The Data Act & AI Governance: Europe’s Double Strategy for a Responsible Data Era.

How companies benefit from Europe’s new data act order and AI strategy

1. Introduction: The Data Act—More Than Just Another Law

With the entry into force of the EU Data Act in September 2025, Europe is embarking on its most ambitious data economy transformation to date. This regulation, officially known as Regulation (EU) 2023/2584, will impact a data-driven ecosystem already valued at over €550 billion—roughly 4% of EU GDP—with projections expecting the value of the European data economy to reach €1 trillion by 2030 (European Commission, Data Market Monitoring Tool, 2024).

The Era of Data Abundance—and Fragmentation

In 2024, Europe hosted over 12 billion IoT devices (Statista, 2024), with industrial IoT alone accounting for more than 3.5 billion connected assets in factories, agriculture, mobility, and smart cities. The daily data generated in the EU is measured in exabytes: for example, connected cars produce up to 25GB per hour; a smart factory may generate several petabytes per year.

Yet, despite this abundance, the value of data remained locked in proprietary silos:

Only 25% of EU businesses currently share data with external partners (Eurostat, 2023).
85% of industrial data remains unused (European Commission, 2022).
Cross-border data use within the EU is below 15%.

The Compliance-Driven Era Is Over

The Data Act signals a new chapter, going far beyond previous legal regimes (like the GDPR or Data Governance Act). For the first time, access, portability, sharing, and re-use of data are harmonized across all 27 EU member states and for all key sectors—from manufacturing to mobility, energy, and healthcare.

Key facts:

The Data Act covers all data generated by connected products (IoT, machinery, vehicles, smart devices) and related services, regardless of sector.
It affects over 400,000 companies—from industrial giants to SMEs and startups.
The Commission estimates that the Data Act will create an additional €270 billion in GDP and 2.7 million new jobs by 2030, as data-driven business models flourish (EU Impact Assessment, 2023).

Foundation for Trust, Innovation, and Global Leadership

But the Data Act is more than a compliance checkbox. It is the essential foundation for a secure, trustworthy, and innovative digital economy—where data becomes a shared asset, not a private fiefdom.

For consumers, it means real control and transparency.
For companies, it opens new business models and access to European and global data spaces.
For governments, it ensures responsible crisis response and fosters innovation.

Why AI Governance Is the Necessary Twin

Crucially, the Data Act sets the rules of the road—but it is only with robust AI Governance that the journey becomes safe, ethical, and future-proof.

As of 2025, Europe will host more than 35,000 specialized AI models (CB Insights, 2025), with over 2,200 foundation models available on leading platforms.
AI-driven automation is expected to generate €400 billion in productivity gains for the EU by 2030.
However, every AI breakthrough is only as strong as the data behind it—and every risk (bias, security, legal liability) multiplies with poorly governed data.

Conclusion: The Data Act and AI Governance together represent Europe’s double helix of digital leadership.

The Data Act unlocks the value and movement of data.
AI Governance ensures that this data is used responsibly, ethically, and in compliance with European values.

Only in synergy can Europe create a digital economy that is globally competitive, resilient, and truly trustworthy.

2. What Does the Data Act Actually Regulate?

a) Data Access, Portability & Fairness

For the first time, the Data Act gives both individuals and businesses in the EU a clear, enforceable right to access and use data generated by their connected products—ranging from smart home devices and cars to industrial machinery.

This includes over 12 billion connected devices in Europe (Statista, 2024), with the number projected to reach nearly 15 billion by 2027.
The right specifically applies to raw and pre-processed data—for example, sensor readings, usage logs, or operational data.
Highly enriched, inferred, or “content” data (such as software-generated insights or copyright-protected works) are explicitly excluded (Data Act, Recital 15–16; FAQ #4–6).
Users can freely port this data to third parties, fostering competition and enabling new digital services. Currently, less than 30% of EU consumers exercise data portability rights; the Data Act is designed to multiply this figure.

Example: A logistics company can access real-time vehicle telematics data from its fleet and share this data directly with maintenance providers, route optimizers, or insurers—without being locked into one platform.

b) Protecting Weaker Market Participants & FRAND Conditions

To correct market imbalances, the Data Act enforces FRAND (Fair, Reasonable, and Non-Discriminatory) terms for data access and sharing, particularly benefiting SMEs (which make up over 99% of all EU businesses) and consumers.

The Commission found that over 60% of SMEs lack bargaining power in data contracts (EU Impact Assessment, 2023).
Unfair contract terms—such as unilateral clauses that restrict data use or impose hidden fees—are now prohibited (see FAQ #41–42).
The EU will provide model contract clauses to support SMEs and harmonize practices across the Single Market.

Example: A small manufacturer must be able to access equipment data from its leased machinery and cannot be forced into unfavorable or one-sided data-sharing agreements with larger vendors.

c) Data Access for Public Authorities in Emergencies

In exceptional cases—such as natural disasters, pandemics, or other crises—the Data Act empowers public authorities to request access to specific corporate data.

This right is strictly limited to well-justified, time-bound, and purpose-specific requests (Data Act, Article 15; FAQ #43–50).
Authorities must clearly document and explain the necessity, proportionality, and intended use of the requested data.
After use, data must be deleted within 6 months, unless otherwise required by law.

Example: During a flood, city officials can request real-time mobility data from e-scooter or ridesharing companies to coordinate emergency response, then must delete the data after the crisis is resolved.

d) Cloud Switching & Interoperability

Vendor lock-in is a major barrier: Over 40% of EU companies cite switching costs as the top obstacle to moving between cloud providers (Eurostat, 2023).

The Data Act mandates open standards, data portability, and interoperability for cloud, platform, and data processing services.
From January 2027, all switching fees must be eliminated; until then, they are capped at cost-recovery levels (Data Act, Article 29; FAQ #54).
Providers must support standardized export formats and facilitate smooth transitions.

Example: An energy company can migrate smart grid data and digital assets from one cloud provider to another—seamlessly and at no extra cost—enabling multi-cloud and sovereign EU data strategies.

e) Protection of Trade Secrets & Security

Data sharing under the Data Act must not endanger trade secrets, intellectual property, or critical infrastructure security.

Companies can invoke a so-called “Trade Secrets/Safety Handbrake” if disclosure would cause serious and demonstrable economic harm or risk (Data Act, Article 4(6–8); FAQ #23–25).
This requires objective evidence, prior notification to authorities, and the possibility of dispute resolution.
Sector-specific rules (e.g., in defense, healthcare, or finance) may impose additional safeguards.

Example: A robotics manufacturer may restrict access to proprietary calibration algorithms or sensitive sensor data if disclosure could facilitate industrial espionage.

f) Alignment with Other EU Regulations

The Data Act does not operate in a vacuum. It is designed to complement and, where needed, take precedence over sectoral and national laws—always in harmony with the GDPR and data protection frameworks.

In case of any conflict, GDPR rules on personal data take priority (FAQ #1–2, #18).
Sector-specific rules (such as in automotive, energy, or health) may add further requirements, but cannot undercut the baseline Data Act protections (FAQ #3, #65).
International providers (cloud, IoT, platforms) must ensure full compliance when offering services in the EU, regardless of their headquarters.

Example: A US-based cloud provider hosting data for a German hospital must implement both Data Act and GDPR requirements, ensuring data access, portability, and privacy are maintained.

Summary: The Data Act fundamentally restructures how data is accessed, shared, and governed in Europe—laying the groundwork for open, fair, and secure digital markets, and ensuring that every data interaction supports innovation, trust, and European values.

3. Practical Use Cases—How the Data Act Delivers Value

Industry 4.0: Unlocking Predictive Maintenance & Smart Manufacturing

Challenge: In Europe’s industrial sector—home to over 2.8 million manufacturing companies—vast quantities of data generated by machines, robots, and sensors remain untapped. Studies show that up to 75% of industrial data is never analyzed or reused (European Commission, 2024).

Data Act Solution:

The Data Act obliges machine and equipment manufacturers to provide access to raw and pre-processed machine data to end-users, operators, and authorized third parties.
This enables predictive maintenance providers to connect directly to equipment in the field, analyze real-time data streams, and predict failures before they occur.
Companies can choose the best service providers, fostering a dynamic maintenance market and ending vendor lock-in.

Impact:

Predictive maintenance can reduce unplanned downtime by up to 50% and lower maintenance costs by 20–30%(McKinsey, 2024).
The EU estimates that fully leveraging industrial data could add €110 billion per year to European manufacturing productivity.

Example: A German car parts supplier accesses sensor data from its automated assembly lines (e.g., temperature, vibration, cycle counts) and shares it with an AI-based maintenance startup. The startup uses these data to offer real-time alerts and optimization strategies, extending equipment life and cutting costs.

Agriculture: Smart Farming & AI-Driven Yield Forecasting

Challenge: EU agriculture is rapidly digitalizing, with over 20% of European farms now using connected tractors, drones, and sensors (Eurostat, 2024). However, most data is siloed by manufacturers and rarely interoperable.

Data Act Solution:

Farmers and cooperatives gain the right to access and port all data generated by their equipment—from soil sensors to combine harvesters.
They can share this data with agri-tech startups, weather services, or cooperative AI platforms for advanced analytics and yield prediction.
The market for agricultural data services is expected to reach €7 billion in the EU by 2027 (AgFunder, 2025).

Impact:

Data-driven farming boosts productivity by up to 15%, reduces input costs, and supports sustainability (European Parliament, 2024).
Open data ecosystems foster rural innovation and empower smallholders, not just agro-industry giants.

Example: A French farmer exports machine and environmental data from connected tractors to an independent AI platform. The platform combines weather, satellite, and machinery data to forecast yield, recommend fertilizer, and optimize irrigation—resulting in higher profits and lower environmental impact.

Smart Cities: Optimizing Mobility & Environmental Management

Challenge: Urban areas generate petabytes of mobility, energy, and environmental data daily, but only about 20% of cities use this data for cross-sectoral optimization (EU Smart Cities Marketplace, 2024).

Data Act Solution:

Public authorities, mobility companies, and infrastructure operators can legally and securely exchange data—from air quality sensors to shared vehicle usage.
Standardized access and interoperability enable the creation of city-wide digital twins, real-time traffic management, and coordinated climate action.
EU cities are expected to invest over €25 billion in smart city solutions by 2026 (IDC, 2025).

Impact:

Integrated mobility management reduces congestion by up to 30% and emissions by up to 25% (European Environment Agency, 2024).
Data sharing enables crisis response—such as during floods, where scooter GPS data helps emergency services optimize rescue routes (see Data Act FAQ #43–50).

Example: The city of Barcelona shares mobility and environmental sensor data with local startups and academic partners. The result: improved public transport routing, dynamic congestion pricing, and air quality alerts—demonstrating the economic and societal value of open urban data.

Healthcare: Empowering Patients with Interoperable Medical Data

Challenge: The EU’s digital health ecosystem includes over 350 million citizens and 1.4 million medical devices, but health data is often fragmented across providers and locked in vendor systems.

Data Act Solution:

Patients gain a clear right to access and port data from wearable devices, smart monitors, and connected medical equipment.
Data can be shared with healthcare professionals, second-opinion services, or digital therapeutics providers—across borders and IT systems.
The EU is investing €5.1 billion in the European Health Data Space (EHDS), aiming for full interoperability by 2030.

Impact:

Seamless data sharing leads to faster diagnoses, improved treatment adherence, and more personalized care.
Studies show that medical IoT and data-driven care can reduce hospitalizations by 10–20% and save billions in public health costs (European Commission, 2024).

Example: A diabetic patient in Sweden synchronizes glucose monitor data with a cloud portal, shares it instantly with doctors in Germany and a digital nutrition coach. Treatment plans are personalized in real time, and adverse events are prevented.

Summary: The Data Act delivers tangible value across all sectors—unlocking data silos, accelerating digital innovation, and ensuring that data serves both economic growth and societal well-being. Each use case demonstrates how the Data Act, in concert with strong AI Governance, is turning Europe’s data abundance into a shared asset for all.

4. AI Governance: Powerless Without the Data Act

The AI Boom—and Its Governance Challenge

As Europe and the world enter an era of explosive AI adoption, the EU alone will host over 35,000 specialized AI models by 2025, serving sectors from finance and energy to mobility and healthcare (CB Insights, 2025). Over 72% of large EU enterprises now deploy AI-powered analytics or automation tools (Eurostat, 2024).

Yet, every AI system—no matter how advanced—can only be as trustworthy, ethical, and legally compliant as the data foundation on which it is built. The Data Act and AI Governance together form the “double helix” of responsible AI:

The Data Act establishes the rules and transparency for data access, portability, and sharing.
AI Governance ensures that AI is used responsibly, fairly, and with full accountability.

Key Pillars—Backed by Regulation and Practice

a) Risk Management

AI risks—bias, discrimination, unintended consequences—are a top concern for both regulators and the public. In a 2024 EU survey, 68% of citizens ranked AI “fairness” and “safety” as top priorities.

Robust, bias-free AI depends on high-quality, transparent, and traceable data (see Data Act, Article 10; EU AI Act, Art. 9–15).
Under the Data Act, companies gain access to verified, granular, and up-to-date operational data—making it possible to detect and mitigate biases early in the AI lifecycle.
Over 85% of AI failures in industry are linked to poor or opaque data provenance (MIT Technology Review, 2024).

b) Transparency & Accountability

New EU rules—including the Data Act and AI Act—mandate explainability (“Explainable AI”):

Organizations must document and explain what data was used for training, how it was processed, and how decisions are made (EU AI Act, Art. 13).
The Data Act supports this by enforcing detailed data documentation, traceability, and access rights.
In regulated sectors (health, finance, mobility), “black box” AI is increasingly unacceptable.
68% of EU business leaders report that explainability is now a key requirement for adopting AI at scale (Capgemini, 2024).

c) Liability & Auditability

When AI causes harm—be it a faulty product, unfair decision, or safety incident—traceability is essential for compliance and liability.

Only the combination of Data Act (data audit trails) and AI Governance (model auditability) allows authorities and companies to investigate and assign responsibility.
Under the EU’s proposed Product Liability Directive, companies must demonstrate not only how their AI works, but which data led to a specific outcome.

Use Case: Predictive Maintenance—Data Act & AI Governance in Action

Context: A European manufacturing company deploys AI-powered predictive maintenance on its machinery, using data from IoT sensors embedded in production equipment.

How it works under the Data Act:

The company accesses and ports raw operational data (temperature, vibration, usage logs) as guaranteed by the Data Act.
This data is used to train and refine AI models for predicting failures and optimizing maintenance.

AI Governance in practice:

The company applies AI Governance policies: ensuring data quality, documenting training data, conducting bias and fairness audits, and maintaining an end-to-end audit trail.
Every AI-driven recommendation (e.g., replace a part, adjust a process) is fully traceable—back to the specific sensor data that triggered it.

Result:

When a maintenance incident occurs, investigators can pinpoint exactly which data informed the AI’s decision, assess whether data was accurate, and identify or rule out any bias or malfunction.
This builds trust among regulators, customers, and business partners—while ensuring full compliance with EU laws.

Summary

AI without robust data governance is inherently risky and opaque. The Data Act and AI Governance are inseparable pillars:

The Data Act provides the infrastructure of trust for data,
AI Governance ensures responsible, fair, and transparent use of that data in AI systems.

Only together can Europe’s digital economy be both innovative and trustworthy.

5. Challenges & Recommendations

a) Data Classification: Building a New Taxonomy for the Data Economy

Challenge: The Data Act introduces new categories—raw data, pre-processed data, enriched data, and “content”—each subject to different rights and obligations (see Data Act FAQ #4–6).

In 2025, less than 40% of EU companies have a robust internal data taxonomy (IDC, 2024).
Poor classification leads to compliance gaps and missed opportunities.

Recommendation:

Develop and maintain a living data catalog, classifying all business data by type, source, sensitivity, and regulatory status.
Define roles: Assign clear Data Owners (responsible for data assets) and Data Stewards (managing data quality and access).
Ensure metadata and lineage documentation for traceability—a key requirement under both the Data Act and AI Act.

Best Practice: Implement automated data cataloging solutions and use the EU’s forthcoming standard templates to accelerate compliance.

b) Contract Management: Raising the Bar on Fairness and Security

Challenge: Legacy contracts rarely address modern requirements like portability, third-party sharing, or trade secret protection.

The European Commission estimates over 60% of B2B data-sharing contracts have clauses that would now be considered “unfair” under the Data Act (EU Impact Assessment, 2023).

Recommendation:

Review and update all contracts: Integrate Data Act–compliant clauses covering data access, FRAND terms, security, and confidentiality.
Use model contract terms published by the European Commission for standardization.
Implement dispute resolution mechanisms: The Data Act empowers both parties to access independent dispute bodies for B2B data-sharing conflicts (FAQ #40–42).

Best Practice: Adopt “Data Sharing Agreements” as a standard across all business relationships, detailing rights, obligations, and procedures for each type of data exchange.

c) Cloud & Internationality: Enabling Safe, Seamless, and Sovereign Data Flows

Challenge: The rise of global cloud providers means that over 55% of EU companies’ critical data is now hosted on cross-border infrastructure (Eurostat, 2024).

Risks include non-EU government access, data residency violations, and technical incompatibility.

Recommendation:

Mandate technical and organizational safeguards: Encryption, access controls, regular security audits, and compliance with EU data localization requirements.
Insist on interoperable export formats and “right to switch” clauses in cloud contracts (Data Act, Article 29; FAQ #54).
Assess third-country risk: Article 32 of the Data Act requires providers to prevent unlawful access by non-EU authorities.

Best Practice: Leverage multi-cloud and hybrid-cloud strategies—using trusted EU-based providers for sensitive workloads, while ensuring portability and exit options.

d) Enforcement: Making the Data Act Work in Practice

Challenge: Uniform enforcement is critical to trust and legal certainty.

Each Member State must designate at least one competent authority and a “Data Coordinator”—a central point for handling complaints, questions, and cross-border issues (FAQ #67–68).

Recommendation:

Engage proactively with your national Data Coordinator: Clarify points of interpretation, seek guidance on compliance, and participate in feedback mechanisms.
Ensure internal reporting and escalation processes for potential data disputes or breaches.
Stay up-to-date: The European Data Innovation Board will regularly issue guidelines, standard contracts, and technical specifications.

Best Practice: Join industry forums and standardization bodies to help shape evolving best practices—and ensure your company remains ahead of regulatory developments.

Summary: The Data Act’s requirements are ambitious—but so are the rewards. Companies that act early to classify data, modernize contracts, secure cloud and international data flows, and engage actively with enforcement bodies will not only achieve compliance, but also gain a decisive edge in Europe’s new data economy.

6. Conclusion: Data Act & AI Governance—The New Bedrock of Digital Competitiveness

Europe’s Strategic Edge in a Data-Driven World

The implementation of the EU Data Act marks a historic inflection point for Europe’s digital economy. With the data economy projected to surpass €1 trillion in value and support over 10 million jobs by 2030 (European Commission, 2025), Europe is staking its leadership on a foundation of responsible innovation.

But: Compliance alone is no longer enough. Companies that integrate Data Governance—structured management of data rights, quality, and flows—with robust AI Governance—the ethical, legal, and operational control of AI systems—will do more than simply meet regulatory obligations. They will:

Accelerate innovation: Open access to high-quality, interoperable data enables rapid development of new business models, AI-powered products, and digital services.
Build trust and reputation: Transparent data and AI practices address growing public and stakeholder demand for digital responsibility—72% of EU consumers say trust is the decisive factor in choosing digital providers (Eurobarometer, 2024).
Future-proof growth: Organizations with best-in-class data and AI governance are 40% more likely to achieve sustainable, long-term revenue growth (Capgemini Research, 2025).

The Simple Truth—And the Strategic Imperative

Without the Data Act, there is no robust, compliant, and future-ready data foundation. Without AI Governance, there is no trustworthy, auditable, or socially accepted AI. Only together can they unlock the next generation of value creation in Europe’s—and the world’s—digital economy.

The Data Act ensures every business, from startups to multinationals, can access, share, and leverage data—securely and fairly.
AI Governance ensures that every data-driven decision is explainable, fair, and aligned with European values.

Those who act strategically today will not just survive Europe’s regulatory wave—they will lead the digital transformation, set global standards, and secure their place at the heart of tomorrow’s value chains.

Ready to Lead in the Era of Responsible Data and AI?

Making your organization fit for the Data Act and AI Governance is not a checkbox exercise—it’s a strategic investment in innovation, trust, and sustainable growth.

Contact me for:

Tailored assessments to benchmark your current state
Advisory on aligning your data and AI governance
Hands-on workshops for your teams and leadership
Best practices, model contracts, and compliance toolkits

Let’s shape the future—responsibly, competitively, and together.