Red Hot Cyber


Data Act: Yet another regulation? Yes. But this one really changes the game (even for those in security).

Sandro Sana : 2 October 2025 16:08

Every time Brussels churns out a new acronym, someone in the company snorts: “More paper?” It happens. But the Data Act isn’t just a stamp to add to the binder: it clarifies who can access data, under what conditions, and how to exit a cloud provider without being locked in. In a market dominated by connected products, platforms, and “take it or leave it” contracts, it’s a tangible step change.

The Regulation entered into force on January 11, 2024, and has applied throughout the EU since September 12, 2025. The goal is a fairer and more competitive data market: less lock-in, more interoperability, and greater rights for users and businesses. In other words, data no longer stays in the hands of manufacturers or cloud providers; it becomes a lever in the hands of the user.

What is it, in a nutshell?

It is a “horizontal” regulation that covers both personal and non-personal data (where personal data is involved, the GDPR continues to apply in full) and touches three key areas. The first: data generated by connected products (machines, vehicles, home automation, sensors). Users of the device have the right to access that data and to share it with third parties of their choosing, such as an independent maintenance provider. The second: B2B relationships, where the Data Act limits unilaterally imposed contractual clauses that restrict data use. The third: data processing services (cloud and edge), with rules that mandate portability, interoperability, and the removal of technical and contractual barriers to switching provider.

There’s also the issue of public administration access to data: it is not an open door. We’re talking about “exceptional needs,” meaning public emergencies or specific cases provided for by law, with targeted, time-limited, and justified requests. The idea isn’t to “take everything,” but to allow intervention when genuinely necessary.

Security, IP and trade secrets

First, the question everyone asks: “So, do I have to give away my secrets?” No. The Data Act requires adequate measures to protect trade secrets and intellectual property: the data holder agrees with the user or third party on the technical and organisational measures needed to preserve confidentiality before anything is disclosed, and if those measures are not respected, sharing can be withheld or suspended. The logic is simple: access and reuse rights yes, plunder no.

There’s also a geopolitical safeguard: for non-personal data held in the Union, providers of data processing services must take reasonable measures to prevent third-country governmental access to, or transfer of, that data where this would conflict with Union or national law. For anyone with a global data supply chain, that isn’t a minor detail.

Why CISOs, CIOs, and Lawyers Really Care

For those building connected devices, the message is clear: design for data sharing. It is not enough to simply “generate” data: the user must be able to access it and share it securely and traceably. That means strong authentication of whoever requests the data, logging of every access, pseudonymization where appropriate, trade-secret handling defined in advance rather than at the moment of the request, governance of requests, and an official channel to process them without improvisation.

For those who buy or sell cloud, slogans become facts. Switching becomes a right: contracts must specify how to exit, in what timeframe, with what support, and on what financial terms (the Act phases switching charges out entirely from January 12, 2027). On the technical level, this requires open export formats, semantic mappings, automated portability, multicloud orchestration, and measurable interoperability criteria. It is the structural antidote to lock-in, and it doubles as operational resilience: an exit you have actually rehearsed is also a recovery plan.

For those who write or re-read B2B contracts, the Data Act disarms many restrictive clauses on liability, remedies, and the interpretation of usage rights. The bottom line is that contractual freedom remains, but fairness is back in focus: a term unilaterally imposed on the weaker party that the Act deems unfair is simply not binding.

Finally, the B2G process: have an internal policy for handling requests from public bodies. Check the legal basis, verify the exceptional need, minimize what you hand over, track it, and retain the record. Avoid off-the-cuff responses: defined roles, a workflow, and a request log are essential.

What changes “from Monday morning”

Let’s stop considering it just another obligation and instead see it as a competitive enabler. Product data fuels new after-sales services, predictive maintenance, and more transparent supply chains. Cloud interoperability makes multicloud strategies less romantic and more measurable, reducing operational risk. Contractual clarity in B2B relationships avoids bickering and shortens the time to value of data-driven projects.

And yes, it involves real work: mapping data flows, updating policies and contracts, strengthening controls, rethinking the architecture for portability. But it’s work that creates value, not just compliance.

Conclusion: fewer slogans, more engineering (and well-crafted contracts)

Is the Data Act just another regulation? Yes. Except that this one, if you actually implement it, makes you work better. It shifts power to those who use the products and pay for the services, loosens the invisible chains of lock-in, and forces everyone to treat data as a negotiable common good with clear rules. The difference is in the execution: solid processes, security by design, and finally explicit contracts on access, sharing, and release. The rest is just excuses.

Sandro Sana
Member of the Red Hot Cyber Dark Lab team and director of the Red Hot Cyber Podcast. He has worked in Information Technology since 1990 and has specialized in cybersecurity since 2014 (CEH, CIH, CISSP, CSIRT Manager, CTI Expert). Speaker at SMAU 2017 and SMAU 2018, lecturer for SMAU Academy & ITS, and member of ISACA. He is also a member of the Scientific Committee of the national Competence Center Cyber 4.0, where he contributes to the strategic direction of research, training, and innovation activities in cybersecurity.
