Client Inquiry:
I am responsible for understanding how the EU Data Act applies to data generated by our connected equipment in Europe. The regulatory language feels unclear and keeps shifting, and our legal teams are struggling to interpret what must be shared, at what level of fidelity, and in what format. I need to understand how leading organizations are interpreting the regulation, what requirements are truly in scope, and how to balance compliance with protection of our intellectual property. I am also trying to understand how other industries are preparing and what practical steps we should take now while the guidance is still evolving.
Expert Takeaways:
1. Treat the EU Data Act as a moving target and expect requirements to shift
No organization has a complete or confident interpretation of the act because the EU has not finalized the guidance needed for precise compliance. Member states are still shaping their own interpretations, and technical details will depend on a trusted data framework that is behind schedule. While the ambiguity creates frustration, waiting for full clarity is not an option. Regulators expect organizations to show preparation even before the rules are complete.
Successful organizations are preparing for a range of outcomes rather than anchoring to a single reading of the law. The most realistic posture is to meet the spirit of the regulation while building foundations that can adapt once the details solidify.
Key Insights:
- Member states have not aligned, which guarantees delays and uneven enforcement
- Many details depend on a Trusted Data Framework that remains unfinished
- The practical requirement is to show readiness and progress rather than perfect compliance
- A posture of good faith and documented preparation strengthens defensibility
- Early groundwork reduces the disruption when final requirements are released
2. Protect IP and personal data with a defensible, risk-based approach
The act does not clearly define what counts as raw data, processed data, or derived data. Organizations will need positions they can defend to regulators, and those positions must be built with legal, privacy, and security at the table. When in doubt, assume that any data that can reveal an operator, customer, location, or specific machine must be treated as personal or sensitive.
This includes images, sensor readings, diagnostics, equipment identifiers, timestamps, and logs. Leaders should expect regulators to scrutinize how personal data is removed or transformed and whether the organization can prove that the shared data cannot be traced back to a person or a specific identifiable asset.
Key Insights:
- Images, video, telemetry, and identifiers often contain personal or sensitive information
- Legal and privacy teams must determine what is appropriate to share and what requires pseudonymization
- Raw images should not be shared unless they are proven to be free of identifiable elements
- Aggregate or generalized versions of sensitive data reduce risk while meeting regulatory intent
- A consistent, legally vetted stance becomes the primary line of defense
3. Build a unified data governance foundation before addressing technical compliance
Compliance with the EU Data Act depends on having strong, enterprise-wide data governance. Organizations must know exactly what data they produce, where it resides, how it flows across systems, and who is responsible for it. Without this foundation, technical compliance work becomes unmanageable.
IoT and connected equipment environments create additional complexity because data flows across embedded systems, cloud platforms, partner networks, and downstream applications. Mapping these flows is essential for understanding what is being generated and how it is transformed along the way. This work also prepares the organization for related regulations that require transparency into how automated systems operate.
Key Insights:
- A complete and accurate data inventory is the most important asset for compliance
- Governance must link engineering, AI, legal, privacy, and security
- IoT data pipelines must be mapped end to end to reveal risk and processing logic
- Automated systems require clear documentation of human oversight and interaction
- Strong governance lowers the cost of adapting to future regulations
4. Expect the AI Act, GDPR, and NIS2 to shape obligations as much as the EU Data Act
The EU Data Act cannot be interpreted in isolation. Requirements from GDPR, the AI Act, and NIS2 overlap in ways that surprise many organizations. The combined effect is that connected equipment often qualifies as an AI system, personal data is defined more broadly than most teams expect, and critical infrastructure rules extend to sectors like agriculture and food systems.
Compliance planning must account for these intersections early. Leaders who approach the Data Act as a standalone requirement often discover that adjacent regulations impose obligations that ultimately shape what can be shared and how systems must behave.
Key Insights:
- The AI Act introduces risk categories that determine documentation and oversight
- GDPR treats many machine-generated data points as personal data
- NIS2 expands security obligations for industries tied to food, agriculture, or infrastructure
- Equipment with automated decision making may qualify as an AI system
- Compliance requires coordination across legal, AI, data, security, and engineering
5. Use structured tracking to manage ambiguity and show credible progress
Although the regulation is still evolving, regulators expect organizations to demonstrate structured preparation. Tracking mechanisms help teams manage uncertainty, coordinate decision making, and document progress across legal, engineering, and data functions.
Dashboards are particularly valuable because they show where external dependencies remain unresolved and where internal blockers require attention.
This structure helps executives understand what can be decided now and what depends on future guidance. It also provides a clear record of preparation if regulators ask for evidence of readiness.
Key Insights:
- Track EU Commission updates and anticipated release timelines
- Monitor the privacy and legal review status of data sets under consideration for sharing
- Flag contractual terms that will require revision once obligations are final
- Assess engineering readiness for potential data access and provisioning models
- Visualization creates shared understanding across legal, data, and technical teams