From IoT data access portals to high-risk AI transparency, 2026 is the year the EU Data Act and AI Act move from drafting to daily practice.
Topics: EU Data Act, EU AI Act, IoT, AI Governance, Transparency
In Europe, 2026 is not about new principles; it is about operational deployment. The EU Data Act and the EU AI Act now move from drafting to daily practice.
Beyond GDPR: Portability, Fairness, And Access
GDPR remains the baseline for data protection and individual rights. However, the EU Data Act expands the discussion from privacy to access, portability, and economic fairness.
It focuses on data generated by connected products and related services. This includes IoT devices, smart hardware, and many industrial systems that produce continuous streams of usage data.
Crucially, the Act requires that users can access this data by default in a usable format. Therefore, manufacturers must design products and services with data access pathways built in from the start.
September 12, 2026: Manufacturer Obligations Land
Key manufacturer obligations under the Data Act arrive on September 12, 2026. By this date, organisations must ensure users can access data generated by their connected products without facing artificial friction.
This means clear interfaces, documentation, and technical measures that allow users to download or share their data. It also limits contractual or technical tricks that prevent customers from switching service providers.
Consequently, product teams must treat data accessibility as a core feature rather than a later integration. They need roadmaps for building "Data Access Portals" that meet security, usability, and legal requirements.
EU AI Act: Transparency For High-Risk Systems
Alongside the Data Act, the EU AI Act introduces strict obligations for high-risk systems. These include AI used in recruitment, credit scoring, and other contexts that significantly affect individuals’ lives.
High-risk AI must meet standards for transparency, human oversight, and robustness. Users impacted by these systems should understand when AI is involved and how decisions can be challenged.
This requires documentation of training data, model behaviour, and risk controls. It also requires clear processes for handling objections and correcting adverse outcomes.
The Operational Challenge For 2026
For many organisations, the challenge is not interpreting the regulations; it is operationalising them. Privacy, data, and product teams must collaborate more closely than ever.
IoT manufacturers need data inventories that link device telemetry to customers and legal bases. They must also ensure access pathways do not undermine security or intellectual property.
Meanwhile, AI teams must integrate risk assessments into development lifecycles. They need to track where models are deployed and whether those contexts fall into high-risk categories.
How Privacy360 Supports Data And AI Governance
Privacy360 is designed to help organisations move from reactive compliance to structured governance across privacy and AI. Its platform combines assessments, DSARs, vendor oversight, and AI governance in a single environment.
For the EU Data Act, Privacy360 can support:
- Data mapping for connected products and IoT services, including data flows and legal bases.
- Design and governance of "Data Access Portals" that allow users to download IoT data in near real time.
For the EU AI Act, Privacy360 enables:
- AI Impact Assessments (AIIA) that document risk, transparency controls, and human oversight for high-risk systems.
- Centralised registers of AI use cases, linking models to business processes and regulatory categories. See the full set of operational modules for details.
When additional expertise is required, Formiti provides consulting services for Data Act and AI Act readiness. Their team helps design AI governance frameworks, review high-risk deployments, and align contracts with new access obligations. Details are available at Formiti – Global Data Protection Consultancy.
Do you already maintain a central register of AI use cases and connected product data flows, or is that still being mapped?