STEELBRIDGE OY / HELSINKI, FI / REG (EU) 2023/2854 DATA ACT · IN FORCE
Compliance·2026-04-30·6 min

The True Cost of Compliance — And Why It's Worth Every Euro

When companies start calculating the cost of EU Data Act compliance, they typically get it wrong — in both directions. The real costs are different from what most teams estimate. So is the real upside.

Compliance budgets are usually built backwards. Finance asks engineering for a number, engineering quotes the implementation work they can see, and the resulting estimate misses most of the real cost. It also misses most of the real return.

The visible costs

The obvious compliance costs are engineering time and legal review. Building consent management flows, designing access APIs that meet the Data Act’s technical requirements, implementing audit logging, creating data contract infrastructure — these are real, significant engineering investments. For a mid-sized IoT manufacturer, the build-it-yourself approach typically runs to several hundred thousand euros in engineering time and six to twelve months on the critical path.

Add ongoing legal costs — counsel reviewing data sharing agreements, monitoring regulatory guidance, advising on trade-secret protections — and the annual maintenance cost of a homegrown compliance implementation starts to look substantial.

The hidden costs of getting it wrong

The compliance costs that don’t appear in most estimates are the opportunity costs and error costs of getting it wrong. The Data Act’s enforcement mechanism includes fines of up to 2% of global annual turnover for violations of its data access and portability provisions. For a company with €50M in revenue, that’s up to €1M per violation.

More damaging in practice is the commercial cost: a compliance failure in a major enterprise deal. Enterprise customers — particularly in regulated industries like energy, healthcare, and automotive — are beginning to require Data Act compliance attestations from their IoT suppliers. A failure to comply doesn’t just expose you to regulatory risk; it blocks your ability to win and retain enterprise business.

"Non-compliance is not a cost-saving strategy. It is a deferred liability with compounding interest — paid in fines, lost deals, and engineering rework."
Steelbridge · Compliance

The ROI calculation

Done correctly, compliance investment has a measurable return. The most direct return is deal access: the enterprise IoT market increasingly runs through procurement processes that include compliance questionnaires. Companies with documented compliance infrastructure pass these gates; companies without it don’t.

The second return is operational efficiency. The access APIs, consent management, and data contract infrastructure that the Data Act requires are the same infrastructure that enables premium data products, data sharing partnerships, and eventually data monetization. Compliance infrastructure is product infrastructure.

Infrastructure changes the math

The build-vs-buy calculation for compliance infrastructure has shifted significantly since the Data Act came into force. Managed compliance platforms handle the engineering complexity, maintain regulatory currency as guidance evolves, and provide the audit trail needed for enterprise customers and regulators — at a fraction of the cost and timeline of building equivalent capability internally.

For most companies, the right question isn’t "how much does compliance cost?" It’s "what’s the fastest path to a compliance posture that opens the enterprise market?" That’s a different, and significantly more tractable, question.


About Steelbridge

Steelbridge Oy is a Helsinki-based compliance infrastructure company. Our platform handles the technical and legal obligations of the EU Data Act as a managed service, enabling IoT and connected-device manufacturers to go live in weeks rather than months.

Contact: contact@steelbridge.fi

Steelbridge Team
Steelbridge Oy · Helsinki