
EU Data Act: Articles 4 and 5 – turn compliance into a scalable data advantage


In the previous article, we discussed the relevance and challenges of sharing data with third parties, as required by Article 5 of the EU Data Act. In this installment, we focus on the requirements that apply from September 12, 2025, and what they could mean for your organization.

Why the Data Act matters now

The EU Data Act sets a high standard for all providers of connected products and related services. Noncompliance may result in fines of up to €20 million or 4% of a company's global annual turnover. Other consequences include exclusion from the EU market for products that do not meet access-by-design requirements after September 2026, delayed launches, reputational harm due to a lack of transparency, and costly last-minute retrofits, all of which organizations want to avoid.

However, there are clear advantages for compliant companies as well: modernized product and technology foundations, reduced security risks through strong governance, and access to data-driven growth as the EU opens vast pools of currently unused industrial data.

Core obligations and timeline

The regulation establishes common rules across three pillars. Article 3 requires access by design, meaning products must enable users to access readily available data by default with export tools and clear instructions. Article 4 establishes user access rights, stipulating that users can retrieve their data free of charge in a structured, machine-readable format that includes metadata. Article 5 requires third-party sharing. Users may authorize third parties to access their product-generated data, and data holders must enable this access on FRAND terms: fair, reasonable, and non-discriminatory.

The timeline is phased. By September 12, 2025, users must be able to access and share their data (Articles 4 and 5). By September 12, 2026, products must comply with access by design (Article 3).

Build the foundation – Inventory, scope, metadata, governance

Before designing data journeys or user interfaces, it is essential to establish a solid foundation that connects legal requirements, technical implementation, and business strategy.

Begin by creating a comprehensive data inventory. Identify the product and service data in scope, map ownership and data sources across your pipelines, and determine which attributes are subject to the EU Data Act. This clarity is crucial for both compliance and control.

Apply the principle of data minimization by sharing only what is readily available and relevant to the intended use. Sensitive data, such as trade secrets, diagnostic information, or real-time signals, should be safeguarded through layered access controls, filtering, and continuous monitoring.

High-quality metadata is equally important. Clean, consistent metadata enables users to retrieve data in structured, machine-readable formats. This supports standardized interfaces and documentation, which are essential for safe and scalable integration.

Strong governance frameworks are another critical component. Define clear roles, responsibilities, and operational standards for data ownership. Standardize third-party agreements to outline permitted purposes, retention limits, onward sharing restrictions, and security requirements. These contracts should also include audit rights, incident notification procedures, and alignment with your broader governance and data privacy models.

Finally, ensure early coordination with other regulatory frameworks such as the GDPR, MDR/IVDR, AI Act, European Health Data Space, and FIDA. Legal, Data Protection, IT, R&D, and Product teams should collaborate closely to prevent regulatory conflicts, avoid recertification, and reduce the need for costly retrofits.

Article 4 in practice – a secure, user-friendly experience for end customers

Article 4 places users at the center of the data experience. In practice, this begins with a clearly defined activation process and a coherent user journey. That journey should include transparent notifications, structured data listings, and privacy-compliant options for activation, sharing, and revocation across all relevant touchpoints.

Data retrieval must be intuitive and accessible. Provide export tools with clear instructions to ensure users can access their data without friction. These tools should operate through secure, interoperable channels such as APIs or direct exports, and be governed by strong access controls, detailed usage logs, and audit-ready records.

Consent and revocation processes should be fully integrated from start to finish. Offer configurable access options that match common provisioning models, such as file downloads, API access, and batch or near real-time delivery. This allows users to manage frequency and scope while staying aligned with data minimization and protection requirements.

Security and performance should be tested at pilot scale before wider rollout. Where appropriate, use layered filtering to protect sensitive attributes and prevent exposure of transient or real-time data.



Article 5 in practice – self-service integration for third parties on FRAND terms

When users authorize third parties, access must be provided on FRAND terms. This requires transparent processes and consistent application so that comparable third parties in similar situations receive similar access under neutral criteria.

A scalable approach depends on self-service. Third parties should be able to register, authenticate, and integrate independently using standardized documentation and infrastructure. Operational readiness is critical. Processes must cover identity management, authentication, and authorization for both users and third parties, as well as request handling, billing, and contracting. Each process should generate audit-ready records. Contracts must be standardized and aligned with governance and privacy models. They should define permitted purposes, data retention limits, onward sharing restrictions, security obligations, audit rights, and incident notification requirements.

Article 5 also allows remuneration for user-authorized access. Pricing structures should be transparent and consistently applied. Small and medium-sized enterprises are limited to cost-based pricing, while larger enterprises may apply more flexible models. Differentiate between types of access, for example file downloads versus APIs, or batch versus near real-time data flows. Billing and contracting should be automated within the onboarding process to ensure efficiency and compliance with FRAND principles. Interfaces should follow recognized standards and include well-documented metadata to enable secure integration across systems and platforms.
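As an added example (not code from the article or from any particular product), a minimal data-holder service in Python showing how the Article 4 and Article 5 controls described above fit together: user export in a structured format with metadata, layered filtering that keeps trade-secret and transient attributes out of every export, user-authorized third-party grants with revocation, and an audit record for every access attempt. The telemetry schema, the sensitivity classes and all identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed telemetry schema; the 'class' tags are an assumed sensitivity layering.
SCHEMA = {
    "odometer_km": {"class": "readily_available", "unit": "km"},
    "battery_soc_pct": {"class": "readily_available", "unit": "%"},
    "motor_controller_fw_dump": {"class": "trade_secret", "unit": None},
    "can_bus_raw_frame": {"class": "transient", "unit": None},
}
SHAREABLE = {"readily_available"}   # trade secrets and transient data never leave

@dataclass
class DataHolder:
    records: dict                               # device_id -> {attr: value}
    owners: dict                                # device_id -> user_id
    grants: set = field(default_factory=set)    # (user_id, third_party, device_id)
    audit: list = field(default_factory=list)   # audit-ready access records

    def _log(self, actor, device_id, outcome, attrs=()):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                           "device": device_id, "outcome": outcome, "attrs": sorted(attrs)})

    def _export(self, actor, device_id):
        # Layered filtering: only shareable classes are exported, each with its metadata.
        data = {k: v for k, v in self.records[device_id].items()
                if SCHEMA[k]["class"] in SHAREABLE}
        self._log(actor, device_id, "exported", data)
        return {"device": device_id, "data": data,
                "metadata": {k: {"unit": SCHEMA[k]["unit"]} for k in data}}

    def user_export(self, user_id, device_id):          # Article 4: user access
        if self.owners.get(device_id) != user_id:
            self._log(user_id, device_id, "denied")
            raise PermissionError("not the user of this product")
        return self._export(user_id, device_id)

    def grant(self, user_id, third_party, device_id):   # Article 5: user authorizes
        if self.owners.get(device_id) != user_id:
            raise PermissionError("only the product's user may authorize sharing")
        self.grants.add((user_id, third_party, device_id))
        self._log(user_id, device_id, f"granted:{third_party}")

    def revoke(self, user_id, third_party, device_id):  # revocation ends access
        self.grants.discard((user_id, third_party, device_id))
        self._log(user_id, device_id, f"revoked:{third_party}")

    def third_party_export(self, third_party, device_id):
        if (self.owners.get(device_id), third_party, device_id) not in self.grants:
            self._log(third_party, device_id, "denied")
            raise PermissionError("no active user authorization")
        return self._export(third_party, device_id)
```

Every denied attempt is logged alongside successful exports, so the audit list alone shows who accessed which attributes of which product and under whose authorization.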

Balancing simplicity and near real-time for customers and third parties

There is a natural tension between simple provisioning and near real-time integration. Self-service exports with clear instructions address baseline Article 4 requirements and support faster adoption. However, real-time data feeds introduce higher complexity. These require mature access controls, continuous monitoring, usage logs, and thorough performance validation. Not all data is suitable for near real-time sharing, especially when it involves transient signals or sensitive diagnostics.

A pragmatic approach is to offer tiered options. Start with downloadable files, then expand to batch APIs, and only move to near real-time delivery where there is clear added value and appropriate safeguards in place. The same logic applies to third parties. Onboarding should be easy and based on standardized documentation and neutral eligibility criteria. At the same time, performance and interoperability should be carefully validated at pilot scale to prevent brittle integrations and long-term technical debt.

A phased roadmap from regulation to value

A structured roadmap helps accelerate compliance while unlocking business value. Begin with discovery and assessment to determine which products and services fall within scope. Map data flows and ownership, identify regulatory touchpoints, assess risks at the product level, and prioritize high-value use cases.

Next, focus on solution design and alignment. Translate legal requirements into actionable architecture, user journeys, and governance frameworks. Define internal roles, technical standards, and operational guidelines. Draft access models and FRAND-aligned terms for your data infrastructure and export mechanisms.

During the build, test, and validation phase, implement secure architecture and ensure safe user access with full logging and monitoring. Integrate consent layers and third-party service connections. Validate both security and performance at a controlled pilot scale.

Finally, in the launch and sustain phase, train internal teams, roll out change management, ensure secure integrations across platforms, and monitor key performance indicators. Maintain audit readiness through continuous reporting and active governance.

Key challenges and how to address them

Many organizations struggle to translate legal frameworks into technical architectures and user flows. Addressing this early helps prevent bottlenecks and rushed implementation. IT adaptations are often significant, so evaluating solution scenarios upfront helps reduce risk, limit retrofits, and avoid technical debt.

Strong governance is essential. Clearly define roles, standards, and policies for data ownership, and establish a standardized approach to risk assessment and mitigation. Cross-functional collaboration across Legal, Data Protection, IT, R&D, and Product teams is critical to ensure aligned execution.

On the business side, organizations should avoid one-sided value extraction by developing their own integration capabilities and building value-added services on top of shared data.

What to do now

Several immediate steps will set the right foundation. Begin by assessing your readiness: identify in-scope products, map data flows and ownership, and close any remaining gaps in access, sharing, and security. Establish strong governance with cross-functional decision-making and a shared roadmap. Design a third-party access model with standardized consent journeys, FRAND-compliant terms, onboarding procedures, and billing models, all aligned with your IT architecture and go-to-market strategy. Focus on building the backbone. Prioritize identity and access management, interoperable APIs and export tools, and audit-ready monitoring processes. Pilot these capabilities before the 2025 milestone to validate usability, performance, and compliance before scaling up.

Start preparing today

Proven data-sharing patterns already exist across sectors. The regulation puts users at the center and calls for secure, user-friendly interfaces and scalable third-party ecosystems. Now is the time to take a strategic approach. To explore how your organization can comply with Articles 4 and 5, visit our page and get in touch.

04 Sep 2025