Data Act implementation for IoT manufacturers and machine builders: from data analysis to API implementation. Practical solutions before 12 September 2025.
Overview of requirements for manufacturers
The Data Act obliges manufacturers to grant users and authorized third parties access to the data generated by their products. This includes both technical and legal requirements.
On the technical side, manufacturers must provide secure, standardized interfaces through which data can be retrieved in machine-readable formats. Authentication and authorization for access must be ensured without compromising the security of the overall systems.
Legally, manufacturers are required to document data structures, define clear terms of use, and be transparent about which data is available. The scope covers all connected products that generate data about their use or environment.
Many manufacturers underestimate the scope of the data access and documentation obligations. If you want to clarify which requirements the Data Act specifically triggers for your products, a short orientation conversation can help.
Practical implementation using the example of a connected machine
Consider an industrial machine connected to the Azure IoT platform via MQTT. Currently, sensor data, operating parameters and maintenance information flow over MQTT to Azure IoT Hub in the cloud. These data are used internally for optimization and predictive maintenance.
For the Data Act, the manufacturer must develop additional APIs that allow customers to access this data. For example, a REST API could provide endpoints for operating data, energy consumption and maintenance history. Authentication can be done via OAuth 2.0 or API keys issued to authorized users.
The Azure platform offers various approaches here: Azure API Management can act as a gateway handling both authentication and rate limiting. Low-code solutions can also be developed via Power Platform to allow customers to integrate the data into their own systems without deep technical knowledge.
When implementing, manufacturers must distinguish between user APIs for product owners and third-party APIs for authorized services. Data filtering plays a critical role—not all internal data are relevant or accessible to external users.
Central challenges and approaches
In addition to the technical implementation tasks, manufacturers face three fundamental challenges that the Data Act only partially defines. These legal uncertainties require pragmatic solutions and close coordination between technical and legal aspects.
What counts as relevant data?
One of the biggest uncertainties of the Data Act lies in the definition of “relevant data.” The wording of the law remains deliberately vague and leaves concretization to practice and case law. For manufacturers, this means legal uncertainty.
In practice, a conservative interpretation is advisable: all data that could be relevant for the function, maintenance or optimization of the product should be made accessible. For industrial machines, this typically includes operating data, sensor measurements and status reports. Internal configuration data or algorithm parameters can, however, be classified as not relevant.
Exchange with industry associations and other manufacturers helps to develop common interpretation guidelines. Legal certainty will only arise through initial court rulings or regulatory clarifications.
> “Data”: any digital representation of acts, facts or information as well as any compilation of such acts, facts or information, including in the form of audio, image or audiovisual material;
>
> Article 2 – Definitions
The distinction between relevant data, trade secrets and internal information is not legally clear. We are happy to discuss, without obligation, how to draw a pragmatic and robust line here.
Intellectual property and trade secrets
The Data Act provides exceptions for trade secrets but does not clearly define where the boundaries lie. Manufacturers must distinguish between valuable IP information and harmless operating data.
Technically, this can be solved by multi-level data classification: publicly accessible data, customer-accessible operating data and internal trade secrets are handled separately. APIs can selectively expose only certain data categories.
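The multi-level classification described above, combined with the earlier split between user APIs and third-party APIs, can be enforced as a deny-by-default response filter. This is an added example, not code from the original page; the field names, audience names and the per-field grant model are assumptions made for illustration.

```python
from enum import IntEnum

class Tier(IntEnum):
    PUBLIC = 0      # publicly accessible data
    OPERATING = 1   # customer-accessible operating data
    INTERNAL = 2    # internal trade secrets, never exposed by any API

# Hypothetical field catalogue; every exported field must be listed here.
CATALOGUE = {
    "model": Tier.PUBLIC,
    "spindle_temp_c": Tier.OPERATING,
    "energy_kwh": Tier.OPERATING,
    "maintenance_history": Tier.OPERATING,
    "control_loop_gains": Tier.INTERNAL,
}

# Highest tier each audience may read (assumed audience names).
CEILING = {"anonymous": Tier.PUBLIC, "owner": Tier.OPERATING,
           "third_party": Tier.OPERATING}

def filter_record(record, audience, granted=frozenset()):
    """Split one telemetry record into (exported, withheld field names).

    Deny by default: unknown audiences and unclassified fields export
    nothing. A third party reads OPERATING fields only when the product
    owner has granted that field; a grant never lifts the tier ceiling.
    """
    ceiling = CEILING.get(audience)
    exported, withheld = {}, []
    for field, value in record.items():
        tier = CATALOGUE.get(field)
        allowed = ceiling is not None and tier is not None and tier <= ceiling
        if allowed and audience == "third_party" and tier > Tier.PUBLIC:
            allowed = field in granted
        if allowed:
            exported[field] = value
        else:
            withheld.append(field)  # log server-side, never return to caller
    return exported, sorted(withheld)

# Constructed sample record, including a field that firmware added
# without anyone classifying it.
SAMPLE = {
    "model": "MX-200",
    "spindle_temp_c": 61.5,
    "energy_kwh": 12.4,
    "control_loop_gains": [0.8, 0.1, 0.02],
    "debug_trace_id": "a1b2",
}
```

Because unclassified fields are withheld, a new telemetry field stays internal until someone assigns it a tier, which keeps the classification decision with the people responsible for it rather than with whoever ships the firmware.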
Legally, terms of use and NDAs should govern the handling of provided data. For sensitive industrial applications, an additional contractual layer with stricter confidentiality clauses may be advisable.
Documentation obligations
The Data Act requires comprehensive documentation of the provided data. This includes technical specifications of the APIs, descriptions of data structures and their meaning, as well as information on update cycles.
Manufacturers must provide documentation understandable to both technical integrators and end users. API specifications should be machine-readable (for example in the OpenAPI format), while user manuals explain practical usage.
Versioning is particularly challenging: if the provided data or their structures change, this must be documented and communicated. Structured change management is therefore essential.
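One way to support the change management described above is to diff the documented data dictionary between two releases and derive the changelog and version bump from it. This is an added example, not code from the original page; the field names, the `update_interval_s` attribute and the rule for what counts as breaking are assumptions.

```python
# Attributes whose change breaks consumers vs. ones that only need notice
# (assumed policy; the page does not define these categories).
BREAKING_ATTRS = ("type", "unit")
NOTICE_ATTRS = ("update_interval_s",)

def diff_schema(old, new):
    """Return (severity, field, detail) tuples, ordered by field name."""
    changes = []
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            changes.append(("breaking", name, "field removed"))
        elif name not in old:
            changes.append(("additive", name, "field added"))
        else:
            for attr in BREAKING_ATTRS + NOTICE_ATTRS:
                before, after = old[name].get(attr), new[name].get(attr)
                if before != after:
                    severity = "breaking" if attr in BREAKING_ATTRS else "notice"
                    changes.append((severity, name, f"{attr}: {before!r} -> {after!r}"))
    return changes

def next_version(current, changes):
    """Bump MAJOR on any breaking change, MINOR on any other change."""
    major, minor = (int(part) for part in current.split("."))
    if any(severity == "breaking" for severity, _, _ in changes):
        return f"{major + 1}.0"
    return f"{major}.{minor + 1}" if changes else current

# Constructed data dictionaries for two releases of the same API.
V1 = {
    "spindle_temp_c": {"type": "number", "unit": "degC", "update_interval_s": 10},
    "energy_kwh": {"type": "number", "unit": "kWh", "update_interval_s": 60},
    "door_open": {"type": "boolean", "unit": None, "update_interval_s": 1},
}
V2 = {
    "spindle_temp_c": {"type": "number", "unit": "K", "update_interval_s": 10},
    "energy_kwh": {"type": "number", "unit": "kWh", "update_interval_s": 300},
    "vibration_rms": {"type": "number", "unit": "mm/s", "update_interval_s": 10},
}

if __name__ == "__main__":
    found = diff_schema(V1, V2)
    for severity, field, detail in found:
        print(f"[{severity}] {field}: {detail}")
    print("next version:", next_version("1.3", found))
```

A unit change is treated as breaking even though the JSON type stays `number`, since consumers would silently misread the values.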
Further critical aspects
Beyond the fundamental implementation challenges, manufacturers must consider additional compliance requirements. These particularly affect IT security, international operations and the economic impacts of Data Act implementation.
Data security and compliance
Opening up data streams must not create security vulnerabilities. APIs must be robust against attacks and must not allow unauthorized access to internal systems. Rate limiting and monitoring are therefore indispensable.
At the same time, GDPR requirements must be observed if personal data are processed in IoT systems. The combination of the Data Act and the GDPR requires special care in implementation.
International challenges
Globally active manufacturers must consider that cloud services are often operated outside the EU. Azure offers EU regions, but many companies use global deployments. Data residency and transfer mechanisms must be designed to comply with the Data Act.
Economic considerations
Implementing the Data Act causes substantial costs for development, operation and maintenance. At the same time, new business models can emerge if data are offered as a service.
Manufacturers should decide early whether they will view the Data Act as a cost factor or as a differentiator. Proactive companies can gain competitive advantages through superior data services.
Strategic approach for implementation
Given the complexity and time pressure, implementing the Data Act requires a structured and pragmatic approach. A three-phase approach has proven effective in practice to systematically meet both legal and technical requirements.
Phase 1: analysis and inventory
The first step is a systematic inventory of all relevant data types in the products. This requires close collaboration between development, product management and the legal department.
A professional legal assessment helps to delimit IP-protected and accessible data. At the same time, the existing technical infrastructure must be analyzed to identify implementation options.
Phase 2: conception and design
Based on the analysis, a Data Act-compliant interface architecture is developed. This includes the API strategy, security concepts and data classification.
The technical specification should be modular to allow future adjustments. At the same time, performance aspects must be considered, as the APIs required by the Data Act will place additional load on existing systems.
Phase 3: implementation and validation
Implementation should ideally be carried out in stages, with continuous validation of legal conformity. Performance tests and security assessments are essential.
The final documentation must be complete and up to date before the APIs go live. A compliance review by external experts can provide additional assurance.
Given the short time until the deadline, a structured approach is crucial. The combination of technical and legal expertise is indispensable—few companies have all the required competencies in-house.
An iterative approach allows adjustments during development without jeopardizing the schedule. At the same time, important stakeholders such as customers and partners should be involved early in the process.
Recommendations and best practices
Based on initial implementation experience and technical standards, concrete recommendations for successful Data Act implementation can be derived. These are divided into technical and legal aspects that should be considered in parallel.
Technical recommendations
Manufacturers should rely on established standards wherever possible. REST APIs with JSON payloads are widespread and well documented. In industry, standards like OPC UA can simplify integration.
A modular architecture makes it possible to provide basic functionality first and extend it later. Monitoring and logging of API usage are important for operation and potential compliance evidence.
Legal recommendations
Involving legal experts focused on the Data Act is practically indispensable in the current situation. Exchange with industry associations can help develop common interpretation aids.
In addition, pilot projects with selected customers provide valuable experience and reduce implementation risks. At the same time, they build trust with key stakeholders.
Conclusion and outlook
The Data Act presents manufacturers with significant challenges that are hard to manage within the remaining weeks until the deadline without professional support. The complexity of the legal and technical requirements demands specialized expertise. The potential sanctions are substantial: in case of breaches, fines of up to 20 million euros or 4% of worldwide annual turnover can be imposed.
At the same time, the Data Act offers long-term opportunities for new business models and differentiation. Companies that act proactively and use Data Act compliance as a strategic advantage can position themselves accordingly in the market.
Development will continue after the deadline. Case law and regulatory practice will refine the interpretation of the Data Act and may require adjustments.
The Data Act deadline is approaching while many detailed questions remain open. If you need short-term clarity about your status and which next steps are realistic, a non-binding conversation can provide it.