What the EU Data Act Means for Global Telecom Operators

Telecommunications providers are facing a significant regulatory shift with the European Union’s landmark Data Act. Unlike the General Data Protection Regulation (GDPR), which is rooted in safeguarding personal privacy, the Data Act establishes an entirely new paradigm that governs, facilitates and ultimately commoditises the data generated by connected products and machine interfaces.

With its enforcement phased from 11 January 2024 and main provisions active from 12 September 2025, the Act will transform the global data economy and impose broad-reaching obligations on all entities placing products on the EU market or serving EU customers, regardless of domicile.

The act as industrial policy: shifting the balance of power

Rather than serving as a mere technical standard, the Data Act operates as a deliberate instrument of industrial policy. Its ambition is bold: the European Commission estimates that 80% of industrial data in the EU remains untapped, a resource valued to inject as much as US$315bn into the region’s GDP.

By shifting control of data from manufacturers and large incumbent cloud providers, often US or Chinese giants, to the users of connected products and services, particularly EU-based SMEs, the Act aims to rebalance the global data economy.

As Skadden legal experts comment: “The Data Act obliges manufacturers and cloud service providers to review and revise their contractual frameworks and data governance strategies to comply with new obligations. It promotes data sharing and innovation, preventing lock-ins that limit user choice.”

Global impact: strategic dilemmas for non-EU Telcos

The extraterritorial scope of the Data Act is direct and commercially focused. A telecoms enterprise in Brazil, Australia or China will be subject to its provisions simply by offering services or placing connected products on the EU market, for example. Compliance obligations arise immediately due to this "market trigger".

• Brazilian technology firms are faced with a dual compliance burden, needing to reconcile the Data Act’s rules with provisions in Brazil’s LGPD and confronting an asymmetry in SME protections that disproportionately impacts non-EU companies and risks curtailing their competitive edge.
• Australian IoT and medical device manufacturers must meet “access-by-design” mandates, requiring new approaches to product architecture. Australian software firms, however, will spot openings to develop innovative aftermarket services for connected products now regulated for data access.
• Chinese cloud service providers face an ideological and legal clash. EU requirements for cloud flexibility and safeguards against foreign government access directly contradict core features of China’s national laws, likely forcing Chinese companies into costly separation of operations or a shift in strategic focus.

Explaining the key pillars: IoT, cloud and public sector data sharing

IoT data sharing & access-by-design

The spotlight falls on data from connected devices. Users, whether individuals or large enterprises, are now granted rights to access and share all data co-generated by their use of a device. Manufacturers and service providers must ensure the data is readily and securely accessible. Independent service providers can finally compete with original equipment manufacturers, as data monopolies are dismantled.

The “access-by-design” requirement mandates technical changes: products placed on the EU market after 12 September 2026 must intrinsically allow user access to relevant data, shifting compliance into the heart of engineering and design processes.

Cloud market rebalancing & interoperability

The Data Act attacks market lock-in by imposing strict rules on cloud providers (IaaS, PaaS, SaaS). Providers must eliminate egress fees, enable rapid switching and foster interoperability through open standards. Customers, including telecoms companies, are empowered to port data and digital assets freely, sparking greater competition among providers.

Business-to-government data sharing

Public sector bodies and EU institutions gain new powers to access privately held data under “exceptional need” scenarios, such as emergencies or public interest projects. Telcos  must prepare for requests that may include both personal and non-personal data, managing these obligations with robust data protection and trade secret safeguards.

GDPR and data act: Navigating overlap and conflict

Though complementary, the GDPR and Data Act often overlap, especially when datasets contain both personal and machine-generated content.

Organisations must maintain rigorous consent systems and technological solutions for data segmentation. For example, a vehicle fleet owner seeking usage data for insurance purposes will trigger both the Data Act’s right to access and GDPR’s consent and privacy safeguards, demanding sophisticated technical and legal approaches for compliance.

Strategic guidance for global operators

Telecoms businesses cannot afford an ad hoc approach. Compliance must be embedded from product conception to commercial deployment. It impacts engineering, legal and strategic decisions at every level.

The European Commission’s Executive Vice-President for Technological Sovereignty, Security and Democracy, Henna Virkkunen, highlights the need for a unified approach: “Today's dialogue represents the first step in simplifying our digital rules for all citizens and businesses. I look forward to hearing views on how to create an even more cohesive and simple approach to data policy.”

The EU Data Act signals a watershed moment for the connected world, compelling global telcos to rethink how they create, handle and unlock value from industrial and IoT-generated data.