Article
    by Ahti Rossi, Project Manager, Nortal Finland

    EU Data Act unlocks industrial IoT data: here’s what it means for you

    Service

    Industry Data and AI Manufacturing

    Industry

    Data and AI

    You own the machine. You run the operations. You generate the data. Yet in many cases, accessing that data isn’t straightforward. For years, industrial data has often been tied to vendor ecosystems, bundled into service packages that limit flexibility and visibility. But that’s about to change. The EU Data Act gives you, the machine user, the legal right to access and use your data freely. This isn’t just a regulatory update — it’s a strategic opportunity to take back control and future-proof your operations.

    Have you ever felt disconnected from the machine data in your own facility? If so, you’re not alone.

     

    In many factories and other industrial facilities, machines quietly generate vast amounts of valuable data. However, accessing this data often means committing to expensive vendor ecosystems. Typically, the data flows from the machine straight into the manufacturer’s cloud, where it’s packaged with dashboards, predictive tools, and other features that may not align with your needs or budget. Even if you only need raw signals, you may be required to commit to the full suite and still face limitations in format, speed, or usability. 

    That’s about to change. On Friday, September 12, 2025, the EU Data Act came into effect, marking a shift in how industrial data is governed. The Data Act will grant you, as the machine user, the legal right to access and use the data your equipment produces, including historical data. This shift isn’t just a regulatory update but more like a strategic opportunity to rethink how data supports your operations and innovation.

    What the Data Act really grants you

     

    The key concept of the EU Data Act is that vendors delivering connected machines or offering related services must provide machine users with access to the data generated by those products (defined in Chapter II: “Business to consumer and business to business data sharing”). Also, users should be able to request their data through a simple process, and data holders must provide it free of charge. 

    Chapter II applies to all raw and pre-processed data generated from the use of a connected machine or related service, whether from a single sensor or a set of sensors, if the data is readily available to the vendor. The data can be, for example: 

    • temperature, pressure, flow rates
    • audio, pH, liquid levels
    • position, acceleration, or speed 

    What’s not in the scope of the obligation is inferred or derived data and content, such as highly enriched datasets or audiovisual material that a vendor has created from the raw data. That’s fair to vendors: if users want that enriched layer, vendors are still able to offer this as a paid service. This encourages vendors to build genuine, value‑added services based on know-how and expertise, rather than simply charging for raw data access.  

    It is worth noting that the Data Act obligations may also be interpreted to cover historical data created before the Act comes into effect in September 2025, as suggested in Chapter II. This means that data should be made available if it has been retained within a reasonable timeframe and remains technically accessible. While the definition for “reasonable timeframe” may be vague, it could be interpreted as data that is still relevant and technically usable for its original purpose. Additionally, suppose an equipment manufacturer’s own service, like a dashboard, relies on historical data and covers a specific period of historical data. In that case, the same period is also a reasonable expectation for customers’ access.

     

     

    Starting on September 12, 2026, the Data Act also requires that every new connected product and associated service sold in the EU must be designed and built to ensure that operational data and metadata are easily and directly accessible, secure, free of charge, and provided in a structured, machine-readable format. This requirement will be in effect within 12 months of that date.

    How the Data Act regulates contractual imbalance in enforcing fairness

    The Data Act protects data users from takeitorleaveit data clauses in contracts between enterprises (defined in Chapter IV “Unfair contractual terms related to data access and use between enterprises”). Suppose a vendor with the stronger bargaining position unilaterally imposes a term that is significantly out of line with good commercial practice and contrary to good faith and fair dealing. In that case, that term can be deemed nonbinding. 

    Contractual freedom still stands, however: many terms favoring one side are perfectly acceptable. However, a clause crosses the line when it objectively prevents the other party from protecting its legitimate commercial interests in the data. 

    The practical impact of this clause in the Data Act will ultimately be shaped by real-world application. Debates are likely to emerge around what constitutes “unfair” or “unilaterally imposed” terms in B2B data contracts, and only time will tell how Chapter IV will be interpreted and enforced in practice. The EU Commission has introduced model contractual terms and standard contractual clauses to be used as a voluntary benchmark for what “good” contractual practice looks like in data sharing and cloud services.  

    The consequences of human error are costly.  According to IBM’s Cost of a Data Breach Report, businesses lose an average of €3.9 million per breach, with phishing and stolen credentials being the top initial attack vectors. Furthermore, 60% of small and medium-sized businesses go out of business within six months of experiencing a cyberattack. 

    Open data pathways ease switching and pave the way for interoperability

    The EU Data Act doesn’t just give you access to your data, it ensures you can take it with you. From January 2027, switching between data processing services must be free of charge (as of January 12, 2027, but switching fees have already been reduced since January 2024), fast, and fluid (defined in Chapter VI “Switching between data processing services”). This is a direct strike against long-standing vendor lock-in practices. 

    The new rules are designed to break down the barriers that keep businesses locked into single providers. By making contracts clearer and data more portable, the EU aims to make the digital market more open and competitive. Companies should be able to move their data freely without being held back by technical limitations or restrictive agreements. 

    That said, the impact on machine-generated data may be limited at first. Much of this data originates from proprietary automation or control systems, which are not yet designed to support open or alternative data access interfaces. This will begin to change on September 12, 2026, when new equipment design obligations take effect, requiring that connected products and related services be built with easy and secure access to operational data. 

    But portability alone isn’t enough. For data to be truly usable across systems, it must also be interoperable (defined in Chapter VIII “Interoperability”). That’s why the Act mandates data flow within and between data spaces, facilitated by clear documentation on data structures, formats, and vocabularies. Even if full switching isn’t yet technically feasible in all cases, good documentation already makes a difference. It enables businesses to integrate and build value on top of existing systems, laying the groundwork for a more open and competitive digital ecosystem. 

    Cyber exercising:
    The cornerstone of
    cyber resilience

    Cyber exercises must be integrated into our security strategy to truly strengthen cyber resilience. These structured simulations test an organisation’s readiness against real-world cyber threats. They help teams practice incident response, refine decision-making processes, clarify communications channels, assure roles and responsibilities, test assumptions, hone tactics, techniques, and procedures (TTPs), and build confidence in crises.

    From critical infrastructure to corporate enterprises, cyber exercising equips teams with the practical experience to respond with clarity and speed. Whether defending national infrastructure or safeguarding sensitive customer data, these exercises transform static response plans into living capabilities. 

    Make the most of the Data Act opportunities

    The EU Data Act signals a fundamental change in the dynamics of industrial data. Instead of locking data behind proprietary walls, it opens the door for machine users to tap into the raw information they need to drive innovation. This shift challenges vendors to rethink their role - not as gatekeepers, but as enablers - creating value through services and solutions rather than control.

    This shift is already reshaping the industrial landscape. At Nortal, we help customers navigate this kind of transition, especially when systems were previously closed. When raw data, like simple counter readings, becomes openly accessible, building modern data platforms becomes significantly easier. And when customers want to analyze or enrich that data, it opens the door to new kinds of digital services that go beyond just offering access and actually delivering insight and impact. 

    This evolution challenges equipment vendors to rethink their digital offerings. Simply providing access to data is no longer enough. They must create services that do something genuinely useful with it. That’s a win for everyone: users gain flexibility and control, and vendors are pushed to innovate.

    Looking ahead, new investments should be made with data access in mind. Procurement contracts should explicitly guarantee access to the minimum operational data required for effective monitoring and optimization. This principle is reinforced by Chapter II, Article 3 of the Data Act, which mandates that all connected products and related services placed on the EU market after September 12, 2026, must be designed to ensure that such data — and its metadata — is easily, securely, and freely accessible to users in a structured, machine-readable format, and, where feasible, directly accessible.

    But don’t wait for regulation to do the heavy lifting. Treat data access as a legal checkbox and a strategic lever for agility and competitiveness. Avoid vendor-controlled platforms that limit your visibility. Challenge your suppliers. And most importantly, ensure your future investments align with the ideology of openness and interoperability. 

    Key definitions and further reading: 

    Why cyber exercising matters

    • Reveals critical gaps in technical controls, escalation paths, and decision-making workflows.
    • Fosters organisation-wide collaboration, improving coordaination and communication across all roles, functions, and levels. Builds confidence under pressure, giving participants, groups, and organisations muscle memory they can rely on.
    • Exposes participants to real-world attack techniques, improving detection, containment, and familiarity.
    • Strengthens regulatory and stakeholder alignment by stress-testing notification and reporting procedures in a simulated environment.
    • Fosters a culture of continuous improvement by turning lessons from exercises into actionable changes across people, processes, and technologies. 

    Get in touch

    Nortal is a strategic innovation and technology company with an unparalleled track-record of delivering successful transformation projects over 20 years.