Challenges of EU Data Act in Home Appliance business

Adam Kozłowski
Head of Automotive R&D
October 17, 2025

As we started 2026, the EU Data Act (Regulation (EU) 2023/2854), which is now in force across the whole European Union, is mandatory for all “connected” home appliance manufacturers. It has been applicable since 12 September 2025.

Compared to other industries, like automotive or agriculture, the situation is far more complicated. The implementation of connected services varies between manufacturers, and lack of connectivity is not often considered an important factor, especially for lower-segment devices.

The core approaches to connectivity in home appliances are:

  • Devices connected to a Wi-Fi network and constantly sharing data with the cloud.
  • Devices that can be connected through Bluetooth and a mobile app (those devices technically expose a local API, which should be accessible to the owner).
  • Devices with no connectivity available to the customer (no mobile app), but still collecting data for diagnostic and repair purposes, accessible through an undocumented service interface.
  • Devices with no data collection at all (even diagnostic data).

Apart from the last bullet point, all of the mentioned approaches to building smart home appliances require EU Data Act implementation, and those devices are considered “connected products”, even without actual internet connectivity.

The rule of thumb would be: if there is data collected by the home appliance or by the mobile app associated with its functions, it falls under the EU Data Act.

Short overview of EU Data Act

To make the discussion more concrete, it helps to name the key roles and the types of data upfront. In EU Data Act language, the user is the person or entity entitled to access and share the data; the data holder is typically the manufacturer and/or provider of the related service (mobile app, cloud platform); and a data recipient is the third party selected by the user to receive the data. In home appliances, “data” usually means both product data (device signals, status, events) and related-service data (app/cloud configuration, diagnostics, alerts, usage history, metadata), and access often needs to cover both historical and near-real-time datasets.

Another important dimension is balancing data access with trade secrets, security, and abuse prevention. Home appliances are not read-only devices. Many can be controlled remotely, and exposing interfaces too broadly can create safety and cybersecurity risks, so strong authentication and fine-grained authorization are essential. On top of that, direct access must be resilient: rate limiting, anti-scraping protections, and audit logs help prevent major misuse. Direct access should be self-service, but not unrestricted.

Current market situation

As of 01.2026, most home appliance manufacturers (>85% of the 40 manufacturers researched, responsible for 165 home appliance brands currently present on the European market) either provide data access through a manual process (ticket, contact form, email, chatbot) or do not recognize the need to share data with the owner at all.

If we look at the market from the perspective of how manufacturers treat the requirements the EU Data Act imposes on them, we can see that only 12.5% of the 40 companies researched (which means 5 manufacturers) provide full data access with a portal that lets you easily access your data in a self-service manner (green on the chart below). 55% of the companies researched (yellow on the diagram below) recognize the need to share data with their customers, but as a manual service request or email, not in an automated or direct way.

Recognition of EU Data Act

The red group (32.5%) consists of manufacturers which, according to our researchers, do one of the following:

  • do not provide an easy way to access your data,
  • do not recognize the EU Data Act legislation at all,
  • recognize the EDA, but interpret it as not requiring them to share data with device owners.

A contact form or email can be treated as a temporary solution, but it fails to fulfill the next set of requirements around direct data access. Although direct access can be understood differently and can be fulfilled in different ways, a manual request requiring manufacturer permission and interaction is generally not considered “direct”. (Notably, “access by design” expectations intensify for products placed on the market from September 2026.)

API access

We can’t talk about EU Data Act implementation without understanding the current technical landscape. For the home appliance industry, especially high-end devices, the competitive edge is smart features and Smart Home integration support. That’s why many manufacturers already have cloud API access to their devices.

Major manufacturers, like Samsung, LG, and Bosch, allow access to appliance data (for electric ovens, air conditioning systems, humidifiers, or dishwashers) and control of appliance functions. This API is then used by the mobile app (which is a related service in terms of the EU Data Act), or by owners building popular Smart Home systems.

There are two approaches: either the device itself provides a local API through a server running on it (very rare), or the API is provided in the manufacturer’s cloud (most common). The cloud approach makes access from the outside world easier and secures it through the manufacturer’s authentication mechanism, but requires data storage in the cloud.

In the light of the EDA, both approaches can be treated as direct access. The access does not require specific permission from the manufacturer, anyone can configure it, and if all functions and data are available, this might be considered the solution.

Is API access enough?

The unfortunate part is that it rarely is, and for more than one reason. Let’s go through all of them to understand why Samsung, which has the great SmartThings ecosystem, still developed a separate EU Data Act portal for data access.

1. The API does not make all data accessible

The APIs are mostly developed for Smart Home and integration purposes, not with the goal of sharing all the data collected by the appliance or by the related service (mobile app).

Adding endpoints for every single datapoint, especially for metadata, would be costly and not really useful for either customers or the manufacturer. It’s easier and better to provide all supplementary data as a single package.

2. The APIs were developed with device owner in mind

EU Data Act streamlines the data access for all data market participants - not only device owners, but also other businesses in B2B scenarios. Sharing data to other business entities under fair, reasonable and non-discriminatory terms is the core of EDA.

This means that there must be a way to share data with the company selected by the data owner in a simple and secure way. This effectively means that the sharing must be coordinated by the manufacturer, or at least the device should be designed in a way that allows the data to be shared securely, which in most cases requires a separate account or access API for B2B.

3. The API does not make all data accessible

The B2B data access scenarios require a carefully designed consent management system to make sure the owner has full control over the scope of data sharing, the way it’s shared, and with whom. The owner can also revoke the data sharing permission at any time.

This system falls under the purposes of a partner portal, not a Smart Home API. Some of the global manufacturers already have partner portals which can be used for this purpose, but an API alone is not enough.

If API is not enough - what is enough?

The EU Data Act problem is not really a problem of expanding the API with new endpoints. The recommended approach, as taken by the previously mentioned Samsung, is to create a separate portal solving compliance problems. Let’s also briefly look at the potential solutions for direct access to data:

  • Self-service export (download package, machine-readable + human-readable), as long as the export is fast, automatic, and allows the user to access the data as fast as the manufacturer can.
  • Delegated access to a third party (OAuth-style authorization, scoped consent, logs).
  • Continuous data feed (webhook/stream for authorized recipients).

Those are approaches which OEMs currently take to solve the problem.
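One way to model the scoped, revocable consent and the delegated-access option described above, together with the rate limiting and audit logging mentioned earlier. This is an added example, not code from the article or from any manufacturer's platform; the class, scope names, and identifiers are hypothetical, and the scenario data is constructed.

```python
import time
from dataclasses import dataclass

@dataclass
class Grant:
    owner: str
    recipient: str
    device_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

class ConsentRegistry:
    """Deny-by-default consent store; every decision lands in the audit log."""
    def __init__(self, max_requests=3, window_s=60.0, clock=time.time):
        self._clock, self._max, self._window = clock, max_requests, window_s
        self._grants = {}   # grant_id -> Grant
        self._hits = {}     # recipient -> timestamps of recent requests
        self.audit = []     # append-only: (time, actor, action, device, detail)

    def _log(self, actor, action, device_id, detail):
        self.audit.append((self._clock(), actor, action, device_id, detail))

    def grant(self, owner, recipient, device_id, scopes, ttl_s):
        gid = len(self._grants) + 1
        self._grants[gid] = Grant(owner, recipient, device_id,
                                  frozenset(scopes), self._clock() + ttl_s)
        self._log(owner, "grant", device_id, f"{recipient}:{sorted(scopes)}")
        return gid

    def revoke(self, owner, grant_id):
        g = self._grants.get(grant_id)
        if g is None or g.owner != owner:   # only the granting user may revoke
            self._log(owner, "revoke-denied", "?", str(grant_id))
            return False
        g.revoked = True
        self._log(owner, "revoke", g.device_id, str(grant_id))
        return True

    def _rate_limited(self, recipient):
        # Sliding window per recipient; rejected requests count as well.
        now = self._clock()
        recent = [t for t in self._hits.get(recipient, []) if now - t < self._window]
        self._hits[recipient] = recent + [now]
        return len(recent) >= self._max

    def authorize(self, recipient, device_id, scope):
        if self._rate_limited(recipient):
            decision = (False, "rate_limited")
        else:
            decision, now = (False, "no_consent"), self._clock()
            for g in self._grants.values():
                if (g.recipient, g.device_id) != (recipient, device_id):
                    continue
                if g.revoked:
                    decision = (False, "revoked")
                elif now >= g.expires_at:
                    decision = (False, "expired")
                elif scope not in g.scopes:
                    decision = (False, "scope_not_granted")
                else:
                    decision = (True, "ok")
                    break
        self._log(recipient, "access", device_id, f"{scope}:{decision[1]}")
        return decision

def demo():
    """Constructed scenario: a repair shop granted read-only diagnostics on one oven."""
    now = [1000.0]  # fake clock so the run is deterministic
    reg = ConsentRegistry(clock=lambda: now[0])
    gid = reg.grant("owner-1", "repair-shop", "oven-42", {"diagnostics:read"}, 3600)
    def ask(device, scope):
        return reg.authorize("repair-shop", device, scope)
    out = [ask("oven-42", "diagnostics:read"),   # within consent
           ask("oven-42", "control:write"),      # remote control was never granted
           ask("fridge-7", "diagnostics:read"),  # different device, no grant
           ask("oven-42", "diagnostics:read")]   # fourth request inside the window
    now[0] += 61                                 # window passes, owner withdraws consent
    reg.revoke("owner-1", gid)
    out.append(ask("oven-42", "diagnostics:read"))
    return out, reg.audit
```

Read and control scopes are kept separate so that consent to share diagnostics never implies permission to operate the appliance.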

Other challenges bound to home appliance market

Home appliance connectivity is different from the automotive market. Because devices are bound to Wi-Fi or Bluetooth networks, or in rare cases smart home protocols (ZigBee, Z-Wave, Matter), they are not moving and changing owners that often.

The device ownership change happens only when the whole residence changes owners, which is either the specific situation of businesses like AirBnB, or current owners moving out - which very often means the Wi-Fi and/or ISP (Internet Service Provider) is changed anyway.

On the other hand, it is hard to point at the specific “device owner”. If there is more than one resident, so effectively any scenario outside a “single-person household”, there is no way to effectively separate the data applicable to specific individuals. Of course, every reasonable system would create a check box or notification stating that the data can only be requested when there is a legal basis under GDPR, but selecting the correct user or admin to authorize data sharing is challenging.

From the business perspective, the challenge also arises from the fact that there are white label OEMs manufacturing for global brands in specific market segments. A good example here is the TV market: to access the system data there can be a Google/Android access point, while diagnostic data is separate and should be provided by the manufacturer (which can be the brand selling the device, but not always). If you purchase a TV branded by Toshiba, Sharp, or Hitachi, it can be all manufactured by Vestel. At the same time, other home appliances with the same brand can be manufactured elsewhere. Gathering all the data and helping users understand where their data is can be tricky, to say the least.

One other important challenge is the broad spectrum of devices with different functions and collecting different signals. This requires complex data catalogs, potentially also integrating different data sources, and different data formats. It’s not uncommon for users to purchase multiple different devices from the same brand and request access to all data at once. The user shouldn’t have to guess whether the brand, OEM, or platform provider holds specific datasets - the compliance experience must reconcile identities and data sources to make it easy to use.

Conclusion

Navigating the EU Data Act is complicated, no matter which industry we focus on. When we were researching the home appliance market, we saw very different approaches - from a state-of-the-art system created by Samsung, compliant with all EDA requirements, to manufacturers who explain in the user manual that to “access the data” you need to open system settings and reset the device to factory settings, effectively removing the data instead of sharing it. The market as a whole is clearly not ready.

Making your company compliant with the EU Data Act is not that hard. The overall idea and approach are similar regardless of which industry you represent, but building or procuring a new system to fulfill all requirements is a must for most manufacturers.

That’s why Grape Up designed and developed Databoostr, the EU Data Act compliance platform which can be either installed on customer infrastructure, or integrated as a SaaS system. This is the quickest and most cost-effective way to become compliant, especially considering the shrinking timeline, while also enabling data monetization.

EU Data regulations decoded: Expert solutions for IoT compliance and growth

IoT manufacturers are continuously advancing the potential of connected devices. By 2025, the global expansion of IoT is projected to generate nearly 80 zettabytes of data annually (1), highlighting the immense scale and complexity of managing this volume.

However, with innovation comes the challenge of navigating Europe’s regulatory landscape.

Three key EU data regulations – the Data Governance Act (DGA) (2), the EU Data Act (3), and the General Data Protection Regulation (GDPR) (4) – outline how businesses must handle, share, and protect both personal and non-personal data.

This article explains how these regulations work together and how IoT manufacturers can comply while opening new business opportunities within this legal framework.

Explaining the EU Data Act

The EU Data Act, set to be fully implemented in 2025, seeks to ensure fairness and transparency in the data economy. It gives users and businesses the right to access and control data generated by IoT devices, promoting innovation and fair competition.

  • User control over data: The EU Data Act allows users (and businesses) to authorize the sharing of their device-generated data with third-party service providers. This requires IoT manufacturers to build systems that enable users to easily request and manage access to their data.
  • Mandatory data sharing: In certain cases, IoT manufacturers will be required to share data with other businesses when authorized by the user. For example, third-party service providers may need access to this data. In B2B scenarios, manufacturers can request reasonable compensation for providing the data.

This regulation is particularly relevant in industries like automotive and smart cities, where multiple stakeholders rely on shared data. A connected car manufacturer, for instance, must ensure users can authorize access to their vehicle data for services like maintenance or insurance.

Introduction to the Data Governance Act

The DGA, effective since September 2023, is all about creating a trustworthy, neutral data-sharing system. It focuses on two key areas: data intermediation services and data altruism.

  • Access to public sector data: The DGA allows businesses to reuse data from public sector bodies, such as healthcare, transportation, and environmental data. This provides access to high-quality data that can be used to develop new products, services, and innovations.

Example: A company developing AI-based healthcare solutions can use anonymized public health data to create more accurate models or treatments.

  • Data intermediation services: Intermediaries are neutral third parties that help exchange data between IoT manufacturers and other data users (like third-party service providers) under B2B, C2B, and data cooperative models.

The idea emerged as an alternative to big tech platforms monopolizing data-sharing. The goal? To provide a secure and transparent space where personal and non-personal data can be shared safely.

Example: A smart home manufacturer might team up with a data intermediary to help users share energy data with utility companies or researchers looking into energy efficiency.

Manufacturers cannot act as intermediaries directly, but they can partner with or establish separate entities to manage data exchanges. If they create these intermediaries, the entities must function independently from the core business. This separation ensures data is handled fairly and transparently without commercial bias.

The goal is to build trust - intermediaries are only there to facilitate secure, neutral connections between data holders and users without using the data for their own benefit.

  • Data altruism: This is all about voluntary data sharing for the public good. Think research or environmental projects. IoT manufacturers can give users the option to donate their data, opening the door to collaborations with research bodies or public organizations.

The DGA's core focus is building user trust by ensuring data transparency, security, and fairness, whether through neutral intermediaries or data shared for a greater cause.

Key GDPR rules every business should know

The GDPR, in effect since 2018, sets strict rules for how businesses collect, store, and process personal data, including data from IoT devices.

  • User consent and transparency: IoT manufacturers must obtain explicit user consent before collecting or processing personal data, such as health data from wearable devices or location data from connected cars. Transparency about how this data is used is also required.
  • Data security and privacy: Manufacturers must implement robust security measures to protect personal data and adhere to data minimization principles - only collecting what’s necessary. Additionally, they must uphold user rights, such as providing access to their data, supporting data portability, and allowing users to request erasure (the right to be forgotten).

For example, wearable device manufacturers need to ensure the security of personal data and offer users the ability to request the deletion of their data if they no longer wish for it to be stored.

How the DGA, EU Data Act, and GDPR work together

These three EU data regulations create a well-rounded framework for managing both personal and non-personal data in the IoT space.

  • The DGA: The Data Governance Act creates neutral, secure data-sharing ecosystems, promoting transparency and fairness when multiple parties exchange data through trusted intermediaries.
  • The EU Data Act: This regulation complements the DGA by giving users control over the data generated by their devices, allowing them to request that it be shared with third-party service providers. In certain B2B cases, the data holder may request fair compensation for providing access to the data.
  • The GDPR: The GDPR adds strong protections for personal data. When personal information is involved, it ensures that users’ privacy and rights are respected.

Example:

Imagine a smart agriculture company that manufactures sensors to monitor soil and weather conditions.

Under the DGA, the company can work with neutral intermediaries to securely share aggregated environmental data with researchers studying climate change, maintaining transparency and fairness in the exchange.

At the same time, the EU Data Act allows farmers who use these sensors to maintain control over their data and request that it be shared with third-party services like equipment manufacturers or crop analytics firms. In certain B2B cases, the smart agriculture company can ask for fair compensation for sharing aggregated data insights.

If personal data is involved - such as specific information about a farm or farmer - the GDPR governs how this data is processed and shared, requiring user consent and protecting the farmer’s privacy throughout the process.

How IoT manufacturers adapt to EU data regulations

Implement robust data protection measures: Secure personal data with strong encryption, access controls, and anonymization. Obtain explicit user consent, ensure compliance with access and erasure requests, and support data portability. Processes for timely responses to data requests and identity verification are crucial.

Build systems for data access and sharing: Create mechanisms for users to easily share or revoke access to their data and establish clear frameworks for data sharing with third parties, including compensation rules where appropriate. Ensure these practices align with competition laws.

Partner with or create independent data intermediaries: Collaborate with neutral data intermediaries to handle data exchanges between parties securely and without bias or create an independent entity within your organization to fulfill this role, following the EU Data Governance Act’s guidelines.

Adopt privacy-by-design principles: Integrate privacy and security measures into the design phase of your products and services. This means designing IoT devices and platforms with built-in security and privacy features, such as anonymization, data minimization, and encryption, from the outset rather than adding these measures later.

Focus on data interoperability and standardization: Adopt standardized data formats to ensure that your IoT devices and platforms can communicate and exchange data seamlessly with other systems. This not only helps with regulatory compliance but also avoids vendor lock-in and enhances competitiveness by allowing your products to integrate more easily with third-party services.

The role of an IT enabler in navigating EU data regulatory landscape

Given today’s complex regulatory landscape, IoT manufacturers need a technology partner to stay compliant and create business opportunities. An IT enabler provides the tools, expertise, and infrastructure to help companies meet the legal and compliance requirements of EU data regulations efficiently. Here are the key areas where you’ll need support:

  • Regulatory compliance: Navigating complex frameworks requires a deep understanding of these regulations to ensure legal obligations are met. An IT enabler helps interpret laws, builds compliance-focused solutions, and keeps your business up to date with evolving regulations.
  • Technology solutions: To comply with privacy laws, businesses must implement secure data handling, processing, and sharing systems. Your IT partner offers scalable technology solutions to manage and protect personal and non-personal data.
  • Data exchanges: IoT manufacturers must enable secure, compliant data exchanges with external partners, including neutral data intermediaries and third-party services. An IT enabler designs and implements systems to facilitate these data exchanges while also ensuring transparency and fairness.
  • Operational simplicity: Compliance with regulations should not burden your core operations. An IT partner simplifies regulatory processes through automation, effective governance, and streamlined workflows.
  • Ongoing maintenance and updates: Once solutions are built and implemented, they require ongoing maintenance to comply with new laws and standards. A software development consultancy provides long-term support and regular updates to ensure your systems evolve alongside regulatory changes.
  • Customizable solutions: Every IoT manufacturer has unique business needs, and regulatory compliance often depends on industry-specific nuances. A software development consulting partner can develop custom-built solutions that not only meet legal standards but also align with your specific operational and business goals.
  • Integration with existing systems: Rather than replacing your entire IT infrastructure, an IT enabler integrates new compliance solutions with your existing systems, ensuring a smooth transition with minimal disruption.

At Grape Up, we provide the solutions, expertise, and long-term support to help you navigate these challenges and stay ahead in the regulatory landscape.

Need guidance on complex EU data regulations? We offer expert consulting to guide you.

Looking for secure data-sharing platforms? Our products ensure safe exchanges with third parties while keeping your business compliant.

Whether it’s managing compliance, data security, or third-party integrations, we provide the tools and expertise to support your needs.


Source:

  1. https://www.researchgate.net/figure/nternet-of-Things-IoT-connected-devices-from-2015-to-2025-in-billions_fig1_325645304#:~:text=1%2C%20By%20the%20year%202025,of%2079%20zettabytes%20%5B12%5D%20.
  2. https://digital-strategy.ec.europa.eu/en/policies/data-governance-act
  3. https://digital-strategy.ec.europa.eu/en/policies/data-act
  4. https://gdpr-info.eu/