On 27 November the European Council adopted the EU Data Act, a first-of-its-kind law that aims to unlock the value of ‘industrial data’ in the European Union (EU). It will enter into force in early 2024, starting the 20-month clock for companies to comply with its requirements.
This is the culmination of almost four years of work stretching back to the European Data Strategy. Cisco has been engaging throughout the legislative process and welcomes the opportunity to work with regulators, customers, and partners to navigate the next stage.
Read more from our Chief Legal Officer, Dev Stahlkopf, in her blog “Unlocking Industrial Data: The EU Data Act”.
What’s new: data sharing and cloud switching
Laws governing how data is handled aren’t new, but to date they have focused either on opening up government data for reuse or on protecting data. The Data Act, on the other hand, looks to shift the point of data control over to the user and business customers.
The Data Act covers a lot of ground. In this blog, I focus on access, sharing, and use of data generated by connected devices and related services, as well as cloud switching provisions from the Act, and what it means for a company like Cisco and our customers.
Data governance: from challenge to opportunities
The EU Data Act requires device manufacturers to design products and interconnected services to allow customers to access them and to be transparent about what data is being generated by the products about their environment and use, and how that data is being used. To stimulate competition and innovation in after-market services, such as for repair, management and operation of products, users will also be able to share their data with a third party.
From the perspective of a manufacturer of connected devices like Cisco, data governance operations deployed to meet existing data privacy requirements are a good starting point for a new programme. You need to know, and be transparent about, what data you have and how you’re using it. You also need to build in features and controls that allow customers to access and use the data about them and their environment. At Cisco, we pioneered transparency on personal data governance on a product-level basis through our Privacy Data Sheets and Maps.
When designing products, a key aspect is building in standardised interfaces for data accessibility and consumption by customers and third parties they engage. We also see the new data streams as a possible opportunity across our platform suite and encourage our customers to explore their potential.
The Act aims to enable customers to easily migrate from one cloud service provider to another by porting their data and applications in a timely and cost-effective manner and being able to effectively use them in the new environment.
It also covers interoperability between similar applications (‘same service type’), enabling them to work together. For Infrastructure-as-a-Service providers, that means porting of data and applications and facilitating ‘functional equivalence’ in their use in the destination service. For Software-as-a-Service (SaaS) applications, it’s largely about porting customer-generated data and related metadata.
As a SaaS provider, we intend to leverage our Cisco Secure Development Lifecycle and Cisco Cloud Controls Framework as a foundation for structuring the controls and audit artifacts that will enable cloud offers to demonstrate compliance with the requirements.
And to the extent the law encourages businesses to consider multi-cloud strategy, we have a portfolio of products and services to help connect, protect, secure, and consume cloud services.
Next steps: model clauses, standards and more
While the law has been adopted, not all the details on how it will be interpreted and implemented in practice are settled. That’s to be expected for a new area of law.
The EU Data Act will be enforceable in approximately September 2025. In the intervening months, some of the details will be debated and filled in. The issues that need to be addressed include the exact types of data and products in scope and how that is defined in edge cases; how access to data is provided and in what format; and safeguards for data that should not be as readily shared – to ensure trade secrets and personal data are appropriately protected and rights respected. The standards around cloud data portability and interoperability are also not yet mature.
The European Commission has established an Expert Group on B2B Data Sharing and Cloud Contracts, which is working on non-binding model contract terms in these two sections of the law and hopes to deliver results by the end of 2024. The Act also envisages a central standards repository for meeting the cloud portability and interoperability aspects. The Commission will also call on the European standards development organisations to develop the relevant standards.
We look forward to engaging in that work and potentially including the emerging standards in our Cloud Controls Framework.
Preparing for the EU Data Act implementation
Cisco, our customers, our partners, and our peers will have to consider a range of actions to prepare for the regulation and new requirements. While this list isn’t comprehensive, here’s a set of actions to consider:
- Establish a cross-functional team to define and oversee strategy for compliance and opportunities.
- Leverage existing product development, security, and privacy programmes, tools, and processes.
- Identify and document relevant product and cloud data.
- Adopt a process to identify and protect trade secrets.
- Insert data access and portability in product secure development lifecycle processes.
- Adapt data and cloud strategies to leverage opportunities with vendors and products.
- Review and update relevant vendor and customer contracts.
- Monitor or engage in forthcoming guidance and tools for compliance – including model clauses, codes of conduct, and standards.
At Cisco, we believe in the vast opportunities of a responsible data economy. We are committed to contributing to efforts to build on its success.