When data freedom becomes an obligation
Imagine this: Your refrigerator analyzes your eating habits and sends the data to the manufacturer – but you yourself are not allowed to view it, let alone transfer it to another service. Sounds like an absurd scenario? It is precisely these kinds of imbalances that the EU Data Act aims to eliminate. From September 12, 2025, users must be given access to the data generated by their connected products. And they will also be allowed to pass this data on to third parties – provided this is legally permissible.
This represents a significant change for businesses. While data has often been viewed as exclusive capital in the past, the Data Act requires transparent and fair access. This results in a special role for trust service providers: they ensure that this access is not only possible but also secure.
Objectives and scope of the Data Act
The Data Act has been in force since January 2024, but took effect only on 12th september 2025. It is part of the European data strategy, which aims to strengthen the single market and promote innovation in the digital space. While the GDPR protects personal data, the Data Act primarily regulates access to non-personal data generated through the use of products and services.
This primarily affects manufacturers of IoT devices, providers of connected machines, and cloud and data processing services. Companies outside the EU also fall within the scope of the Act if they offer their products or services on the European market. This makes the Data Act a globally relevant set of rules.
New obligations for companies
The regulation stipulates that data may no longer be “locked in” by the manufacturer. Users have the right to view the data they have generated and to pass it on to other providers. Companies must provide technical interfaces such as APIs or portals for this purpose. No fees may be charged for this.
The regulations for cloud services are particularly far-reaching. In future, customers should be able to switch providers more easily without incurring high switching costs. From 2027, such “switching fees” will be completely prohibited. Contracts may also no longer contain clauses that artificially impede data access or bind users in the long term.
Another dimension concerns the state: in exceptional situations – such as natural disasters – public authorities will in future be able to request access to certain data. For companies, this means providing access channels that comply with the law while at the same time protecting trade secrets.
Challenges of implementation
The requirements of the Data Act are complex because they affect technical, legal, and organizational levels simultaneously. Companies must develop systems that ensure openness on one hand but also meet the highest security standards on the other. Interfaces must not become a weak point but must be designed in such a way that misuse is impossible.
On the legal side, companies are facing a wave of contract revisions. Existing agreements in the cloud sector or in IoT ecosystems will often not be Data Act-compliant and will need to be adapted accordingly. New processes are also needed on the organizational side: access must be logged in a traceable and audit-proof manner to ensure transparency and trust.
Added to this is the uncertainty surrounding practical enforcement. In many member states, it is still unclear which authorities will be responsible. Overlaps with the GDPR or with industry-specific laws may create additional challenges.
Perspective of a trust service provider
For trust service providers, the Data Act is not only a regulatory requirement but also an opportunity. Their task is to ensure that the new data access rights are implemented within a secure framework. This includes identifying authorized persons, ensuring data integrity, and documenting all accesses.
Digital identities, qualified signatures, and strong authentication mechanisms are key tools in this process. They enable data to be freely accessible but only passed on to the right people or organizations. In addition, audit trails and logging ensure that companies can prove that they have acted in compliance with the law at all times in the event of an audit.
Another aspect is future viability. Systems should be modular and scalable so that they not only meet today’s requirements but also allow for future adjustments. Trust service providers can offer support here with their expertise in compliance and security, acting as a bridge between regulation and practice.
Opportunities for companies
The potential is as great as the efforts required for implementation. Companies that act early can position themselves as trustworthy and customer-oriented providers. They demonstrate that they not only comply with legal requirements, but also actively strengthen their customers’ data sovereignty.
The Data Act also opens up new opportunities for innovation. When data can be shared, new ecosystems emerge in which partner companies develop services together. For the cloud market, easier switchability means more competition – which will lead to better offers for customers in the long term.
Finally, the Data Act strengthens Europe’s digital sovereignty. By creating clear rules and distributing access to data fairly, it makes the single market more resilient and less dependent on monopolistic structures.
Conclusion
The EU Data Act is a milestone on the road to a fairer, more transparent, and more innovative data market. For companies, it means significant changes, both technical and legal. But those who see change as an opportunity can secure competitive advantages and strengthen the trust of their customers.
This presents a key task for trust service providers: they must create a framework in which data access is secure, traceable, and legally compliant. Ultimately, trust is what determines success in the digital age – and that is precisely what makes the Data Act not just a regulatory obligation, but a real opportunity.
