
The Challenge of the EU Data Act in Practice

The EU Data Act requires companies to handle the data generated by their systems and IoT devices transparently. In theory, this sounds simple: users gain the right to access their own data, and companies must share this data with third parties or governments under certain conditions.

In practice, however, this proves to be a major challenge. Many organizations lack a complete overview of their data assets: where the data originates, how it flows through APIs or dashboards, which copies exist in backups, and which datasets contain critical business information or personal data. Without such an overview, companies risk either sharing too much data (losing competitive advantage) or too little (risking non-compliance and sanctions).

Within 12 months, a company can achieve this through a phased approach:

  • Inventory – map all systems, applications, and data flows.
  • Classification – categorize data into PII, business-critical, regulated, and open.
  • Blueprint – design a global data architecture showing the lifecycle (creation, use, exchange, backup, archiving).
  • Governance & policy – establish policies that combine the Data Act with GDPR and NIS2.

This way, the Data Act becomes not just a paper obligation, but a strategic lever for better data management and cybersecurity.

Qfirst reflection: “Many companies underestimate the Data Act: they think it only concerns IoT data but forget that backups, APIs, and dashboards are also access points that may fall within scope.”


The Promise and Challenge of European Data Sharing

Europe is heavily investing in data as the driver of the digital economy. With the combination of the Data Governance Act (DGA) and the EU Data Act, the EU gains a legal framework that not only fosters trust in data sharing but also structurally regulates access to data. Together, these regulations form the backbone of the European data strategy, with direct consequences for companies across all sectors.

But what does this mean in practice?


The Challenge for MSP SOC Extended

When MSP SOC Extended, a mid-sized managed service provider with its own SOC, was tasked with creating a data inventory, managers assumed it was simply a list of applications and databases.

However, as the team dug deeper, they discovered how complex their data landscape truly was: ERP systems, CRM, Power BI dashboards, cloud storage in Microsoft 365, backups across multiple regions, and a growing IoT lab in their SOC. Each system had its own data flows, API connections, and archiving rules.

The critical question became painfully clear: which data falls under GDPR, which under the Data Act, and which is so business-critical that it must be absolutely protected?

Qfirst reflection: “The European data strategy preaches cooperation, but what if commercial interests clash with the idea of ‘data as a public good’? Building trust is one thing, enforcing fair access is another.”


From Trust to Obligation

DGA in Practice at MSP SOC Extended

The Data Governance Act (DGA) requires MSP SOC Extended to demonstrate trust and transparency in their data sharing. The SOC team saw opportunities: through a neutral data intermediary, they could share anonymized threat intelligence with research institutions without clients fearing misuse.

In force since September 2023, the DGA emphasizes trust and structures for data sharing. Key points:

  • Data intermediaries: neutral players acting as “notaries” for data sharing.
  • Data altruism: citizens and companies can voluntarily make data available for societal benefit.
  • European data spaces: sectoral ecosystems where data can be shared safely and transparently.

In short: the DGA determines how data can be shared securely.

For MSP SOC Extended, the DGA mainly helps build a governance structure for voluntary collaboration.


Data Act as a Game Changer

The Data Act brings other obligations. Clients of MSP SOC Extended use IoT devices in critical networks. According to the law, these clients gain the right to access the sensor data from their own devices and share it with external cybersecurity partners.

The Data Act (applicable from 2025/2026) goes further: it establishes rights and duties around access to data, particularly IoT and machine data. Key provisions:

  • Users gain the right to access the data generated by their devices.
  • Companies must share data with third parties upon user request.
  • Governments can enforce access in crisis situations.
  • Cloud providers must ensure interoperability and portability.

In short: the Data Act regulates who can access data and under what conditions.

This meant MSP SOC Extended not only had to map their data flows but also review access rights and contracts. For the first time, it became clear that data was not only managed internally but could also be demanded by external parties.

Qfirst reflection: “The DGA encourages companies to share voluntarily; the Data Act sometimes obliges them against their will. Is this a harmonious duo or the recipe for endless conflict?”


Practical Example: EU Data Act and a Power Plant

Imagine a SOC cybersecurity team monitoring the data flows of a power plant. Thousands of IoT sensors in the plant register temperature, pressure, and vibrations in turbines and pipes. This sensor data is crucial – not only for operational efficiency but also for safety.

According to the EU Data Act, operators and users of these systems have the right to access this data. External maintenance parties or regulators can request this data via APIs or reports. While useful for innovation and transparency, it also creates risks:

  • Challenge: without strict inventory and classification, sensitive or business-critical data may be shared uncontrollably. In the worst case, malicious actors could exploit this access to expose attack surfaces and manipulate processes.
  • Necessity: the SOC must know exactly where the data resides, how it flows (APIs, dashboards, backups), and which datasets are business-critical. Only then can they ensure that mandatory shared data does not open doors for hackers.

Within 12 months, this can be managed through:

  • Data mapping of all sensors and API connections.
  • Classification of data (operational, PII, business-critical).
  • Access control and monitoring of third-party data sharing.
  • A blueprint giving the SOC real-time insight into where risks arise.

Thus, the Data Act transforms from a compliance puzzle into a strategic instrument for cyber resilience.

Qfirst reflection: “When turbine sensor data must also be shared externally, where is the line between transparency and sabotage? Hackers need only one poorly secured API endpoint to cause chaos.”


The Link with NIS2

The challenges faced by MSP SOC Extended aligned perfectly with NIS2 requirements: incident detection, risk management, and transparent reporting.

  • Thanks to the DGA, they could share threat intelligence securely within their sector.
  • Thanks to the Data Act, clients and regulators gained more direct access to operational data, speeding up incident response.

For the company, it became clear: without an integrated approach to DGA, Data Act, and NIS2, their compliance would collapse like a house of cards.

Qfirst reflection: “NIS2 mandates incident detection and rapid response. But without access to the right data, this is impossible – ironically, the very obligation to share data can also increase the attack surface.”


The Necessity of a Data Asset Blueprint

MSP SOC Extended decided to establish a Global Data Blueprint: an inventory and classification model for all data.

Step 1: Asset overview

  • IoT and machine data from SOC sensors.
  • PII of clients and employees.
  • Business-critical research data and IP.

Step 2: Lifecycle mapping
Mapping how data flows through the company:
[Creation] → [Storage] → [Use/Processing] → [Exchange/API] → [Backup] → [Archiving] → [Deletion]

Step 3: Classification

  • Open data: anonymized datasets for research.
  • Regulated data: IoT sensor data and PII.
  • Business-critical data: internal threat models and client IP.

This blueprint became the central document where compliance, security, and operations converged.

Qfirst reflection: “A blueprint sounds technical, but it is mainly political: which data do you want to protect, which are you willing to share, and who decides? The answer often lies less in IT and more in boardrooms.”


Applications: The Reality for All Companies

To create a useful overview, companies must examine which applications hold data and how that data moves.

Examples of widely used applications

  • ERP (SAP, Dynamics): master data, financial and operational data.
  • CRM (Salesforce, HubSpot): customer and contact data.
  • BI tools (Power BI, Tableau): data visualization and analytics.
  • Collaboration suites (Microsoft 365, Google Workspace): documents and communication.
  • Financial software (Exact, QuickBooks): invoices and payment flows.
  • HR & Payroll (Workday, SD Worx): personnel and payroll data.
  • IoT/SCADA: operational sensor data and critical infrastructure.

Commonly Used Applications and Data Analysis

1. ERP Systems (e.g., SAP, Microsoft Dynamics, Oracle NetSuite)

Analysis:

  • Which master data (customers, suppliers, products) contains personal data (GDPR)?
  • Which financial or operational data can be business-critical?
  • How does integration with other systems occur via APIs or ETL?

Data stages:

  • Input of customer data.
  • Synchronization via APIs to CRM/BI.
  • Storage in relational databases.
  • Backups (on-prem or cloud).
  • Archiving (compliance retention periods).

2. CRM Systems (e.g., Salesforce, HubSpot, Zoho)

Analysis:

  • Which PII (contact info, interactions, preferences) is processed?
  • Which datasets are shared with marketing tools or external APIs?
  • What authorizations and logging are implemented?

Data stages:

  • Input by sales/marketing.
  • Data exchange with email marketing or social integrations.
  • Analysis in dashboards (e.g., Power BI).
  • Archiving & data retention policy.

3. Business Intelligence & Analytics (e.g., Power BI, Tableau, Qlik)

Analysis:

  • Which source data is imported (ERP, CRM, sensor data, IoT)?
  • Are PII fields anonymized or does traceability remain?
  • Are datasets encrypted during storage/transport?

Data stages:

  • Extraction of data sources (ETL process).
  • Transformation (aggregations, data cleaning).
  • Visualization in dashboards.
  • Backups of datasets.
  • Export/reporting to external parties.

4. Collaboration Suites (e.g., Microsoft 365, Google Workspace, Slack, Teams)

Analysis:

  • Which files contain sensitive data (PII, IP)?
  • Where are files shared (internal/external)?
  • Which security controls are active (DLP, encryption)?

Data stages:

  • Creation of documents/spreadsheets.
  • Storage in SharePoint/Google Drive.
  • Exchange via email, Teams, Slack.
  • Archiving or deletion according to retention policies.

5. Financial Software (e.g., Exact, Sage, QuickBooks)

Analysis:

  • Processing of PII (invoice data).
  • Exchange with banks (APIs).
  • Compliance with fiscal retention periods.

Data stages:

  • Input of invoices/receipts.
  • Exchange with accounting systems.
  • Backups in the cloud.
  • Archiving & legal retention.

6. HR & Payroll (e.g., Workday, SD Worx, ADP, SAP SuccessFactors)

Analysis:

  • Which categories of PII and sensitive data (health, salary, contract) are present?
  • Shared with external payroll providers or government agencies?
  • Access and authorization management.

Data stages:

  • Input of employee data.
  • Exchange with government agencies (social security).
  • Storage & backup.
  • Archiving (e.g., 7 years payroll data).

7. IoT & Operations Platforms (e.g., industrial sensors, SCADA, smart devices)

Analysis:

  • Which operational data is generated?
  • Are there links with critical infrastructure (NIS2)?
  • Which data falls under the Data Act (user access)?

Data stages:

  • Real-time data capturing.
  • APIs to analytics platforms.
  • Storage in data lakes.
  • Backup & archiving.

Data Stages in the Lifecycle

For each system, organizations must document the full data lifecycle:

  1. Creation/Input – e.g., customer data in CRM, sensor data from IoT.
  2. Storage – database, cloud, data lake.
  3. Use/Processing – dashboards, reporting.
  4. Exchange – APIs, ETL, external partners.
  5. Backup – redundancy, cloud or on-prem.
  6. Archiving – retention periods and compliance.
  7. Deletion – data retention, right-to-be-forgotten.

This overview is crucial to know which datasets fall under the Data Act, which under GDPR, and which are business-critical.
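As an added illustration of the blueprint steps (asset overview, lifecycle mapping, classification) and the seven-stage lifecycle checklist, not code from the article or from MSP SOC Extended, the Python below models an inventory in the article's categories, flags lifecycle stages that remain undocumented, lists the access points (dashboards, APIs, backups) through which regulated datasets can be reached, and marks Data Act scope on business-critical data for contract and access review. The category-to-regime mapping and the sample inventory are assumptions of this example.

```python
from dataclasses import dataclass
# Seven lifecycle stages from the article; every asset must document each one.
LIFECYCLE = ("creation", "storage", "use", "exchange", "backup", "archiving", "deletion")
# Stages at which data is reachable outside its system of record (dashboards, APIs, backups).
ACCESS_STAGES = ("use", "exchange", "backup")
# Simplified category-to-regime mapping (an assumption of this example, not legal advice).
REGIME_OF = {"pii": "GDPR", "iot_machine": "Data Act"}

@dataclass
class DataAsset:
    system: str
    dataset: str
    categories: frozenset  # subset of {"pii", "iot_machine", "business_critical", "open"}
    stages: dict           # lifecycle stage -> location or channel documented for it

def applicable_frameworks(asset):
    """Regimes that apply to the asset, derived from its classification categories."""
    return {REGIME_OF[c] for c in asset.categories if c in REGIME_OF}

def missing_stages(asset):
    """Lifecycle stages the inventory has not documented for this asset."""
    return [s for s in LIFECYCLE if s not in asset.stages]

def access_points(asset):
    """(stage, channel) pairs through which the dataset can be reached."""
    return [(s, asset.stages[s]) for s in ACCESS_STAGES if s in asset.stages]

def review_findings(inventory):
    """Per asset: regimes, undocumented stages, exposure channels of regulated data, and the
    share-versus-protect conflict (a Data Act access right on business-critical data)."""
    findings = {}
    for a in inventory:
        regimes = applicable_frameworks(a)
        findings[(a.system, a.dataset)] = {
            "frameworks": regimes,
            "missing_stages": missing_stages(a),
            "access_points": access_points(a) if regimes else [],
            "conflict": "Data Act" in regimes and "business_critical" in a.categories,
        }
    return findings

# Constructed sample inventory, modelled on the MSP SOC Extended table in the article.
INVENTORY = [
    DataAsset("ERP (SAP)", "supplier data", frozenset({"pii", "business_critical"}),
              {"creation": "ERP input", "storage": "SQL DB", "use": "Power BI", "exchange": "API to CRM",
               "backup": "cloud backup", "archiving": "7y retention", "deletion": "retention job"}),
    DataAsset("IoT/SCADA", "turbine sensor data", frozenset({"iot_machine", "business_critical"}),
              {"creation": "sensors", "storage": "data lake", "use": "SOC dashboard",
               "exchange": "partner API", "backup": "lake snapshot"}),  # archiving/deletion undocumented
]
```

Running `review_findings(INVENTORY)` yields, for the turbine data, the Data Act regime, two undocumented stages and a share-versus-protect conflict, while the ERP dataset is fully documented but exposes PII through its dashboard, API and backup.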


The Team’s Findings

The team discovered their data was scattered across various applications:

Application   | Data                           | Risks / Analysis        | Critical Phases
ERP (SAP)     | Invoicing, supplier data       | Business-critical + PII | API exchange, backups
CRM (HubSpot) | Customer contacts              | GDPR, marketing sharing | Exports, dashboards
Power BI      | Threat intelligence dashboards | Anonymization needed    | ETL, visualizations
M365 & Slack  | Reports, internal communication | PII + IP               | Sharing, archiving
HR (SD Worx)  | Contract and payroll data      | Sensitive PII           | Government exchange
IoT/SCADA     | SOC sensor data                | Data Act scope + NIS2   | Real-time APIs, data lakes

It became clear that there was no system that did not require investigation.

Qfirst reflection: “Every system in a company – from Power BI to Slack – is a potential data leak or compliance risk. The question is not whether sensitive data is in there, but how much and who can access it.”


Conclusion

The EU Data Act changes the way companies handle their data foundation. Without a global asset overview and blueprint, compliance is impossible – and organizations face risks both in compliance and competitive advantage.

Practice shows: organizations that already link their data governance with DGA, Data Act, NIS2, and GDPR will not only face fewer audit headaches but also gain a competitive advantage through better data quality, faster incident detection, and more transparent collaboration.

In the third article of the series, Harry VM van der Plas will explain how to turn extensive internal governance into a revenue model by mapping overlaps and aligning all frameworks to work together in harmony.

Europe’s message is clear: data is not a possession to be locked away, but a resource that must circulate – safely, fairly, and under clear rules.

🔑 Key takeaway: For MSP SOC Extended, data inventory became the core of their governance and cybersecurity. What started as compliance ended as a competitive advantage.

Qfirst reflection: “The Data Act transforms compliance from a box-ticking exercise into a geopolitical game: whoever controls data controls the balance of power. For companies, the choice is simple: either adapt or be overtaken.”


DGA and Governance & Policies – Where Can My Company Find Examples and Guidance?

Roadmap for Policy Development under the DGA

Where to find the digital honey in EU Data Spaces Initiatives
The EU Data Spaces Initiatives are coordinated via the Data Spaces Support Centre (DSSC). This is the main source for practical guidance:

  • 🌐 DSSC Website: https://dssc.eu
    • Blueprints → provide governance and policy examples.
    • Reference Architecture Model → shows how data intermediaries and trust mechanisms should work technically and in policy.
    • Toolbox → contains components and frameworks directly usable for policy development.
  • Sectoral Data Spaces (e.g., Health, Mobility, Energy) also publish their own guidelines with concrete governance examples.

In short:
A company finds the legal basis in EUR-Lex, practical interpretation at the European Commission and ENISA, and the governance blueprints in the EU Data Spaces Initiatives (DSSC).


Sources

1. Data Sharing Policy

  • EUR-Lex: DGA Text → EUR-Lex
  • European Commission: Data Act & Data Governance resources → link
  • EU Data Spaces Support Centre (DSSC) → https://dssc.eu

2. Data Transparency Policy

  • EU GDPR Text → link
  • ENISA Publications Library → link
  • EU Data Spaces: Blueprints for Trustworthy Data Sharing → https://dssc.eu

3. Data Intermediary Governance Policy

4. Data Altruism Policy

  • European Commission – Data Altruism (EU Digital Strategy) → link
  • EU Data Spaces – Health/Mobility/Energy pilots → https://dssc.eu

5. Data Access & Rights Policy

  • EUR-Lex: Data Act Text → EUR-Lex
  • EU Data Spaces: Reference Architecture for Data Access Control → https://dssc.eu

6. Confidentiality & Trust Policy


Overall: EU Data Spaces Initiatives

  • Data Spaces Support Centre (DSSC) – main page → https://dssc.eu
    • Blueprints
    • Reference Architecture Model
    • Toolbox
    • Sectoral Data Spaces (Health, Mobility, Energy, etc.)

This article was made possible with the help of Harry VM van der Plas and Karin Printemps, DATA Risk Manager.
