The EU Data Act requires Dutch businesses that run connected devices or cloud services to redesign their systems to allow users to access their data by default. Unlike GDPR’s centralized enforcement, each EU member state has independent authorities with different penalties.
The Netherlands uses both the ACM and AP, creating double jeopardy when personal and non-personal data overlap. Compliance is engineering work, not policy updates.
This new business reality leads directly to the requirements below, which redefine competitive dynamics.
Core Requirements
- From September 12, 2026, connected products must enable free, structured, machine-readable data access by design.
- Users can designate third parties (including competitors) as data recipients.
- Trade secrets require documented safeguards and serious economic harm to justify disclosure.
- Each member state enforces independently, with Dutch penalties up to €1,030,000 or 10% turnover.
- At the same time, the overlap between GDPR and the Data Act introduces new risks. Misidentifying data types can trigger penalties under both frameworks.
What the EU Data Act Changes for Dutch Businesses
The EU Data Act went live on January 12, 2025. Most Dutch entrepreneurs running cloud services, SaaS products, or IoT devices think compliance means updating privacy policies.
Wrong.
This regulation demands fundamental changes to how you architect data access. You must redesign systems so users can extract their generated data by default. Free of charge. In machine-readable formats.
Compliance requires a unified approach: legal, compliance, security, and development must coordinate seamlessly.
The problem isn’t technical complexity. The real exposure lives in enforcement fragmentation.
How EU Data Act Enforcement Differs from GDPR
GDPR gave you predictable enforcement through the “one-stop-shop” mechanism. Your lead supervisory authority handles cross-border matters. You know who investigates. You know the penalty structure.
The Data Act abandoned that model. Each EU member state designates its own competent authorities, each with its own independent penalty framework.
Malta imposes penalties of up to 5% of turnover through its Digital Innovation Authority. Germany’s draft assigns fines up to €50,000 under the Federal Network Agency. The Netherlands splits enforcement between the Consumer and Market Authority and the Data Protection Authority, with penalties up to €1,030,000 or 10% of EU-wide turnover.
If you operate across multiple EU markets, you face parallel investigations with inconsistent interpretations.
Jurisdictional uncertainty means it’s unclear which authority will investigate first or which standards apply.
Non-EU entities that fail to designate an EU legal representative are subject to universal jurisdiction. Every competent authority gets to pursue enforcement.
Enforcement is fragmented; risk multiplies in each EU market you serve.
Why the GDPR-Data Act Overlap Creates Dual Penalties
You face a classification trap.
The Data Act requires you to share user-generated data. GDPR restricts how you process personal data. When telemetry logs, usage patterns, or device data contain both personal and non-personal elements, you must classify correctly. Get this wrong, and you face penalties under both frameworks.
Misclassify data as non-personal when it’s personal: GDPR fines reach €20 million or 4% of global turnover through the Autoriteit Persoonsgegevens.
Classify everything as personal to avoid risk: You trigger Data Act violations by refusing legitimate access requests.
The regulatory structure creates enforcement overlap. Data protection authorities handle personal data. Member states designate separate authorities for non-personal data. In the Netherlands, the AP and ACM both have the option to pursue enforcement depending on the data classification.
Separating personal from non-personal data in connected devices is difficult. IoT telemetry often contains identifiable patterns even when direct identifiers are stripped. You need a case-by-case assessment for every data transfer request.
Most small businesses lack the legal capacity to perform this analysis consistently.
Critical point: The overlap between GDPR and Data Act means two separate enforcement authorities can investigate the same data transfer. Classification errors create exposure on both sides.
What Data-by-Design Architecture Requires
From September 12, 2026, new connected products must enable data access by default. This isn’t optional.
Articles 3 and 4 of the Data Act require that products are “designed and manufactured, and related services must be designed and provided, so that the product data and related service data are easily, securely, and freely accessible to users.”
Your systems must deliver data in comprehensive, structured, machine-readable formats through secure, easily accessible channels. Where technically feasible, users must access data directly through dashboards or APIs.
The regulation shifts compliance from policy to infrastructure. You won’t achieve this by improving your terms and conditions.
The requirement demands “technical redesign: ensuring products are data-accessible by design, which calls for significant R&D investment and changes to existing product lines.”
For Dutch micro and small businesses, this creates permanent technical debt. You need ongoing oversight, version control, and product testing to preserve compliance as your systems evolve.
Key reality: Compliance becomes a continuous engineering process. You won’t bolt this onto existing products. The architecture must support data access from the foundation.
When Trade Secrets Can and Cannot Excuse Data Sharing
You might assume proprietary algorithms or business logic qualify as automatic exemptions.
The Data Act preserves trade secret protection. You can’t simply refuse access requests by claiming confidentiality. You must demonstrate serious economic harm even after implementing protective measures such as encryption, access controls, and confidentiality agreements.
The regulation creates two tiers:
- Regular trade secrets: require “proportionate” safeguards that you and the data recipient agree upon.
- Particularly sensitive trade secrets: must cause serious economic damage to qualify for non-disclosure.
If you refuse to share on grounds of trade secrets, you must notify the national competent authority. This creates an administrative burden and exposes your claim to regulatory scrutiny.
What this means: Trade secret defenses work only as a narrow exception, not a blanket shield. You need documented evidence of economic harm and safeguards in place before refusing to share data.
How Competitors Use Data Portability as Competitive Intelligence
The Data Act grants users the right to designate third parties as data recipients. That third party may be your competitor.
Your rival can encourage customers to exercise transfer rights, legally accessing operational data you previously controlled exclusively.
The regulation requires you to provide “the same set of product, service, and metadata available to third parties in the same quality as would be provided to the user directly.”
Data portability transforms from consumer protection into competitive intelligence gathering.
A competitor can systematically harvest real-time data on machinery performance, usage patterns, or service metrics that reveal your business processes. Companies that relied on exclusive control of device data for aftermarket services or competitive advantage now face new competition from independent EU service providers who access the same data streams.
For budget-limited Dutch businesses, this creates asymmetric pressure. Compliance costs are high. Strategic benefits accrue to larger players who exploit portability rights at scale.
Strategic reality: Your compliance infrastructure becomes a competitive tool for rivals. Data you once controlled exclusively is now legally accessible through customer transfer requests.
What You Need to Do Before Enforcement Accelerates
Member states must notify the European Commission of their enforcement frameworks by September 12, 2025. The Netherlands has already designated the ACM and AP as competent authorities.
You have limited time before enforcement becomes routine.
Assess your current data architecture.
Map every connected product and cloud service you operate. Identify what data users generate. Determine whether your systems currently allow structured, machine-readable extraction. Document where personal and non-personal data intermingle.
Determine necessary technical changes.
Work with your development team to evaluate what redesign is required. Can users access data directly through dashboards or APIs? Do you need to build new export functionality? What security controls must you implement to prevent unauthorized access during data transfers?
Develop documented classification procedures.
Create a repeatable process for assessing whether data qualifies as personal under GDPR. Train your team to recognize edge cases where telemetry appears non-personal but contains identifiable patterns. Establish internal review processes before responding to data access requests.
Draft coordinated compliance policies.
Unify your Data Act and GDPR compliance framework. Establish clear, coordinated decision rules for handling requests involving mixed data types. Develop joint escalation procedures and a shared methodology for assessing trade secrets in ACM or AP challenges.
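As an added illustration of the assessment and classification steps above (example code, not part of the original article or any regulator's guidance), the script below keeps a per-field classification schema for a hypothetical connected machine's telemetry, refuses to export any field that has not been classified, and builds a structured, machine-readable export envelope that is identical whether the user or a user-designated recipient receives it. Field names, sample records and the `gdpr_review_required` gate are constructed assumptions.

```python
import json

# Per-field classification agreed once in internal review (constructed schema for a
# hypothetical connected machine). Fields absent from this table are never exported
# until someone has classified them, because mixed telemetry is the risky case.
SCHEMA = {
    "operator_id": "personal",   # resolvable to a natural person
    "gps": "personal",           # location traces identify individuals
    "motor_rpm": "non_personal",
    "energy_kwh": "non_personal",
    "firmware": "non_personal",
}

def classify_record(record):
    """Return 'personal', 'non_personal' or 'mixed'; raise on unclassified fields."""
    unknown = sorted(k for k in record if k not in SCHEMA)
    if unknown:
        raise ValueError(f"unclassified telemetry fields, review required: {unknown}")
    cats = {SCHEMA[k] for k in record}
    if not cats:
        raise ValueError("empty record cannot be classified")
    return "mixed" if len(cats) == 2 else cats.pop()

def build_export(records, recipient, authorized_by):
    """Structured export; same field set and quality for user or designated recipient."""
    classified = [dict(r, _classification=classify_record(r)) for r in records]
    # Any personal or mixed record routes the whole export through the GDPR review
    # step before release; purely non-personal exports can be released directly.
    needs_review = any(r["_classification"] != "non_personal" for r in classified)
    return {
        "schema_version": "1",
        "recipient": recipient,
        "authorized_by": authorized_by,
        "gdpr_review_required": needs_review,
        "records": classified,
    }

# Constructed sample telemetry: one purely operational record, one mixed record.
SAMPLE = [
    {"motor_rpm": 1450, "energy_kwh": 12.4, "firmware": "2.3"},
    {"motor_rpm": 0, "gps": [52.37, 4.89], "operator_id": "op-17", "firmware": "2.3"},
]

if __name__ == "__main__":
    export = build_export(SAMPLE, recipient="third-party-service-co", authorized_by="user-42")
    print(json.dumps(export, indent=2))
```

Adding a field to the device firmware without adding it to `SCHEMA` makes the export fail closed, which is the behaviour you want when the alternative is releasing unreviewed data.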
Structure is cheaper than parallel enforcement actions.
The Real Risk Is Delayed Recognition
Most Dutch entrepreneurs won’t face enforcement under the Data Act in the first six months.
That delay creates risky complacency.
Enforcement fragmentation means you don’t know when an investigation begins or which authority initiates it. The classification trap between GDPR and the Data Act creates exposure, and that exposure grows over time as you process more data requests. Design-by-default requirements become exponentially more expensive to retrofit into existing products.
The founders who treat this as a 2026 problem will discover architectural changes require months of development work, not weeks of policy updates.
The system doesn’t care about your intentions. It measures proof, structure, and technical capability.
If you fail to demonstrate compliant data access by design, you’re building liability into every connected product you ship.
Frequently Asked Questions
Does the EU Data Act apply to my Dutch business?
Yes, if you provide connected products, IoT devices, or cloud services where users generate data. The Act applies to products placed on the EU market from September 12, 2026, and related services from January 12, 2025. If you sell smart devices, SaaS platforms, or services that collect user-generated data, you’re covered.
What’s the difference between GDPR and Data Act enforcement?
GDPR uses a centralized “one-stop shop” where your lead supervisory authority handles cross-border issues. The Data Act has no central coordination. Each of the 27 EU member states designates separate competent authorities with independent penalty frameworks. You face potential parallel investigations with inconsistent interpretations throughout markets.
Can I refuse to share data to protect trade secrets?
Only in narrow circumstances. You must demonstrate serious economic harm even after implementing safeguards like encryption and access controls. Regular trade secrets require proportionate protective measures agreed with the data recipient. You must notify the national competent authority if you refuse to share, creating an administrative burden and regulatory scrutiny.
How do I classify data as personal vs. non-personal?
You need a case-by-case assessment for every data transfer request. IoT telemetry often contains identifiable patterns even when direct identifiers are removed. If you misclassify personal data as non-personal, you face GDPR fines up to €20 million or 4% of global turnover. If you classify everything as personal to be safe, you trigger Data Act violations for refusing legitimate access requests.
Can competitors really access my customer data?
Yes. Users may designate third parties as data recipients. Your competitor can encourage customers to exercise transfer rights, legally accessing operational data, usage patterns, and service metrics you previously controlled exclusively. You must maintain the same data quality for third parties as you do for users directly.
When do I need to comply with the Data Act?
Related services must comply from January 12, 2025. New connected products placed on the EU market must enable data-by-design from September 12, 2026. Member states must notify enforcement protocols by September 12, 2025. The Netherlands has designated the ACM and AP as competent authorities. Enforcement is already active.
What penalties do Dutch businesses face for non-compliance?
In the Netherlands, penalties reach €1,030,000 or 10% of EU-wide annual turnover. Different member states have different penalty structures. Malta imposes fines up to 5% of turnover. Germany proposes fines up to €50,000. If you operate across multiple EU markets, you face exposure in each jurisdiction.
Do I need to rebuild my entire product architecture?
For most connected products, yes. Articles 3 and 4 require products designed and manufactured so that data is easily, securely, and freely accessible to users. You need structured, machine-readable formats via secure channels and, where feasible, direct access through dashboards or APIs. This isn’t policy work. This is a fundamental engineering redesign.
Key Takeaways
- The EU Data Act creates enforcement fragmentation, with 27 separate member-state authorities and no central coordination, unlike the GDPR’s one-stop-shop mechanism.
- Dutch businesses face dual enforcement exposure from both the ACM and AP when data contains mixed personal and non-personal elements, with penalties up to €1,030,000 or 10% of turnover.
- Compliance requires engineering-driven architectural changes to enable user data access by design, not policy updates, nor terms and conditions modifications.
- Trade secret protection works only as a narrow exception requiring documented economic harm proof and implemented safeguards, not as a blanket refusal mechanism.
- Competitors can legally harvest your operational intelligence through customer data transfer requests, transforming consumer protection portability into competitive intelligence gathering.
- Design-by-default requirements apply from September 12, 2026, for new products and become exponentially more expensive to retrofit inside existing systems.
- The GDPR-Data Act classification trap exposes organizations on both sides, as misidentifying data can trigger separate penalties from different enforcement authorities.