Launching the EU Data Act Series
Danny Zeegers and Harry Van Der Plas are joining forces to launch a new EU Data Act Series, aimed at helping companies not only understand the regulation but also implement it effectively.
In this first article, we provide boards and executives with a critical impact overview — one that demands action today, or even better, yesterday. The message is clear: the EU Data Act is not another regulation to park in the legal corner; it is a strategic shift that will reshape governance, resilience, and competitiveness.
In the coming parts of the series, companies will gain insight into how the HSMS concept from Harry Van Der Plas brings added value by avoiding overlap, reducing wasted effort, and saving resources. Later, the series will explore how CATS provides structured insight, revised template policies, and actionable tools — turning regulatory pressure into a manageable, even inspiring, transformation.
This is more than compliance. It’s the start of an inspiring journey into building smarter governance and future-proof data resilience.
The EU Data Act: Beyond Privacy — How Europe’s New Regulation Reshapes NIS2 Compliance
A New Layer of Compliance Pressure
European companies already adapting to the NIS2 Directive now face another regulatory heavyweight: the EU Data Act (Regulation (EU) 2023/2854), entering into application in September 2025. Where NIS2 forces critical and essential entities to tighten their cybersecurity and risk governance, the Data Act goes a step further — dictating how data must be accessed, shared, and stored across sectors.
For CISOs and compliance officers, the question is no longer “Do we comply with cybersecurity standards?” but “How do we build trust in an economy where data is both an asset and a liability?”
Boardroom Story: MSP SOC Extended and the Overnight Illusion

The boardroom of MSP SOC Extended was tense but optimistic. The CEO opened the meeting with a confident tone:
“We’ve survived GDPR, we’re halfway through NIS2, and now the Data Act is on the horizon. Let’s draft a quick roadmap — surely this is just another overnight compliance exercise, right?”
Heads nodded around the table. The CFO added:
“If it’s about data, our GDPR work should cover most of it. We’ll just tweak some privacy policies, ask Legal for a few clauses, and we’re done.”
At this point, the CISO shifted uneasily in his chair.
“With respect, this is a misconception. The Data Act isn’t just GDPR with another name. It’s about all data, not just personal data. It demands that we enable fair access, portability, and even mandatory sharing in some scenarios. That means infrastructure changes, contract rewrites, supplier renegotiations, and cloud portability tests. This is not an overnight exercise.”
The DPO jumped in:
“Exactly. GDPR was about protecting personal data — individuals’ rights. The Data Act adds sovereignty, B2B sharing, and operational resilience. We need to rebuild our DPIAs into broader Data Impact Assessments. Right now, our GDPR foundation is only 60% mature. If we treat this as a quick add-on, we’ll fail audits — and more importantly, we’ll expose ourselves to operational risks.”
Silence fell over the table. The CEO leaned back, realizing the magnitude:
“So our roadmap can’t just be a sprint. It has to be a program — with alignment across NIS2, GDPR, and the Data Act.”
The compliance officer summarized it best:
“The overnight exercise is a dangerous illusion. The real roadmap requires months of preparation, role clarity, and board-level ownership. If we start tomorrow, we’re already late.”
The room nodded again — but this time, with a sober understanding that the EU Data Act is not a checkbox, but a strategic transformation.
Data Act vs GDPR: Clearing the Misconceptions

At first glance, the Data Act may seem like a GDPR twin, but the two serve fundamentally different purposes:
- GDPR: Protects personal data of individuals, setting rules on consent, processing, and privacy rights.
- Data Act: Covers all types of data (personal and non-personal), focusing on fair access, interoperability, and portability.
The key difference? GDPR is about who owns your personal data, while the Data Act is about who controls access to generated data from devices, platforms, and services. This distinction means that NIS2-regulated companies must navigate two overlapping compliance regimes: securing personal data under GDPR, while ensuring non-discriminatory access and secure data portability under the Data Act.
The Global Dimension: What About Non-EU Suppliers?
A recurring concern among European ICT leaders is the impact on non-EU providers — especially US hyperscalers and Asian device manufacturers. The Data Act is explicit:
- If services or products are offered in the EU, the rules apply — regardless of where the provider is based.
- Providers without EU-based storage or data centers still face obligations to guarantee secure data access, switching, and sharing.
- International transfers must comply with EU data sovereignty safeguards, adding new layers of control similar to the Schrems II fallout under GDPR.
For non-EU suppliers, this means they cannot simply rely on “we don’t store data in Europe” as an exemption. The regulation follows the market access principle: if you serve EU customers, you play by EU rules.
Why the Data Act Matters for NIS2 Entities
1. Operational Resilience
Cloud switching obligations reduce vendor lock-in risks, strengthening resilience — a NIS2 cornerstone.
2. Supply Chain Security
The Act’s provisions on B2B and B2G sharing introduce new supply-chain exposures. NIS2 already requires vetting of suppliers; now, contractual arrangements must also anticipate forced data-sharing obligations.
3. Incident Response & Recovery
By standardizing access rights, organizations can better map data flows, enabling faster incident detection and forensic readiness — aligning with NIS2’s mandatory reporting requirements.
The Human Factor: DPO, CISO, and Compliance Under Pressure

The Data Act is not just about infrastructure; it reshapes roles:
- Data Protection Officer (DPO): The mandate expands from privacy to data sovereignty governance. A DPO must now assess not only consent and personal data but also B2B data-sharing obligations and cloud portability impacts.
- Chief Information Security Officer (CISO): Gains responsibility for ensuring secure data transfer pathways between providers and across jurisdictions. Portability is now a security matter.
- Compliance Officers: Must orchestrate a three-layered compliance puzzle: GDPR, NIS2, and Data Act — all with different regulators, enforcement timelines, and penalties.
For many organizations, this means role fatigue. Who ultimately owns the Data Act? This remains a governance gap.
Timelines: A Legal Dream, A Practical Nightmare?

The EU grants companies until 12 September 2025 for application, followed by a 12-month compliance window — effectively September 2026 for enforcement readiness.
But is this realistic? Consider the context:
- DORA (Digital Operational Resilience Act) is barely being implemented in financial entities, with many still at pilot stage.
- NIS2 entities are scrambling to demonstrate compliance by October 2024, often stuck in verification rather than certification.
- GDPR, even after six years, still leaves SMEs at “50% readiness” at best.
Layering the Data Act on top risks regulatory fatigue. For mid-sized providers, the clock is ticking with too many stopwatches running.
Qfirst & Management Projects Advisory: A Practical Implementation Strategy

At Qfirst & Management Projects, Danny Zeegers and Harry Van Der Plas recommend a phased approach to survive this regulatory storm:
- Gap Scan: Perform a rapid Data Act readiness scan integrated with NIS2 maturity assessments.
- Policy Refresh: Prioritize ISO 27001-aligned policies most impacted:
  - Information Transfer Policy (A.5.15, A.5.20)
  - Supplier Management Policy (A.5.19)
  - Cloud & Portability Procedures (A.5.23)
  - Business Continuity & Resilience (A.5.30)
  - Logging & Monitoring (A.8.16)
- Cyfun Essentials Integration: Use the Cyfun Essentials framework to calibrate criticality and maturity, aligning NIS2, GDPR, and Data Act under one risk lens.
- Contractual Rewrite: Standardize clauses for data access, portability, and government requests.
- Shadow Testing: Run a “switching simulation” to ensure cloud portability is feasible in practice, not just in contracts.
The GDPR “Sinking Ship” Question
What about companies only “halfway there” with GDPR? Can they build Data Act compliance on that fragile base?
The blunt answer: not without structural changes. GDPR immaturity means weak DPIAs, vague data flow mapping, and insufficient breach handling — all of which are prerequisites for Data Act compliance. Building on a shaky GDPR foundation is like “constructing a skyscraper on quicksand.”
Instead, organizations should treat the Data Act as a chance to retrofit GDPR programs:
- Redesign DPIAs to include non-personal data and interoperability risks.
- Rebuild RoPAs (Records of Processing Activities) into holistic data flow maps.
- Elevate governance from privacy-only to enterprise-wide data accountability.
Qfirst Blueprint: GDPR + Data Act Transition Model

To avoid drowning in parallel programs, Qfirst proposes a blueprint transition model:
- Unified DPIA 2.0: Extend Data Protection Impact Assessments into Data Impact & Portability Assessments (covering both GDPR and Data Act risks).
- Three-Tier Data Governance:
  - Privacy (GDPR)
  - Sovereignty (Data Act)
  - Security (NIS2)
- Centralized Data Register: One repository for personal, non-personal, and shared data flows.
- Board-Level Oversight: Establish a Data Governance Committee aligning DPO, CISO, and Compliance Officer roles.
This blueprint shifts the perspective from compliance silos to a single governance model — pragmatic, auditable, and resilient.
Mapping the Data Act to NIS2 and ISO/IEC 27001:2022 Controls
To make sense of the overlap, let’s map Data Act obligations against NIS2 security objectives and ISO 27001 Annex A controls:
- Cloud Portability & Switching
  - NIS2: Business continuity & supplier risk management
  - ISO 27001: A.5.30 ICT readiness for business continuity; A.8.16 Monitoring activities
- B2B & B2G Data Sharing
  - NIS2: Supply chain security, transparency
  - ISO 27001: A.5.19 Supplier relationships; A.5.23 Information security for use of cloud services
- International Transfer Safeguards
  - NIS2: Incident reporting & risk mitigation
  - ISO 27001: A.5.36 Compliance with policies and procedures; A.5.37 Legal and contractual requirements
- Data Governance & Access Rights
  - NIS2: Governance, accountability
  - ISO 27001: A.5.1 Policies for information security; A.5.2 Roles and responsibilities
Conclusion: Regulation as Infrastructure
With less than a year before application, and only twelve months to implement, the EU Data Act risks becoming one regulation too far for companies already overwhelmed by GDPR, NIS2, and DORA.
But seen differently, it may be the missing puzzle piece: aligning privacy, sovereignty, and cybersecurity into one coherent governance framework.
For companies, the choice is clear: either chase compliance deadlines as isolated battles — or embrace a blueprint strategy that turns regulatory burden into operational resilience.
And as Qfirst advises: “Don’t just build compliance programs. Build a data governance architecture that will survive the next regulation too.”
📌 Reference: EUR-Lex – Regulation (EU) 2023/2854 (Data Act)
1 thought on “The EU Data Act Isn’t GDPR 2.0 – Here’s Why You Need to Move Fast”
Pingback: Canadian startups turn to European cloud providers to navigate data sovereignty and compliance | Noah News