What are my technical options for Compliance to the EU Data Act?
Over the last few articles, I have tried to explain the EU Data Act, why Data Holders need to care about it and what compliance actually entails. In this article, I will attempt to briefly outline the technologies that a data holder can use to reach data sharing compliance as holder of IoT data.
Typically, your infrastructure as a data holder will consist of diverse connected devices feeding into a device management/ingestion interface and on to a structured or unstructured data store. Feeding off this store will be applications that parse the data and present a selection of it via user interfaces for the data subjects and all of it for internal applications or users.
Of particular note is that as of today, all the collected data is legally yours. After September 12 however it’s no longer as ownership is transferred to the data subject. This unfortunately has far reaching implications on your solution design.
To comply with the data act, you will need to add a layer over the data store in which every data field can be functionally mapped, and compliance governance rules applied. This mapping and governance layer will need to be augmented by updated user interfaces in which authenticated data subjects will be able to view the entire data map and request specified data be provided or externally shared in machine readable formats to any 3PP. A new application will need to be developed to extract and package this data and to expose it via file or API. A contract engine will need to be developed and deployed to ensure that every sharing event is covered by digitally signed legal agreements between all three parties and all operational interfaces will need to be developed.
Options for compliance can be grouped into three broad categories.
1) Code compliance support yourself
2) Use a compliance 3PP plugin or external service
3) Wait for your underlying data processor platform provider to add compliance
As many data holders are using IoT infrastructure provided by data processor platform providers, it is tempting to simply expect that these platforms will add support for the Data Act on or before Sept 12 as software upgrades. Unfortunately, there is little evidence that this is so. Having spoken with all major cloud providers, it seems that this level of data sharing compliance is too far up the stack for them to provide support inside their IoT platforms. Compliance is currently up to the data holder to manage.
At Greenhouse Group our focus is on helping with options 1 and 2. If you need to add compliance support into your IoT infrastructure and want to do it yourself, we can help with translating the legal text into practical implementation requirements to reach compliance with the minimum of disruption and effort. On the other hand, if you want to find a 3PP who can help you reach compliance quickly and simply then we can help identify the most appropriate solution provider for your industry.
A few examples of solution suppliers for legacy data we have spoken to include:
Aeris IoT SaaS
Before starting Greenhouse Group I was working on the data act for Aeris Automotive business unit. The Nexus platform is their solution to providing compliance via the Aeris Mobility Suite telematics platform. If you are a vehicle OEM this can be a good solution.
Tranquil Data
If you are a US company with customers in Europe and a need to comply, then drop a line to Tranquil Data whose platform can help with data mapping and governance. Tranquil Data frames and enforces correct use and sharing, enabling consent-based sharing for the Data Act and ensuring correcting use across EU and US services.
Redacta
A recently announced solution that seems to tick a lot of the boxes is the Redacta platform by 3FS Nordics. If your data is sitting on AWS or Azure then Redacta offers a simple installable agent connected to a multi-lingual SaaS layer. If you have structured data, 3FS claim that you can go from zero to full compliance in 14 days without any need to re-code existing applications.
These are just a few of the solutions that are target 2025 compliance. Many others are sector-specific and heavily focused on 2026 requirements specifically around EU Data Spaces.
Irrespective of where you are in planning for the EU Data Act, Greenhouse Group can help you quickly develop the right compliance product, strategy and go to market approach for September. Just give us a call on +46733258590 or drop us a message. The next article will go deeper into this.
