Over the course of this year, CIOs have spent time studying the Data Act, the European digital regulatory framework composed of a set of laws united by the aim to encourage innovation in European companies, and to open up new markets. It came into force in January and will apply from September 2025 to define who can access and use data generated in the EU in all economic sectors. The measure aims to ensure fair distribution of data value among digital actors, stimulate a competitive data market, open up opportunities for data-driven innovation, and make data more accessible to. In practice, it’s the framework of rules from which a data-driven company can take flight.
It is, in fact, a law born in the era of big data, including personal and commercially valuable data, with the potential to bring competitiveness to the EU, provided it’s managed in a way that protects the rights of businesses and individuals. For this reason, the Data Act gives everyone greater control over their data, allowing businesses to migrate data processing services more easily from one provider to another. The Data Act also implements safeguards against illegal data transfers by cloud providers, and provides development of interoperability standards for reuse of data across sectors.
“The opportunity offered is enormous,” says Maria Roberta Perugini, data protection and data governance attorney and member of European Data Protection Board. “The Data Act aims to open the data market by defining certain rules to circulate and enhance data safely. For companies, it supports the data-based business model of the future. And the CIO has a key role, especially in starting this process, and will have to show a great creative spirit in implementing data-related processes, because within the opening of the information market, the CIO will have to find ways to create value.”
Giacomo Degasperi, legal expert and founder of Italy-based information platform Legal4Tech, also highlights the positive impacts of the law. “The goal of the Data Act is to facilitate companies’ access to data from connected devices as a means to generate returns, as well as facilitate data-driven innovation,” he says. “The law offers great opportunities for CIOs to incentivize innovation because it makes it easier for companies, especially SMEs, to access data in order to create new business models. A lot of data isn’t utilized because it’s not easy to access, but the law ensures access and interoperability, and requires companies to be more aware and mature in data use.”
What the EU Data Act provides
Perugini details that the new act starts from the fact that connected products and related digital services lacked a harmonized regulatory framework capable of reorganizing and specifying who has the right to use data, and on what basis and under what conditions.
Currently, data generated by connected devices is mainly controlled by device providers, limiting user access and the ability to share it with third parties. With the Data Act, users will have the right to access their data and share it freely with others. To this end, from September 2026, manufacturers will have to offer devices and apps on the market that comply with the principle of data accessibility by design, meaning they’re accessible in a secure and direct way with the ability to share with third parties. This creates new opportunities for innovative services and business models based on data sharing and use.
The Data Act also protects European companies from unfair terms in data-sharing contracts that one contracting party unilaterally imposes on the other. This will enable SMEs in particular to participate more actively in the data market. Plus, it’ll enable customers to seamlessly and cost-effectively switch between different cloud providers, or combine data services from different ones.
Despite the focus on data sharing, compliance with privacy regulations remains central to the Data Act. Companies must ensure each use of data is clearly explained to data owners, offering them the ability to easily give or withdraw consent for each activity. For this reason, the Data Act promotes the development of smart contracts, or automated agreements, that execute transactions based on predefined conditions. These tools not only ensure transparency in data sharing agreements, but they decentralize control within the digital economy.
“Managing information gives great competitiveness to companies, including SMEs, and this law represents an opportunity,” says Perugini. “But we must act with determination, in the knowledge that, without data, companies disappear.”
How CIOs are working on the Data Act
As required by current regulations for private healthcare, elderly healthcare management company Karol Strutture Sanitarie collects patient data in their medical records, allowing them to use it even after hospitalization. The data is, in fact, recorded by medical devices, remains in the logs, and is shared with the suppliers or manufacturers of these devices.
“The Data Act impacts data sharing,” says Massimo Anselmo, its director of information systems. “An important aspect is, for example, our ability to use patient data for research purposes after anonymizing them, in line with GDPR. The Data Act helps us because it defines more clearly how to use this data, and we’re currently trying to understand if, compared to the past, there’s more data we can make available to patients. So not only the results of a diagnostic test, but specifications of the machine used. Most of the medical machines are owned by us, but with the Data Act, we’ll always have a relationship with the manufacturer to analyze the logs and verify their correct functioning or schedule maintenance. I also foresee an intervention on contracts with suppliers, together with the legal office, and on rental machines to control which data are shared and for how long.”
The impact on Karol’s data governance won’t be a major upheaval either, adds Anselmo. “I’ll have to work, above all, on monitoring data traffic and protecting communications, while isolating some data and regulation of access,” he says.
From cloud to privacy: the law’s highlights
There are some particular articles of the Data Act that would pique the interest of the CIO. Articles 4 to 6, for instance, establish that companies adopt tools and processes to guarantee access to user data directly or through authorized third parties, and support their access requests. These obligations concern manufacturers of connected devices, but also providers of services such as cloud or data analysis. For CIOs, this means they’ll be facilitated in switching from one provider to another.
Also germane is the obligation of interoperability, outlined in articles 28 and 30, or the ability of applications and systems to exchange data securely and automatically beyond geographical and political borders. Therefore, cloud and edge computing service providers must ensure data interoperability, and that it extends to APIs that must be open and standardized.
“The CIO will be able to verify their technology providers comply with these standards and the possibility of migrating between providers, or using multiple providers,” says Degasperi. “This is particularly relevant for cloud providers. The CIO will have to ensure they use compliant platforms that make it easier and less expensive to migrate to another platform.”
And Article 3 is important in reference to GDPR. “If companies share data with each other, they must protect privacy and cybersecurity — another task for the CIO,” he says. “There’s also parts in Articles 14 and 15 about contracts. There must be coordination with the legal team because companies have to ensure contractual clauses with suppliers comply with provisions of the Data Act regarding what data can be collected, who can access the data, how long it can be stored, and so on.”
For Perugini, a relevant point is the burden of accessibility by design. If connected devices must be designed to make access to user data always directly possible, the CIO will have to deal with the technical solutions related to access authorization based on the user’s credentials, and the security of transmission to others. This can concern the CIO regardless of whether the company operates as a manufacturer, seller, supplier, or user of a connected device.
“The CIO must be an active part in creating the rules and solutions for these accesses, and must know the connected product and the Data Act well, and try to design both technical and organizational actions for compliance,” says Perugini. “The CIO must prevent the risk of violation by hackers and unauthorized users.”
There’s also the question of data retention. The CIO must establish, together with other company functions, retention times, which must be scheduled based on the actual use of data collected by connected devices. “Of course, there may be an overlap with GDPR which, on personal data, remains the main reference law,” she says.
Tasks of the CIO
There are many things the CIO will have to perform in light of Data Act provisions. In the meantime, as explained by Perugini, CIOs must do due diligence on the data their companies collect from connected devices and understand where they are in the value chain — whether they are the owners, users, or recipients.
“If the company produces a connected industrial machine and gives it to a customer and then maintains the machine, it finds itself collecting the data as the owner,” she says. “If the company is a customer of the machine, it’s a user and co-generates the data. But if it’s a company that acquires the data of the machine, it’s a recipient because the user or the manufacturer has allowed it to make them available or participates in a data marketplace. CIOs can also see if there’s data generated by others on the market that can be used for internal analysis, and procure it. Any use or exchange of data must be regulated by an agreement between the interested parties with contracts.”
The CIO will also have to evaluate contracts with suppliers, ensuring terms are compliant, and negotiate with suppliers to access data in a direct and interoperable way. Plus, the CIO has to evaluate whether the company’s IT infrastructure is suitable to guarantee interoperability and security of data as per GDPR. And updating teams on regulatory developments and collaborating with colleagues from the legal team or with legal consultants is important. IT action alone isn’t enough. In compliance with the Data Act, organizational and governance aspects are essential, and the CIO will have to collaborate with other functions.
But acquiring skills on the Data Act and the possible use of consultants could increase the costs of compliance, especially for SMEs. But according to Degasperi, there’s a great opportunity to create a more open and collaborative digital ecosystem that avoids data monopolies. “Of course, companies must adopt a conscious and strategic approach, and the CIO will have to rethink data governance,” he says. “The key will be to find a balance between fulfilling regulatory obligations and exploiting opportunities.”
Perugini advises companies to get out of a conservative mindset in order to take advantage of the European law and truly transform into data-driven companies. This will require careful study of the provisions, and an understanding of how to apply them to operations. This will be, in part, a task for the creative CIO because, starting from the tools offered by the Data Act, they’ll have to discover how to use them to spark innovation.
Read More from This Article: What CIOs are in for with the EU’s Data Act
Source: News