Data Act implementation for IoT manufacturers and machine builders, from data analysis to API implementation. Practical solutions to meet the 12 September 2025 deadline.
Overview of requirements for manufacturers
The Data Act requires manufacturers to grant users and authorized third parties access to the data generated by their products. This includes both technical and legal obligations.
Technically, manufacturers must provide secure, standardized interfaces through which data can be retrieved in machine-readable formats. Authentication and authorization of access must be ensured without jeopardizing the overall security of systems.
Legally, manufacturers are obliged to document data structures, define clear terms of use and make transparent which data are available. The scope extends to all connected products that generate data about their use or environment.
Practical implementation using a connected machine as an example
Consider an industrial machine connected via MQTT to the Azure IoT platform. Sensor data, operating parameters and maintenance information currently flow over MQTT to Azure IoT Hub in the cloud. These data are used internally for optimization and predictive maintenance.
For the Data Act, the manufacturer must develop additional APIs that allow customers to access these data. A REST API could provide endpoints for operating data, energy consumption and maintenance history. Authentication can be implemented using OAuth 2.0 or API keys issued to authorized users.
The Azure platform offers several approaches: Azure API Management can act as a gateway handling both authentication and rate limiting. Low-code solutions can also be developed via Power Platform to enable customers to integrate the data into their systems without deep technical knowledge.
When implementing, manufacturers must distinguish between user APIs for product owners and third-party APIs for authorized services. Data filtering plays a decisive role: not all internal data are relevant or accessible to external users.
Central challenges and approaches
Beyond the technical implementation tasks, manufacturers face three fundamental challenges that the Data Act only partially defines. These legal uncertainties require pragmatic approaches and close coordination between technical and legal teams.
What counts as relevant data
One of the greatest uncertainties of the Data Act lies in the definition of “relevant data.” The text of the regulation remains deliberately vague and leaves concretization to practice and case law. For manufacturers this means legal uncertainty.
In practice, a conservative interpretation is recommended: all data that could be relevant to the function, maintenance or optimization of the product should be made accessible. For industrial machines this typically includes operating data, sensor measurements and status messages. Internal configuration data or algorithm parameters, by contrast, can be classified as not relevant.
Exchange with trade associations and other manufacturers helps to develop common interpretation guidelines. Legal certainty will, however, only arise through initial court rulings or regulatory clarifications.
> "Data": any digital representation of acts, facts or information as well as any compilation of such acts, facts or information, also in the form of audio, image or audiovisual material;
>
> Article 2 - definitions
Intellectual property and trade secrets
The Data Act provides exceptions for trade secrets but does not clearly define the boundaries. Manufacturers must differentiate between valuable IP information and harmless operational data.
Technically, this can be solved through multi-level data classification: publicly accessible data, customer-accessible operational data and internal trade secrets are treated separately. APIs can selectively expose only certain data categories.
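Added example (not from the original article or from any vendor's code): a deny-by-default field filter that combines the three classification tiers above with the owner and third-party audiences from the machine example. The field names, the catalogue, the per-field grant for third parties and the sample message are assumptions constructed for illustration.

```python
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 0       # publicly accessible data
    OPERATIONAL = 1  # customer-accessible operational data
    INTERNAL = 2     # internal trade secrets, never leaves the manufacturer


# Hypothetical field catalogue for one machine type. A field that is missing
# here is treated as INTERNAL, so new telemetry is withheld until classified.
CATALOGUE = {
    "model": Tier.PUBLIC,
    "spindle_temp_c": Tier.OPERATIONAL,
    "energy_kwh": Tier.OPERATIONAL,
    "maintenance_history": Tier.OPERATIONAL,
    "pid_gains": Tier.INTERNAL,
}

# Highest tier each API audience may ever see (assumed policy).
CEILING = {"owner": Tier.OPERATIONAL, "third_party": Tier.OPERATIONAL}


def filter_record(record, audience, granted=None):
    """Split a telemetry record into (exposed, withheld_field_names).

    Third parties additionally need a per-field grant from the owner;
    `granted` is the set of field names in that grant.
    """
    if audience not in CEILING:
        raise PermissionError(f"unknown audience: {audience!r}")
    exposed, withheld = {}, []
    for name, value in record.items():
        tier = CATALOGUE.get(name, Tier.INTERNAL)  # deny by default
        allowed = tier <= CEILING[audience]
        if audience == "third_party" and tier > Tier.PUBLIC:
            allowed = allowed and name in (granted or set())
        if allowed:
            exposed[name] = value
        else:
            withheld.append(name)
    return exposed, sorted(withheld)


# Constructed sample message, as it might arrive from the device.
SAMPLE = {"model": "MX-200", "spindle_temp_c": 61.5, "energy_kwh": 12.4,
          "pid_gains": [0.8, 0.1, 0.05], "debug_trace": "0x3fa2"}

if __name__ == "__main__":
    print(filter_record(SAMPLE, "owner"))
    print(filter_record(SAMPLE, "third_party", granted={"energy_kwh"}))
```

The list of withheld field names can be written to the API audit log, which gives a record of what was filtered for each request without logging the values themselves.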
Legally, terms of use and NDAs should govern the handling of provided data. For sensitive industrial applications, an additional contractual layer with stricter confidentiality clauses may be appropriate.
Documentation obligations
The Data Act requires comprehensive documentation of the provided data. This includes technical API specifications, descriptions of data structures and their meaning, as well as information on update cycles.
Manufacturers must provide documentation understandable both for technical integrators and end users. API specifications should be machine-readable (for example in the OpenAPI format), while user guides explain practical usage.
Versioning is particularly challenging: when provided data or their structures change, this must be documented and communicated. A structured change management process is therefore essential.
Further critical aspects
Beyond the basic implementation challenges, manufacturers must consider additional compliance requirements. These relate in particular to IT security, international operations and the economic impacts of implementing the Data Act.
Data security and compliance
Opening data streams must not create security vulnerabilities. APIs must be robust against attacks and must not allow unauthorized access to internal systems. Rate limiting and monitoring are therefore indispensable.
At the same time, GDPR requirements must be observed if personal data are processed in IoT systems. The combination of the Data Act and the GDPR requires particular care in implementation.
International challenges
Globally active manufacturers must consider that cloud services are often operated outside the EU. Azure offers EU regions, but many companies use global deployments. Data residency and transfer mechanisms must be designed to comply with the Data Act.
Economic considerations
Implementing the Data Act causes significant costs for development, operation and maintenance. At the same time, new business models can arise when data are offered as a service.
Manufacturers should decide early whether to treat the Data Act as a cost factor or a differentiation opportunity. Proactive companies can gain a competitive advantage through superior data services.
Strategic approach to implementation
Given the complexity and time pressure, implementing the Data Act requires a structured and pragmatic approach. A three-phase process has proven effective in practice to systematically meet both legal and technical requirements.
Phase 1: analysis and inventory
The first step is a systematic inventory of all relevant data types in the products. This requires close collaboration between development, product management and legal departments.
A professional legal assessment helps to determine the boundary between IP-protected and accessible data. At the same time the existing technical infrastructure must be analyzed to identify implementation options.
Phase 2: conception and design
Based on the analysis, a Data Act-compliant interface architecture is developed. This includes the API strategy, security concepts and data classification.
The technical specification should have a modular design to allow future adjustments. Performance aspects must also be considered, as the Data Act APIs add extra load to existing systems.
Phase 3: implementation and validation
Implementation should ideally be carried out in stages with continuous validation of legal compliance. Performance tests and security checks are essential.
The final documentation must be complete and up to date before the APIs go live. A compliance review by external experts can provide additional assurance.
Given the short time until the deadline, a structured approach is crucial. The combination of technical and legal expertise is indispensable - few companies have all the required competencies in-house.
An iterative approach allows adjustments during development without endangering the schedule. Important stakeholders such as customers and partners should also be involved early in the process.
Recommendations and best practices
Based on initial implementation experience and technical standards, concrete recommendations for successful Data Act implementation can be derived. These are divided into technical and legal aspects that should be addressed in parallel.
Technical recommendations
Manufacturers should rely on established standards wherever possible. REST APIs with JSON payloads are widespread and well documented. In industry, standards like OPC UA can simplify integration.
A modular architecture makes it possible to provide basic functionality first and expand later. Monitoring and logging of API usage are important for operation and potential compliance evidence.
Legal recommendations
In the current situation, involving legal experts focused on the Data Act is practically indispensable. Exchange with trade associations can help develop common interpretative aids.
Pilot projects with selected customers also deliver valuable experience and reduce implementation risks. At the same time they build trust with key stakeholders.
Conclusion and outlook
The Data Act presents manufacturers with significant challenges that are hard to tackle in the remaining weeks until the deadline without professional support. The complexity of legal and technical requirements demands specialized expertise. Penalties are substantial: fines of up to EUR 20 million or 4% of global annual turnover can be imposed for violations.
At the same time, the Data Act offers long-term opportunities for new business models and differentiation. Companies that act proactively and use Data Act compliance as a strategic advantage can position themselves accordingly in the market.
Development will continue after the deadline. Case law and regulatory practice will clarify the interpretation of the Data Act and may require adjustments.
Your next steps
If you have not yet started implementing the Data Act, immediate action is required. An inventory of your affected products and data flows is the first step.
Given the complexity and time pressure, we recommend professional advice. Focus on the most critical systems and data flows to achieve at least basic compliance by the deadline.
Contact us for Data Act compliance consulting. We support you with legal assessment, technical implementation and strategic positioning so you can use the Data Act not only as a compliance challenge but as a business opportunity.
Further information: www.secuvi.com