New EU Data Act may impact companies’ GDPR compliance efforts
By 
Neil Hodge2025-10-27T19:06:00
New rules that have recently come into effect across the EU will allow for greater transfers of data between companies, though experts fear the changes could conflict with Europe’s strict privacy legislation, which protects personal information.
The EU Data Act (EDA), which came into force on Sept. 12, will fundamentally change how companies handle data from connected products and related services. The EDA gives users (both businesses and consumers) rights to access, use, and share data generated by Internet of Things (IoT) devices, smart appliances, or industrial equipment. This impacts manufacturers, service providers, and cloud operators, including non-EU companies offering services to EU customers.
Cloud providers, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) firms, must enable seamless switching, remove technical and contractual lock-ins, and ensure interoperability. For manufacturers, connected products placed on the market after September 2026 must allow users to access data either directly or on request, in structured, machine-readable formats, promoting transparency and control.
Related articles
-
ArticleEmployee use of ‘shadow AI’ poses significant risks for companies
Companies face increased risk of cyberattacks, data loss, and even regulatory action because employees are using unapproved “shadow AI” tools to help with work-related tasks.
-
PremiumShadow AI: Another element of TPRM
Companies may face significant financial and legal risks if they fail to vet suppliers and third parties over their use of unauthorized AI and how the technology may use and share their corporate data.
-
ArticleEU targets crypto, fintech firms in push to tackle money laundering
Europe’s banking regulator warns that weak compliance at fintech, regtech, and crypto firms may let money laundering and terrorist financing risks slip through. The EBA also found EU regulators’ approaches are often inconsistent and unclear.
More from Regulatory Policy
-
ArticleCalifornia climate rules cause uncertainty as CARB delays draft guidance
California has delayed the release of draft greenhouse gas reporting rules for businesses until early 2026, the California Air Resources Board said.
-
ArticleNine states collaborating on data privacy enforcement across state lines
Nine states are collaborating to write and enforce comprehensive data privacy laws, in an effort to protect consumers across jurisdictions and due to the absence of a broad, federal privacy law.
-
News BriefFINTRAC hits British Columbia crypto firm with record $125M penalty for AML failures
Canada’s financial intelligence agency has issued its largest-ever penalties against a cryptocurrency exchange, a fine of $126 million (CA$176.9 million). The agency said the exchange’s compliance failures represented a “severe breach of Canada’s anti–money laundering framework.”