STEELBRIDGE OY/HELSINKI, FI/REG (EU) 2023/2854 DATA ACT · IN FORCE
Industrial · 2026-04-18 · 8 min

The Illusion of Compliance: What's Still Missing in Industrial EU Data Act Strategies

Across the industrial IoT landscape, many teams believe they're on their way to Data Act compliance. A close look at what the regulation actually requires reveals a significant gap between what's been built and what's needed.

The illusion of compliance — gaps in industrial EU Data Act strategies

We speak with industrial IoT teams almost every week. When we ask about their Data Act compliance status, we typically hear one of two things: "We’re covered — we have GDPR compliance" or "We’re building internal data governance frameworks." Both answers, in most cases, describe something very different from what the Data Act actually requires.

The GDPR confusion

GDPR compliance is necessary but not sufficient for Data Act compliance. The regulations address different things. GDPR governs the processing of personal data. The Data Act governs the data generated by connected products — most of which is not personal data at all. Machine telemetry, equipment performance logs, energy consumption readings: this is the data the Data Act is primarily concerned with, and GDPR frameworks say almost nothing about how it should be handled.

The most common gap we see: companies have robust processes for managing personal data (user accounts, contact records, consent for marketing) but no architecture at all for the non-personal IoT data their products generate. The Data Act requires them to have one.

What industrial companies are missing

The core requirements of the Data Act for connected product manufacturers break down into four areas: user access rights, third-party data sharing, emergency data availability, and trade-secret protection. Most industrial companies we encounter have addressed none of these in their product architecture.

User access rights under Article 4 require that the data generated by a connected product be accessible to the user of that product — in real time, in a machine-readable format, without friction. For a machine builder whose customers operate the equipment, this means building APIs that let customers retrieve their own machine data directly, without going through the manufacturer’s sales or service team.

"The most dangerous compliance posture is the one that feels complete. The gap between ‘we have a data governance policy’ and ‘we have compliant data access infrastructure’ is where most industrial companies currently live."
Steelbridge · Industrial

The data portability gap

Third-party data sharing under Article 5 is where industrial companies face their most significant architectural challenge. The regulation requires that users can instruct manufacturers to share their data with authorized third parties — maintenance providers, analytics platforms, insurers, industry-specific services. This sharing must happen via standardized APIs, with appropriate access controls, and under documented data contracts.

Building this capability from scratch is a substantial engineering project. It requires designing and maintaining public APIs, implementing OAuth-based authorization flows, creating and enforcing data contract templates, maintaining audit logs for all access events, and building the revocation mechanisms that let users withdraw third-party access. Most industrial engineering teams are not resourced to build and maintain this alongside their core product work.

What real compliance architecture looks like

Genuine Data Act compliance for an industrial IoT manufacturer requires: a consent and access management layer that handles user permissions for their own data; a third-party sharing API that implements the required access controls and authorization flows; a data contract engine that creates, executes, and terminates data sharing agreements; an audit log that records every access event with the granularity needed for regulatory review; and a trade-secret protection mechanism that lets manufacturers designate sensitive parameters as protected while still providing the access the regulation requires.

This is not a policy document. It is a set of running software systems — and they need to work reliably, scale with usage, and remain current as regulatory guidance evolves.
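As an added, self-contained illustration of the mechanics described in the two sections above (the third-party sharing, audit-logging and revocation capabilities, and the five components of a compliance architecture), here is a small Python access broker. It is example code written for this page, not Steelbridge's platform or any product's real API. Everything in it is an assumption: the product id "press-042", its operator "acme-plant", the maintenance provider "maint-co", the telemetry values, and the choice that manufacturer-designated protected parameters are withheld from every response rather than disclosed under confidentiality terms. It models a data contract as a scoped, expiring, revocable grant from the product user to one third party, and writes an audit entry for every grant, revocation and read, whether allowed or refused.

```python
"""Minimal Data Act-style access broker (added example, not the post's own code):
user access to own product data, third-party data contracts, revocation,
per-event audit logging and protected-parameter redaction."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry for one hypothetical connected product.
TELEMETRY = {
    "press-042": {
        "cycle_count": 18432,
        "hydraulic_pressure_bar": 212.5,
        "energy_kwh": 1480.2,
        "control_loop_gain": 0.83,    # manufacturer-designated trade secret
        "firmware_tuning_map": "v7",  # manufacturer-designated trade secret
    }
}
PROTECTED_FIELDS = {"control_loop_gain", "firmware_tuning_map"}  # assumed designation
PRODUCT_USERS = {"press-042": "acme-plant"}  # who operates each product (assumed)
REDACTED = "<protected: trade secret withheld>"


@dataclass
class DataContract:
    """A user's instruction to share a fixed set of fields with one third party."""
    contract_id: str
    product_id: str
    granted_by: str       # the product user who gave the instruction
    third_party: str
    fields: frozenset
    valid_until: datetime
    revoked: bool = False


class AccessDenied(Exception):
    """Raised for any refused request; the refusal is still written to the audit log."""


class AccessBroker:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.contracts = {}
        self.audit_log = []  # one entry per grant, revoke or read attempt

    def _audit(self, actor, product_id, action, fields, outcome, reason=""):
        self.audit_log.append({
            "ts": self.clock().isoformat(), "actor": actor, "product": product_id,
            "action": action, "fields": sorted(fields), "outcome": outcome, "reason": reason,
        })

    def grant(self, contract_id, product_id, granted_by, third_party, fields, ttl_days=30):
        """Create a contract; only the product user may instruct sharing."""
        if PRODUCT_USERS.get(product_id) != granted_by:
            self._audit(granted_by, product_id, "grant", fields, "deny", "not the product user")
            raise AccessDenied("only the product user may instruct sharing")
        contract = DataContract(contract_id, product_id, granted_by, third_party,
                                frozenset(fields), self.clock() + timedelta(days=ttl_days))
        self.contracts[contract_id] = contract
        self._audit(granted_by, product_id, "grant", fields, "allow", f"to {third_party}")
        return contract

    def revoke(self, contract_id, by):
        """Withdraw third-party access; only the granting user may revoke."""
        contract = self.contracts[contract_id]
        if by != contract.granted_by:
            self._audit(by, contract.product_id, "revoke", contract.fields, "deny", "not the granting user")
            raise AccessDenied("only the granting user may revoke")
        contract.revoked = True
        self._audit(by, contract.product_id, "revoke", contract.fields, "allow", contract_id)

    def _active_contract(self, requester, product_id):
        now = self.clock()
        for c in self.contracts.values():
            if (c.third_party == requester and c.product_id == product_id
                    and not c.revoked and c.valid_until > now):
                return c
        return None

    def access(self, requester, product_id, fields):
        """Return the requested fields, redacting protected ones, or refuse and audit."""
        fields = set(fields)
        data = TELEMETRY.get(product_id)
        if data is None or not fields <= set(data):
            self._audit(requester, product_id, "read", fields, "deny", "unknown product or field")
            raise AccessDenied("unknown product or field")
        if PRODUCT_USERS.get(product_id) == requester:
            basis = "user access to own product data (Art. 4)"
        else:
            contract = self._active_contract(requester, product_id)
            if contract is None:
                self._audit(requester, product_id, "read", fields, "deny", "no active contract")
                raise AccessDenied("no active data contract")
            if not fields <= contract.fields:
                self._audit(requester, product_id, "read", fields, "deny", "outside contract scope")
                raise AccessDenied("requested fields outside contract scope")
            basis = f"third-party sharing (Art. 5) under {contract.contract_id}"
        result = {f: (REDACTED if f in PROTECTED_FIELDS else data[f]) for f in fields}
        self._audit(requester, product_id, "read", fields, "allow", basis)
        return result


def demo():
    """Walk through: own read, grant, third-party read, out-of-scope read, revoke, refused read."""
    broker = AccessBroker()
    own = broker.access("acme-plant", "press-042", ["cycle_count", "control_loop_gain"])
    broker.grant("dc-001", "press-042", "acme-plant", "maint-co",
                 ["cycle_count", "hydraulic_pressure_bar", "control_loop_gain"])
    shared = broker.access("maint-co", "press-042", ["cycle_count", "control_loop_gain"])
    try:
        broker.access("maint-co", "press-042", ["energy_kwh"])
        out_of_scope = False
    except AccessDenied:
        out_of_scope = True
    broker.revoke("dc-001", by="acme-plant")
    try:
        broker.access("maint-co", "press-042", ["cycle_count"])
        after_revoke = False
    except AccessDenied:
        after_revoke = True
    return {"own": own, "shared": shared, "out_of_scope_refused": out_of_scope,
            "refused_after_revoke": after_revoke, "audit": broker.audit_log}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The point of the walk-through in `demo()` is that every decision the regulation cares about is made in code and leaves a record: the audit log ends with six entries (four allowed, two refused, each with its reason), the third party never sees a protected parameter even when its contract names one, and a single revocation is enough to close access. A production system would persist the contracts and log, authenticate the requester (the post mentions OAuth-based flows), and add the data-contract terms themselves; none of that is modelled here.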

A better approach

For most industrial manufacturers, the right answer is not to build this infrastructure internally. The compliance requirements are clear enough to be productized — and a managed compliance infrastructure layer that handles these obligations as a service is significantly faster and cheaper than bespoke development. The engineering team can focus on the product; the compliance layer handles the regulation.

The first step is an honest assessment of what’s actually in place. In our experience, most industrial companies are further from compliance than they think — and the gap is addressable faster than they fear.


About Steelbridge

Steelbridge Oy is a Helsinki-based compliance infrastructure company. Our platform handles the technical and legal obligations of the EU Data Act as a managed service, enabling IoT and connected-device manufacturers to go live in weeks rather than months.

Contact: contact@steelbridge.fi

Steelbridge Team · Steelbridge Oy · Helsinki
Tags: Industrial IoT · Compliance Gap · EU Data Act · Architecture