legal groundwork, secure interfaces, and operationalized monitoring. New responsibilities also arise in compliance management, process documentation, and employee training, and the interaction with cloud services and the integration into existing security architectures must be planned early. Those who standardize, automate, and implement safeguards early reduce effort and risk, and at the same time position themselves for future regulatory developments and new data-driven business models.