This article is part of a series
- Part 1: EU Data Act: The Beginning of the End for Cloud Monoculture?
- Part 2: Data Inventories in the EU Data Act: The Democratization of IoT Devices (this article)
A data inventory is a structured, systematic overview of the data resources generated through the use of connected products. What may initially appear to be additional bureaucracy reveals genuine strategic potential for business users upon closer examination:
- Transparency across all IoT and machine data
- Legally compliant use of this data
- Control over sharing with partners or service providers
Modern data principles can help organizations meet legal requirements. Data literacy and a culture of data-driven work are the foundations for turning EU Data Act regulations into tangible organizational advantages.
What obligations do I have as a data-holding company?
This article evaluates the impact of the EU Data Act from technical and organizational perspectives; it cannot and should not replace legal advice. Nevertheless, the most important aspects of the regulation regarding data inventories will be explained to provide an easily understandable, fundamental overview.
The EU Data Act has implications for all manufacturers of connected products. A connected product is defined as a physical device connected to digital systems via the internet or other networks that can continuously generate, receive, or exchange data. Examples include production machinery and smart commercial vehicles. The legislation also covers providers of digital services that complement such products by using the products' data. Small and medium enterprises with fewer than 50 employees and revenue under ten million euros are exempt, unless they are part of a larger player’s supply chain.
Any information generated during use, such as sensor data, telemetry, diagnostic data, and metadata, must be captured and described in a structured data inventory. This allows those who generate the data to request and process it. Access must be provided in machine-readable format without unnecessary barriers and in a non-discriminatory manner via an API or download platform.
Devices and services must be developed so that later data access is technically possible, secure, and efficiently implementable. Interfaces, formats, and access concepts should therefore be considered, planned, and documented from the outset—not only when users demand them. What should be accessible later must be planned that way from the start.
At the same time, the effort required for provision is legally limited. Companies are not obligated to develop new systems or take technically and economically unreasonable measures solely to enable data access. Data provision is only required when technically available and accessible in common formats. Elaborate reconstructions, special formats, or reverse calculations are not required.
Please note the following: The GDPR takes precedence over the Data Act when it comes to personal data. An appropriate legal basis (e.g., consent or contract) is still required for processing or sharing this type of data.
How you handle your own data determines how much effort is required.
Modern approaches to data handling, such as data mesh architecture, can help implement EU Data Act requirements efficiently and robustly.
In a data mesh architecture[1], responsibility for provision and data quality lies where data originates. Data is not merely considered an asset but rather a product. In a data product catalog, development teams maintain a directory of the data they generate or process—the perfect foundation for the data inventory. Instead of central IT bottlenecks, domain teams are responsible for their own data products. The data inventory is not a pure compliance document but an (automatically generated) part of the data product. If I already have a well-maintained data product catalog, the additional efforts for creating the data inventory will likely remain minimal.
Another trend in data governance is data contracts[2], which are frequently, but not exclusively, used in combination with data mesh. The core idea of data contracts is that data usage is based on agreements rather than assumptions. A data contract defines not only the technical structure of a dataset but also its business meaning, validation procedures, and responsibilities. It encompasses more than a pure interface description. This fulfills the central requirements that the EU Data Act places on a data inventory. Additionally, it provides added value in the form of automated validation, versioning, monitoring, and testable interfaces. These are essential for any scalable data provision. If I already use data contracts, I can derive my data inventory from them relatively easily.
Regardless of whether it involves data mesh, data contracts, or something else, it is essential to clearly distinguish between technical and legal ownership when determining responsibility. For instance, a data product owner ensures the technical quality and comprehensibility of the data, while a legal data owner is liable for legally compliant provision and release.
Companies that implement data mesh, data contracts, and clear ownership transform the data inventory obligation into a robust data platform.
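As an added example (not code from this article or from the Data Contract project), the following shows how inventory entries could be derived from data contracts while enforcing the points above: both a technical and a legal owner are named, personal data is only released with a legal basis, and the format is a common machine-readable one. The contract layout, field names, `COMMON_FORMATS`, and the choice to hold back trade-secret fields pending review are assumptions made for illustration.

```python
# Added example: contract layout and field names are hypothetical, not the
# Data Contract Specification or any real project's schema.
COMMON_FORMATS = {"json", "csv", "parquet"}  # assumption: what counts as "common"

CONTRACTS = [  # constructed sample contracts
    {"id": "press-line-telemetry", "technical_owner": "team-press-line",
     "legal_owner": "legal-data-office", "format": "json",
     "fields": [
         {"name": "spindle_temp_c"},
         {"name": "operator_badge_id", "personal": True, "legal_basis": None},
         {"name": "shift_id", "personal": True, "legal_basis": "contract"},
         {"name": "tuning_coefficients", "trade_secret": True},
     ]},
    {"id": "truck-diagnostics", "technical_owner": "team-fleet",
     "legal_owner": None, "format": "vendor-binary",
     "fields": [{"name": "dtc_code"}]},
]


def classify_field(field):
    """Return 'release' or the reason a field is held back."""
    if field.get("personal") and not field.get("legal_basis"):
        return "withheld: personal data without legal basis (GDPR)"
    if field.get("trade_secret"):
        return "withheld: trade secret, needs legal owner review"
    return "release"


def build_inventory(contracts):
    """Derive one inventory entry per contract, plus blocking issues."""
    inventory = []
    for c in contracts:
        issues = []
        for role in ("technical_owner", "legal_owner"):
            if not c.get(role):
                issues.append(f"missing {role}")
        if c.get("format") not in COMMON_FORMATS:
            issues.append(f"format {c.get('format')!r} is not in COMMON_FORMATS")
        decisions = {f["name"]: classify_field(f) for f in c["fields"]}
        inventory.append({
            "dataset": c["id"],
            "release": sorted(n for n, d in decisions.items() if d == "release"),
            "withheld": {n: d for n, d in decisions.items() if d != "release"},
            "issues": issues,
            "publishable": not issues,  # entry is blocked until issues are fixed
        })
    return inventory
```

Running `build_inventory(CONTRACTS)` in a CI step for each contract change keeps the inventory in sync with the contracts and blocks publication of entries that lack an owner or a usable format.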
Regaining data sovereignty – opportunities for IoT device users
Currently, many operators receive their generated machine data only at a high premium or not at all. This leaves efficiency and innovation potential untapped. The EU Data Act aims to change this by enabling and thus democratizing the use of data from data-holding companies' silos.
Specifically, the Data Act enforces fundamentally free and, where technically feasible, continuous access for users of connected devices to their data. Data-holding companies are obligated to offer their customers the data in a common technical format for their own AI, maintenance, or analysis purposes. A data inventory makes transparent what data is available and how to access it.
Non-personal data may, in principle, be freely processed by the using company. This also applies to their own optimizations or new products, as long as no trade secrets or economically sensitive information of the providing company or its technology partners are disclosed or improperly used. Much stricter restrictions apply to third parties with whom a company shares data. For example, they are not permitted to use the data to design a competing connected product. This is also a legitimate reason for refusing to release data.
As is evident, the EU Data Act opens significant opportunities for companies that use connected products. The resulting usage data can be systematically retrieved and analyzed in the future—for example, to optimize processes, products, or investment decisions. Data should already form the basis for business decisions today. The Data Act creates the opportunity to systematically expand and refine this foundation.
However, this doesn’t happen automatically: data-driven work requires appropriate organizational and technical structures and must be an integral part of corporate culture. Employees need data literacy to meaningfully interpret and responsibly use data.
Approaches like the data mesh architecture and data contracts mentioned in the previous section can help promote these competencies and cultural structures by making internally and externally obtained data available, usable, and understandable. However, targeted measures are also required. These include building tool competency, providing continuous training, and actively promoting a cultural shift toward data-driven work.
By the way, the sovereignty strengthened by the Data Act doesn’t only affect the use of connected products. Switching cloud providers should also be facilitated through clear rules for data portability, interoperability, and contract terms.
Learn more about this in Daniel Bornkessel’s article “EU Data Regulation” in this issue of the INNOQ Technology Briefing.
[1] More on Data Mesh architecture can be found at www.datamesh-architecture.com.
[2] You can also find more information on Data Contracts at www.datacontract.com.