The European Union developed a data strategy years ago. The rollout of this strategy involves many new European regulations that directly apply to Dutch businesses and consumers.

The European Union recently introduced two regulations that impact technology companies: the European Data Regulation (Data Act) and the Cyber Resilience Act (CRA). In this newsletter, we explain both regulations.

What is the European Data Regulation (Data Act)?

The Data Act aims to make data sharing between companies, consumers, and governments in the European Union easier and fairer. For technology companies, this means, among other things, that products and services that generate data must also make that data available to users. Think of IoT devices, machines, or smart software.

Key points from the Data Act:

  • Users gain more control over the data their devices generate.
  • Companies must enable data access technically and contractually.
  • Clear rules will be introduced for data sharing in emergency situations.
  • Unfair contractual terms (including between companies) regarding data, but also regarding the resulting liability and rights of customers, will be void or voidable.

Entry into force

The Data Act has been in effect since September 12, 2025. The Data Act applies to manufacturers of connected products (such as smart devices), providers of related services (apps, IoT), cloud providers (SaaS), governments, and users (both consumers and businesses).

What is the Cyber Resilience Act (CRA)?

The CRA focuses on the cybersecurity of all digital products sold in the EU, such as software, IoT devices, and connected hardware. The CRA sets cybersecurity requirements throughout a product's entire lifecycle.

Key points of the CRA:

  • Products must be “secure by design” and “secure by default”.
  • Manufacturers/importers are responsible for providing timely security updates throughout the product lifecycle (minimum 5 years).
  • Vendors must actively monitor and resolve vulnerabilities.
  • Mandatory safety documentation and declarations of conformity will be introduced. 

Entry into force

The CRA came into effect on December 10, 2024. From September 11, 2026, a reporting requirement for actively exploited vulnerabilities and incidents will apply. From December 11, 2027, all products with digital elements must comply with the CRA. The CRA applies to manufacturers, importers, distributors, and authorized representatives.

What to do?

We recommend that you check whether you are subject to the Data Act and/or CRA, and whether your company complies with the obligations. It's also wise to review relevant agreements with parties in the supply chain. For example, check for unreasonable contractual terms (Data Act) or agreements with suppliers of hardware or software from outside the EU that you import.

Want to know more?
Do you have questions about how these new rules affect your work? Please contact Sander Pieroelie, attorney at Vestius Advocaten in Amsterdam and affiliated with FHI through FHI Advies. FHI Advies can be reached via legal@fhi.nl.


The above text is a substantive contribution from our partner Vestius Advocaten.

FHI, federatie van technologiebranches