In 2026, you cannot keep your customers’ data locked behind your service.
That is the calm translation of what enters into force on 12 September 2026: Article 3(1) of EU Regulation 2023/2854 — the EU Data Act. From that day forward, anyone who builds a sensor, connects a machine, ships an app that generates data must consider, from the very first design sketch, that the data belongs to the user — and must be reachable for them.
It is not a new topic. It is an expiry date.
What applied so far, what applies from September
The regulation has been in force since January 2024. The first round of duties landed on 12 September 2025: data access rights for users of existing products, fair cloud-switching conditions, protection against abusive B2B contractual terms. Most small businesses did not feel it directly — pressure came from the top of the supply chain, where large manufacturers had to react. Their SME suppliers benefited without noticing.
On 12 September 2026 the addressee changes.
From that day, the design obligation applies to every new connected product placed on the EU market. “Data by design” is the official phrase. Translated: if your product generates data — and almost every product does, from heating control to workshop systems — your customer must be technically able to reach that data without asking your permission.
It sounds academic. It is a bombshell.
What this means for three typical businesses
Machine builders with an IoT component. Anyone who wants to sell a connected workshop control unit in 2027 must have decided by September 2026: which data does the device generate? Who is allowed to reach it? How does the buyer access it without going through our backend? Whoever does not solve this has a product that is no longer legally saleable in the EU — not because an inspector arrives, but because the first major customer asks the question in their procurement specification.
Software companies with a cloud service. What happens when a customer says: “I am taking two years of machine data with me and going elsewhere”? If the answer is “technically only possible if you book our premium tier”, you are exposed from September 2026 onwards. The Data Act prohibits artificial switching barriers. Data belongs to the customer, not to the contract.
Association software, practice management, workshop IT. The threshold is lower than people think. As soon as your software generates data for other businesses — member data, patient data, order data — you are part of the supply chain. The duty does not end at the large industrial names. It ends at the last bit of data a person or machine inside the product has produced.
Why this collides with the CLOUD Act
The Data Act says: data belongs to the user. The 2018 CLOUD Act says: US authorities may access data controlled by US companies — wherever the server is located. Schrems II has said since 2020: US law does not provide adequate protection for EU data.
If you build a connected product in 2026 and store its data with a US hyperscaler — even in an “EU region” — your customer faces a conflict they cannot resolve themselves. Their right to data access meets the right of a foreign authority to interrupt that access. Architecture decides, not contract.
This is exactly the trap many small companies have walked into in the past five years. They chose large US cloud platforms because it was fast and cheap. They thereby tied their data architecture to a legal regime that is in tension with the Data Act. In September 2026, that tension becomes visible — not in a courtroom, but in the next customer’s procurement document.
What a different architecture makes possible
An operational backbone running on servers you control is not a political statement. It is a technical answer to a legal question. Your customers’ data sits where you can reach it — not where another country’s prosecutor can reach it. Interfaces are documented. Exports are built in. Switching to another provider is possible because the format is open — not because a clause promises it.
That is the form of clarity the Data Act is asking the European economy for in 2026. Not as a gesture. As a precondition for continuing to sell.
The honest question
Imagine in October 2026 a major customer asks you during an audit: “Where exactly is our data, and can we reach it without going through you?” What is your answer?
If the answer is “yes”, you are fine. If the answer is an explanation, you should start today.
This article describes Regulation (EU) 2023/2854 in the form applicable from 12 September 2026. It does not replace legal advice. To examine a specific case, please consult an IT-law specialist.