IoT
25.03.2025

“IoT applications are particularly worth protecting”

From the Data Act to the Cyber Resilience Act (CRA): Giovanni Coppa, Leader of the eco Internet of Things (IoT) Competence Group, explains which regulations particularly affect the IoT industry and what new obligations arise for it. He will moderate the webinar ‘EU Data Protection Law at a Glance for IoT Companies’ (in German) on 2 April – participation is open to everyone.
Mr Coppa, in recent years the EU has created a large number of new legal acts that have a direct impact on companies that collect, process and distribute IoT data. Are IoT companies more affected by these regulations than traditional cloud or artificial intelligence (AI) providers?

Giovanni Coppa: The use of IoT is the norm today. Almost all companies, especially in the industrial sector, are heavily affected by the regulations, as they not only process large amounts of data, but usually also operate physical devices and critical infrastructures. This brings additional challenges in terms of data protection (GDPR), cybersecurity (NIS2, CRA) and data access (Data Act, DGA). In addition, IoT devices often generate personal data and interact directly with consumers – resulting in stricter compliance requirements.
In Europe, we have already developed a strong awareness of how the use of data can impact our economy and lives. It remains important to curb potential misuse.

Why is that? What do companies need to keep in mind when using IoT data?

IoT applications are particularly worth protecting for several reasons. Firstly, IoT devices often collect very personal and sensitive data, such as health data, location data or data about behaviour in private spaces. This significantly increases the requirements for data protection and data security. In addition, IoT devices are often vulnerable to cyberattacks, which can lead to potentially serious consequences, such as the failure of critical infrastructure. As a result, companies and organisations are faced with stricter cybersecurity requirements. Malfunctions of IoT devices and sensors can cause considerable damage. The question of who is liable for this damage is often complex and associated with additional regulatory requirements.
Last but not least, IoT ecosystems are often very heterogeneous, which makes interoperability difficult. The European regulations therefore also aim to create open and secure standards for interoperability and thus unite the entire European territory. eco – Association of the Internet Industry is also working on projects of this kind, such as FACIS.

From the Data Act to the Data Governance Act (DGA) and the Cyber Resilience Act (CRA): is it possible to say which of the new regulations affects IoT companies the most?

It is almost impossible to identify a single regulation as the single most important one. After all, all the laws mentioned cover aspects that are relevant to companies that implement or use IoT. The most important ones for the industry are certainly:

  • The Data Act, which regulates data sharing between companies and users.
  • The CRA (Cyber Resilience Act), as it sets out minimum requirements for the cybersecurity of connected devices.
  • But also the DGA (Data Governance Act) for companies that share data between different players or act as data intermediaries.

To summarise, however, it can be said that the Data Act and the Cyber Resilience Act certainly have the greatest direct impact on the IoT industry at present: the CRA is likely to have the greatest impact on IoT hardware providers, while the Data Act is particularly important for data-driven IoT business models.
However, it must also be said that nowadays it is almost normal for companies to have software that has been developed in accordance with these guidelines. Nevertheless, industry get-togethers such as the eco Association’s webinar on EU data law and the Hannover Messe are always a great opportunity to exchange ideas with other (Industrial) Internet of Things companies on the latest requirements and changes.

You are a full-time Digital Innovation Lead at Research Industrial Systems Engineering (RISE), a consultancy for research, development and large-scale projects. With a view to the continuous further development of data-driven business models: Do you recommend that, in principle, all IoT providers, manufacturers and operators should also familiarise themselves with the EU AI Act?

Yes, this is essential, as many IoT applications are based on AI in order to fully process the information collected. For example, this is necessary for predictive maintenance, intelligent assistants or automated control systems.
In addition, many IoT companies are affected by the EU AI Act anyway, as it regulates high-risk AI systems in particular – those that are used in critical infrastructure, healthcare or biometric identification and process IoT data.
IoT hardware and software providers will need to adapt their AI-based solutions to meet the necessary compliance requirements. The best software solutions are certainly those that offer an integrated ecosystem and are able to provide the customer with the right information in a homogeneous way, on the basis of which they can make important decisions – this is best done with the help of AI.

The IoT Competence Group webinar on 2 April 2025 will provide a detailed overview of the most important legal acts on EU data law for IoT companies (in German) – register here!
Future webinars of the eco Competence Group IoT will also continue to deal with relevant questions on EU data law. Stay informed here!
