The Data Act has come into effect since September 12, 2025. Its aim is that users gain control over data generated by their connected devices, such as smartwatches and cars. Users can also make this data available to a third-party company, who has the opportunity to use the data to develop innovative after-sales services. We spoke with Rex Leijenaar (Team manager/MT member Telecom and Digital at Netherlands Authority for Consumers and Markets – ACM) and Gijs van Houwelingen (researcher at TNO/CoE-DSC) about this topic.
ACM and the Data Act
ACM is an independent regulator that oversees fair competition, protects consumers and their interests, and regulates specific sectors such as energy, telecommunications, transport, and postal services. It does this by, for example, monitoring markets, investigating possible infringements, and setting rules if appropriate. Since 21 November 2025, the ACM has been the regulator for the Data Act. According to Rex, two tasks in particular stand out: supervising rules on data sharing and the cloud. “We want to make clear what opportunities the Data Act offers companies and what they can do with it. That is why we combine supervision with education.”
In addition, the ACM needs input from the sector to know what is going on in terms of data sharing and cloud. “We are actively engaging in dialogue with companies, especially cloud providers. They have a number of clear obligations – for example, cloud providers must phase out egress fees and they have to provide detailed information about the procedures to switch to another cloud provider – that we want to discuss with parties in the sector. We do this to see to what extent these obligations are already being met and, if not, what still needs to be done by all compagnies/parties that must comply with the Data Act.” Rex invites organisations to get in touch. “If you believe something is not in line with the Data Act, for example because data from a connected product is inaccessible or switching between cloud services is difficult, we would like to hear from you. This gives us a better picture of the problems and questions that are relevant in the sector and that we can act upon.”
Data sharing and switching cloud services are essential
According to Rex, there are two key principles underlying the Data Act. The first is active data sharing. “When it comes to data sharing, the basic principle is that data is shared. ‘You have a right to get data, unless’. How far that ‘unless’ goes will have to be determined in practice.” Rex gives an example: “Say a supplier of climate control systems for greenhouses has developed a system with specific settings to enhance growth of crops. The collected data give insight in these settings, which means sharing it might reveal trade secrets. This in itself does not prevent data sharing, but the parties involved have to agree on measures to protect confidentiality. The ACM is keeping a critical eye, because it should not be a licence to keep data to yourself too easily. If a manufacturer does not want to make confidential business information widely available, the parties involved have to come to an agreement. And if the parties cannot reach an agreement, the ACM can examine whether the invocation of trade secrets is justified, whether the conditions imposed are unreasonable, etc.”
Secondly, the option to switch cloud services is important. Rex says: “Providers of cloud and edge computing services must meet minimum requirements to enable switching. For example provide sufficient information and end switching costs. Contractual barriers should be in line with the Data Act. This will also contribute to efficient data interoperability. Cloud services should be made interoperable, so that systems connect to each other and can communicate with each other. This will enable the parallel use of multiple cloud systems. Here too, we are keen to learn about the challenges the market is facing.”
How data ecosystems can take the pressure off businesses
How do you ensure that you are compliant with the Data Act? According to Gijs, data ecosystems can play a role in this. “A number of data ecosystems have many participants who are active in the SME sector. Some obligations are relaxed for micro/small enterprises. However, the compliance burden is still significant, and they will have more difficulty to become compliant. Data ecosystems can play a central role in this by offering Compliance as a Service. For example, a data ecosystem could provide a standardised API gateway that automatically handles Data Act requirements like user consent management, data portability requests, and secure data transfer protocols. Or they could offer generic building blocks such as pre-built connectors that ensure IoT data flows meet the Act’s technical and legal requirements, so individual companies don’t need to build this from scratch. However, data controllers/processors still retain legal responsibility in such cases, especially where personal data is involved and GDPR prevails.”
Data ecosystems are communities that share knowledge and best practices. According to Gijs, besides offering new services, they can also organise knowledge sharing and best practices effectively at sectoral level. “In principle, the Data Act transcends sectors. But when it comes to e.g. the use of IoT technology in agriculture and mobility, completely different dynamics come into play. For example, what data formats to use, which trade secret claims are typical and legitimate in that sector, and how to handle the specific power dynamics between large manufacturers and smaller service providers. In agriculture, data sharing can involve trade secrets about crop yields and farming techniques, with equipment manufacturers and growers as data holders. In mobility, it can involve sharing vehicle data between car manufacturers, drivers, and independent repair shops, with different technical standards and commercial relationships. Data ecosystems can translate the more generic level to the specific sectoral level.”
Rex agrees with Gijs: “Data ecosystems are a channel for obtaining information and gathering questions that are relevant. Companies can always share compliance issues with the ACM. This gives us a better picture of the problems and questions that are relevant in the sector.”
New value-added services through better access to data
According to Gijs, the Data Act also offers an opportunity for data ecosystems. “Demonstrating the value capture of data ecosystems is a challenge. Many run on subsidies and it is difficult to make the transition to more sustainable revenue models. The Data Act changes this: suddenly, there’s a clear regulatory requirement that businesses must meet, and that’s where data ecosystems can step in with commercial services. If they position themselves well and offer as-a-service models – charging for compliance support, data infrastructure, or quality validation – they can generate revenue while solving a real pain point for their members.” Compliance as a Service is one example – helping companies meet their legal obligations under the Act. But data ecosystems can also offer Data Access as a Service, which is about the technical infrastructure. “Many smaller companies lack the secure, scalable infrastructure needed to actually share data even if they want to comply. Data ecosystems can provide this infrastructure via data spaces, essentially operating the technical ‘plumbing’ for secure data exchange, while individual companies focus on their core business.”
In addition, breaking vendor lock-in has advantages. Rex says: “If you own a car, you are entitled to that data. You can make it available to the garage around the corner, for example, so that they can carry out repairs instead of the brand dealer located further away. This stimulates new aftermarket services. In addition, data sharing should be used to create something new, not to copy something that already exists. Because ultimately, the Data Act is aimed at stimulating innovation.”
Cooperation between sector, data ecosystems and regulator
And what role does the CoE-DSC play in this? One of the strategic goals of the CoE-DSC is to promote cross-sectoral interoperability between Dutch data spaces and the broader European playing field. According to Gijs, many sectoral developments are relatively fragmented. As a result, they are not only technically incompatible, but also legally non-interoperable. “The Data Act provides a common legal baseline across sectors, but we need to ensure that technical implementations are also aligned. The CoE-DSC wants to help improve and strengthen this. We can work more closely with the ACM on this. We recognise the important role that the ACM plays, and our supporters had questions about this. So we invited colleagues from Rex to the Community Meeting in September to discuss the issue and provide explanations. This was very well received.” Gijs continues: “There are lots of ideas about what is possible, but many ideas have not yet been validated in reality. We can work together, each from our own role, to help validate those ideas.” Rex agrees: “We need to engage in regular dialogue with the sector. The CoE-DSC can be very helpful in this regard. This is the type of collaboration we are looking for. We would like to see examples of and exchange ideas about the Data Act and related topics.”
Would you like to know more about the Data Act? Send an email to info@coe-dsc.nl. Would you like to get in touch with the ACM? Please contact them via their website.
