If we were to explain the European Data Act through an analogy, we could describe it as “the GDPR for machine data.”
As we know, the General Data Protection Regulation (GDPR) clearly establishes that personal data belongs to the individual concerned and may only be freely shared by its owner (the data subject). Any other party that gains access to such data is required to comply with specific rules regarding confidentiality, processing, and the return or deletion of the data upon the owner’s request.
Similarly, the Data Act establishes that all data generated by any digital automated system or machine (the regulation extends well beyond industrial applications) belongs to the user of the machine (the User), who must be free to use it and share it with any third party at no cost. Any recipient of such data is subject to specific obligations, including returning or deleting the data upon the User’s request and refraining from using it for purposes that have not been previously agreed upon.
This regulatory approach is further confirmed by the fact that enforcement and dispute resolution for both the GDPR and the Data Act fall under the responsibility of the national Data Protection Authorities. The penalties for non-compliance with the Data Act are also substantial, reaching up to 4% of the manufacturer’s annual worldwide turnover. Furthermore, if a manufacturer fails to remedy identified non-compliance, the competent authority may prohibit the sale of the non-compliant products within the European market.
Although these principles appear reasonable and broadly acceptable, they carry significant technical and economic consequences that manufacturers of industrial automation equipment—whether based on PLCs, CNCs, or even simple microcontrollers capable of generating data—must carefully assess.
Commercial Implications for Machine Manufacturers
Let us first examine the commercial impact on the business models that OEMs may have developed around telemetry data collected from the machines they manufacture or sell.
The first key requirement is that all data generated by the machine must be made freely accessible to the User, either directly through standard communication protocols (such as OPC UA, MQTT, etc.) available on the machine itself or, where this is not technically feasible, through a cloud platform, at least in the form of downloadable files.
Manufacturers that have adopted closed vertical machine-to-cloud architectures may face significant economic challenges. Even when the customer does not subscribe to remote monitoring services or purchase spare parts, manufacturers are still required to store and make machine data available throughout the machine’s expected lifetime using cloud infrastructures, which often involve considerable operational costs.
As a result, implementing an open communication protocol directly on the machine becomes essential to minimize the cost of making data available to users. These costs, however, can never be completely eliminated because, under both the new Machinery Regulation and the Cyber Resilience Act, this software component must also be maintained and updated for at least five years or throughout the expected service life of the machine.
Technical Implications
From a technical perspective, manufacturers must fundamentally redesign their industrial machines before the end of 2026 to avoid the severe penalties described above.
For the first time, machine manufacturers are required to implement data governance for the information generated by the electronic systems they install. More importantly, this governance must be placed under the User’s control. Users must be able to independently decide how, when, and with whom to share their data, without requiring the manufacturer’s intervention and without incurring additional costs.
Simply providing a modern communication protocol such as OPC UA, MQTT, or REST—with authentication capabilities—is not sufficient to achieve Data Act compliance.
Manufacturers must also ensure that Users are able to create, modify, and manage user accounts and credentials for these services. In many cases, however, these protocols are managed directly by PLCs or CNC controllers whose administrative access is rarely shared with the end user.
This represents one of the most critical challenges. Manufacturers remain responsible for the automation software, cybersecurity, functional safety, and overall performance of their machines. Granting administrative access to industrial control systems would expose them to significant risks, including cybersecurity threats and the potential theft of valuable intellectual property.
The Strategic Role of Next-Generation IoT Gateways
In this new regulatory landscape, next-generation IoT gateways become indispensable. Their role extends far beyond traditional remote service applications, connectivity to proprietary cloud platforms, or simple protocol conversion.
A Data Act-ready IoT Gateway is increasingly delivered as a containerized application running directly on modern controllers, industrial switches, routers, HMIs, or industrial PCs. It establishes a clear separation between what remains under the manufacturer’s responsibility and ownership and the orchestration of telemetry data that belongs to the User.
It is worth noting that, in future machines, even communications directed toward OEM cloud platforms should pass through the IoT Gateway. This allows Users to determine the amount of data transmitted, adjust transmission frequency, or even completely disable data transmission if they so choose.
To preserve revenue opportunities generated by data-driven services, manufacturers should also ensure that the selected IoT Gateway supports multiple simultaneous outbound connections to different recipients while allowing different subsets of information to be shared with each one. This prevents Users from having to choose a single recipient for their machine data and enables OEM services to coexist with third-party applications.
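The per-recipient sharing described above, sketched as an added example (not taken from the original article or from any gateway product): a User-editable policy with a default-deny tag list, a transmission period and an on/off switch for each outbound connection. The `Share` schema, tag names and recipient names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Share:
    """One outbound connection, configured by the User (hypothetical schema)."""
    recipient: str
    tags: frozenset          # telemetry tags this recipient may receive
    min_interval_s: float    # User-chosen transmission period per tag
    enabled: bool = True     # the User can switch a recipient off entirely
    _last_sent: dict = field(default_factory=dict, repr=False)  # tag -> last send time

    def accepts(self, tag, ts):
        # Default deny: disabled shares and unlisted tags receive nothing.
        if not self.enabled or tag not in self.tags:
            return False
        last = self._last_sent.get(tag)
        if last is not None and ts - last < self.min_interval_s:
            return False  # suppressed by the User's chosen period
        self._last_sent[tag] = ts
        return True

def route(shares, samples):
    """Fan each (ts, tag, value) sample out to every share that accepts it."""
    out = {s.recipient: [] for s in shares}
    for ts, tag, value in samples:
        for s in shares:
            if s.accepts(tag, ts):
                out[s.recipient].append((ts, tag, value))
    return out

# Constructed sample telemetry: (seconds, tag, value)
SAMPLES = [
    (0, "spindle_temp", 41.0), (0, "energy_kwh", 120.1), (0, "cycle_count", 9001),
    (5, "spindle_temp", 41.5), (5, "energy_kwh", 120.2),
    (10, "spindle_temp", 42.1), (10, "cycle_count", 9002),
]

def demo():
    shares = [
        Share("oem-cloud", frozenset({"spindle_temp", "cycle_count"}), 10),
        Share("energy-auditor", frozenset({"energy_kwh"}), 0),
        Share("old-integrator", frozenset({"spindle_temp"}), 0, enabled=False),
    ]
    return route(shares, SAMPLES)

if __name__ == "__main__":
    for recipient, rows in demo().items():
        print(recipient, rows)
```

Because unlisted tags are dropped by default, adding a new signal to the machine does not expose it to any recipient until the User lists it for that recipient.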
Conclusions
The Data Act has been applicable throughout the European Union since September 2025, while the transitional period for the first obligations described above will end in October 2026.
Many Italian manufacturers appear to have underestimated the impact of this regulation. In contrast, companies in other European countries have already launched significant investment programs to adapt both their products and their business models to the new regulatory framework.