EU Data Act reshapes business landscape with new data rights
The European Union's far-reaching Data Act has officially come into force, signalling a significant shift in the continent's approach to data access, sharing and governance. The legislation, aimed at creating a fairer and more competitive digital landscape, ushers in a new era of accountability for businesses and unprecedented rights for users over their data. The reactions from the technology and cybersecurity sectors reveal both optimism and concern as organisations strive to adapt to stricter standards and fresh opportunities.
Gregory Hanson, Group Vice President and Head of EMEA North at Informatica, described the act's arrival as a "defining moment" for businesses. "As the first wave of the EU Data Act takes effect, businesses face a defining moment: commit to data transparency or risk being left behind. Data access and sharing might sound administrative, but they are the lifeblood of a functioning AI economy. Without clarity on who within the organisation owns what data, and whether it's usable, innovation will stall," Hanson said.
He stressed that compliance should not be perceived as a constraint, but as a catalyst for competitiveness. "Fair, reasonable and non-discriminatory terms and data transparency should be seen as a launchpad, not a limitation. If your data can't be found and used responsibly, it's a liability not an asset. For the EU Data Act to deliver on its promise, businesses must invest in strong foundations: data quality, lineage, governance and control," Hanson added, positioning data fitness as the new yardstick for success in the continent's digital economy.
The regulatory landscape is set to have extensive implications for artificial intelligence and cloud-driven businesses. Jane Smith, Field Chief Data & AI Officer EMEA at ThoughtSpot, believes the new rules are poised to "drive both accountability and opportunity for AI" by making data not only more available, but also more transparent and explainable.
"The EU Data Act establishes necessary rules on data access and portability. It also sets new standards for explainability, fairness and transparency. Moving forward, organisations will be held accountable for data access and sharing, as well as regulatory compliance," said Smith.
She noted that the act ensures data generated by Internet of Things (IoT) devices must be shareable, and data portability is expanded across sectors from healthcare to manufacturing. "This new regulation creates tension, but also an opportunity for AI. These new obligations create pressures, but access to high-quality data, built on compliance, enables AI to thrive."
Smith highlighted that, whereas unregulated AI invoked fears around black-box decision making, "the Act makes the technology more valuable. It provides guardrails that enterprises can trust. Instead of fearing opaque AI systems, organisations now have the regulatory legitimacy to adopt AI responsibly."
On a practical level, the EU Data Act directly addresses the challenges and benefits surrounding data portability and cloud vendor lock-in. Tim Pfaelzer, Senior Vice President and General Manager EMEA at Veeam, noted, "While many organisations have embraced hybrid environments for their flexibility, many have done so at the expense of data portability – making it harder to move, access, and secure data. With new requirements not only on data portability, but also accessibility, the Act highlights why flexibility needs to be a key consideration."
Pfaelzer pointed out that organisations may have robust resilience plans, but if their data remains inaccessible, "it could also leave them in breach of the incoming Act. Taking proactive action now won't just benefit organisations with compliance today, but tomorrow as well. Secure yet accessible data will be a key differentiator."
From the perspective of workplace AI, Juliet Bramwell, Vice President EMEA at Glean, welcomes the change as a step toward an open, trusted data economy. "By giving users greater access to their own data, removing barriers to switching providers, and setting higher standards for governance, the Act is designed to shift power back to businesses and consumers. For enterprises, the message is clear: data sovereignty and interoperability are no longer optional." Bramwell sees compliance as an opportunity: "Companies that embrace these principles will be better positioned to innovate responsibly, earn user trust, and build AI systems that are sustainable in the long term."
Yet, not all stakeholders see the changes in an unequivocally positive light. Adam Blake, CEO at cybersecurity firm ThreatSpike, voiced strong concerns over the Act's ambiguous language around forced data sharing. "That ambiguity could easily weaken security. If companies are compelled to expose too much, attackers and competitors might end up being privy to details that were never meant to be public. The rules are far too open to interpretation here."
Blake warned that for small and medium-sized enterprises (SMEs), the new measures represent a substantial burden, possibly entailing considerable expenses to stay compliant. "Imagine the costs of redesigning products, building shareable data interfaces, and coping with ongoing compliance and legal demands. I suspect a lot of SMEs won't have the resources to fight that battle." He also questioned how effective enforcement will be, citing patchy compliance with GDPR as a cautionary precedent.
As the EU Data Act enters into force, European businesses confront a new set of technical and ethical standards around data. For many, the coming months will reveal whether the legislation truly achieves its ambition of boosting digital innovation by making data not just open, but also accountable, portable, and trustworthy.