What Is Actually Changing
The EU Data Act 2025 is one of the central pillars of Europe’s new data strategy. The regulation — fully applicable from September 2025 — establishes a harmonised framework for data access, data portability, interoperability requirements, and regulated data sharing between businesses, users, and public authorities.
In Europe this translates into new responsibilities for fintech companies, SaaS startups, cloud providers, ISPs, and businesses that develop or deploy connected products (IoT).
In other words, the Data Act marks a fundamental shift in how data is treated:
data generated by a product or service can no longer remain locked inside the provider’s systems — it must be accessible, reusable, and transferable securely under EU law
For European companies, this means acting now to avoid operational mistakes, contractual gaps, and competitive delays.
The Non-Negotiables
The business obligations under the EU Data Act apply to anyone developing digital technologies or operating cloud/SaaS services within the EU.
Among the most important obligations:
- Right of access to data generated by connected (IoT) products, granted to users or device owners.
- Mandatory cloud switching: users must be able to move to another cloud service with no technical or contractual barriers.
- Interoperable data requirements, including machine-readable formats, standardised APIs, and appropriate metadata.
- Data sharing obligations for SMEs and fintechs, when requested under legally defined circumstances.
- Structured procedures for responding to public-sector data requests in specific situations.
- Greater transparency around data processing services, roles, and responsibilities between data holders and data users.
For fintechs, cloud providers, and EU startups, this means integrating the Data Act into everyday operations; from contracts and architecture choices to processes and customer support.
Secure Data Access and Transparency: What Really Changes
A core principle of the EU Data Act is that anyone who uses or owns a connected product has the right to access the data that product generates.
This affects:
- financial IoT devices
- smart POS terminals, payment systems, transaction sensors
- industrial or retail connected products
- piattaforme SaaS platforms that generate operational or usage data, logs, analytics, or metadatache generano dati operativi, di utilizzo o log
Providers must ensure that such data is accessible, exportable, and transferable — while maintaining privacy and security under the EU Data Act.
It is a delicate balance: rapid access for users, strong protection for the business.
What This Means for Tech Leaders
Complying with the EU Data Act 2025 is not simply a matter of writing new policies ; it touches technology, contracts, governance, and security.
Here are the practical steps companies must take:
- Map your data: identify what is generated by users, devices, or services (essential for ISPs, fintechs, and IoT companies).
- Review contracts: add portability rights, cloud switching terms, data processing responsibilities, and interoperability clauses.
- Prepare export tools: clear formats, standard APIs, transparent documentation.
- Define processes for B2B and government requests: authentication, secure handling, response timelines.
- Ensure GDPR-aligned security and privacy: distinguish what falls under the Data Act vs. personal data processing.
- Develop compliance evidence to share with enterprise customers or auditors.
Across Italy, more clients are already asking questions about interoperability, cloud switching, and rights over data. Preparing now means fewer friction points in sales and procurement.
Three Plausible Scenarios Under the EU Data Act
1. A fintech company integrating financial IoT devices
Fintechs using smart payment terminals, sensors, or connected devices generate large volumes of operational data.
Under the EU Data Act, they will need to provide secure data access and export mechanisms for customers.
Standardised access tools and interoperable formats can reduce manual work, prevent errors, and strengthen trust with banking partners, who increasingly prioritise transparent data handling.
2. A SaaS platform operating in multi-cloud environments
Enterprise buyers are already concerned about vendor lock-in.
The EU Data Act obliges cloud and SaaS providers to support cloud switching, removing technical or contractual obstacles.
A SaaS platform could therefore revisit its APIs, document its data formats, and introduce structured portability procedures, enabling smoother onboarding and becoming more competitive in procurement processes.
3. An IoT SME selling connected products across Europe
Companies building IoT products will receive an increasing number of data access requests from users, clients, or partners.
Without structured processes, each request becomes an operational bottleneck. An SME could establish clear criteria, internal roles, and official channels for managing data requests; improving consistency, reducing support workload, and raising brand reliability in a more regulated market.
How to Know Whether Your Company Needs to Act Now
Ask yourself:
- Do we know which datasets fall under the EU Data Act and which under GDPR?
- Do we have a clear process for giving users access to data generated by connected products?
- Can our clients switch cloud providers without technical or contractual blocks?
- Can we respond to B2B or government data requests without improvisation?
- Do our contracts truly reflect our technical practices?
If any answer is “not yet,” the risk is twofold: regulatory non-compliance and commercial slowdowns.
Why Companies Must Act Now That the EU Data Act Is in Force
With the Data Act now active, compliance can no longer be treated as a future project. Delays increase the likelihood of non-compliance, slow down negotiations, and create friction with customers who already demand guarantees on data portability, cloud switching, and interoperable data requirements.
An expert partner can turn the EU Data Act from an operational threat into a competitive advantage by interpreting the regulation, designing realistic processes, and building architectures that withstand due diligence and audits.
interpretando la norma, definendo processi reali e costruendo architetture che resistono ad audit e due diligence.
A dedicated partner helps you:
- Build data inventories aligned with data holder, data user, and data processing definitions
- Implement real interoperability across platforms, APIs, and formats
- Structure B2B and public-sector request workflows
- Update contracts, SLAs, and cloud switching clauses to reduce vendor lock-in risks
- Ensure privacy, security, and data minimisation — harmonising Data Act and GDPR
- Prepare a practical checklist for Italian SMEs, ISPs, and startups
The outcome is tangible: less risk, greater control, and a stronger position in the evolving European data governance landscape.
Ready to Turn the Data Act Into a Strategic Advantage?
Blue Networks supports fintechs, SaaS providers, ISPs, and SMEs across Italy in rapidly and effectively aligning with the EU Data Act, with concrete solutions, clear processes, and measurable results.
Don’t wait for clients or auditors to uncover gaps. Contact us now and put your company in a position to lead — not chase — the new European data economy.