On November 27, the European Council adopted the EU Data Act. Part of the larger EU Data Strategy to infuse competition and drive more data-driven innovation within the region, the Data Act will make data generated by connected devices and related services (industrial data) accessible to EU consumers and companies.

Rules and regulations around data governance are not new. There are already laws in place to protect personal or classified data and to open up government data for reuse. But the mandate to share industrial data and enforce cloud interoperability, as outlined in the Data Act, are truly novel areas of law.

As a leading technology company that securely connects everything to make anything possible, Cisco has been an active participant in this legislative process, and we look forward to our continued engagement. In the 20-month period between adoption and enforcement, stakeholders will work together on drafting applicable technical standards and specifications; creating appropriate and fair, reasonable, and non-discriminatory contractual terms; and outlining safeguards and protections for data that should not be readily shared (think trade secrets and personal data).

Given the novel aspects of this legislation, there will undoubtedly be additional compliance and design processes created in order to participate in this new data economy. But for organizations with established data governance and cloud compliance programs in place, there is a clear roadmap forward.

Cisco Data Governanace and Cloud Compliance

At its core, the Data Act is driving the three key principles of transparency, fairness, and accountability that underlie responsible privacy practices. The data might be different (personal vs. industrial), but the principles of data governance remain the same.

At Cisco, we take rigorous steps to handle data properly. In 2015, we created a dedicated privacy team to embed privacy by design as a core component of our product development methodologies. This team is responsible for conducting privacy impact assessments (PIA) on our products and solutions as part of the Cisco Secure Development Lifecycle. After completing a PIA, we create a public-facing Privacy Data Sheet to provide transparency around what personal data is being collected, why it’s being used, and how it’s protected.

Our Global Cloud Compliance team established the Cisco Cloud Controls Framework to streamline and operationalize cloud compliance and certification.  It maps relevant standards and provides guidance on supporting audit artifacts for each control.  New standards, such as those that will emerge on cloud portability and interoperability due to the Data Act, can be ingested into the framework.

These building blocks of data governance and cloud design controls can be adapted and leveraged to understand and be transparent about industrial and cloud data, how it’s used, and provide users mechanisms to access it. This evolution of processes is part of Cisco’s approach. We continually re-evaluate privacy, security and cloud design controls against a variety of regulations and industry standards to make sure Cisco products comply with regulatory, market, and customer requirements. And with the EU Data Act, we are committed to doing the same.

Because we recognize transparency is key to trust, as always, we will keep our customers, partners, and stakeholders informed as this work progresses. Together, we will drive data-centric innovation, facilitate fair and open competition, and unlock the value of data to power an inclusive future for all.



Dev Stahlkopf

Executive Vice President

Chief Legal Officer