Should I care about the EU Data Act?
For good or bad, the EU has drowned us all in data legislation. I don’t think that, at the time all the regulations were drafted, the Commission foresaw the collapse of the alliance between the US and Europe, but it was clearly concerned about the dominance of American data gatekeepers over European data. In many ways, protecting the sovereignty of European data has only become more critical.
On top of all the new data security requirements, there is a particular focus on connected device data. Most IoT product managers, distracted by NIS2 compliance, are also now looking at 2026, when all newly launched products need to comply with the enhancements to the Radio Equipment Directive and may also need to be designed with a data model that conforms to one or more of the ongoing EU Data Space initiatives. On top of this is that pesky Data Act, on which only the largest companies' legal departments are currently getting an opinion.
As experts in understanding what the impact of the Data Act will be on IoT deployments, Greenhouse Group has been talking to participants across the spectrum and getting a lot of interesting feedback. Our interviews have spanned legal and product groups in both data holders and data processors as well as various law firms who have published articles on the act.
Among the data holders and data processor platform providers we have spoken to, the status six months before enforcement is intriguing.
a) Approximately 80% have still not been made aware of it.
b) Of those who are aware of it, 30% have not started with securing a legal opinion.
c) Of those who have secured a legal opinion that they need to comply, 70% have not passed the task of compliance onto their product management departments yet.
d) Of those that have settled on a compliance approach, all have decided to adopt a minimum viable compliance strategy with the minimum of investment.
Of the law firms we have spoken to, the general feedback has been consistent with how it was with GDPR compliance. In 2018, after two years of forewarning, there was a mass panic, described by one consultant as “five minutes to midnight”, where everyone suddenly needed help with compliance simultaneously. In the case of the Data Act, one opinion expressed this week was that compliance will typically be “five minutes after midnight” for most SME data holders, who will likely set budgets in Q1 2026 to comply with legislation that theoretically is enforceable from Sept 12 2025. Larger companies with more to lose will likely put compliance efforts in place in Q4 this year.
All law firms agree, however, that the risks of facing penalties for non-compliance are significantly higher than under GDPR, as reports of non-compliance will always come from commercial entities whose topline revenue is dependent on securing access to your data. This then leads to an answer to the question posed, “do you need to care about the Data Act?”, which is most likely yes, you do.
If you want to talk more about this, reach out at www.greenhousegroup.se and we’ll be happy to set up a free initial consultation meeting. More to come on the topic soon.
Antony