Navigating the Dual Challenge of EU Data Act and Cyber Resilience Act
This episode explores how the EU Data Act and Cyber Resilience Act together are setting a new standard for IoT platform design. Margaret and David break down key requirements, discuss the shared challenges, and examine how Tributech’s middleware serves as a bridge for compliance. Perfect for security architects and manufacturers preparing for sweeping regulatory change.
This show was created with Jellypod, the AI Podcast Studio.
Chapter 1
Introduction to the topic
Margaret Ellis
Welcome back to Come Reflect Act, the podcast where we make sense of the ever-shifting regulatory landscape for connected products. I’m Margaret Ellis, here with David Evans, and today we’re unpacking a rather big question—what happens when two of the EU’s sweeping tech regulations hit IoT manufacturers practically back to back?
David Evans
Yeah, hi everyone. So we’ve talked a lot about the Cyber Resilience Act—the CRA—and its huge implications. But there’s also this other big player on the field: the EU Data Act.
Margaret Ellis
Right, it’s a bit relentless, isn’t it? The EU isn’t pulling any punches with this. So, if you’re an IoT vendor, you’re now staring down not just one overhaul of your platform architecture but potentially two. The Data Act leans heavily on data access, interoperability, sharing. Then the CRA, as we’ve discussed, is all about product cybersecurity and resilience—making sure they are built secure by design and stay protected over time.
David Evans
Exactly. And if you treat these separately—like, first chasing Data Act compliance, then scrambling for CRA later—you’re basically baking in more costs, more technical debt, and honestly just a lot of unnecessary pain for your development teams. That’s really what we wanna get into today—how you can rethink your IoT architecture so you’re ready for both sets of rules, not just stuck playing regulatory whack-a-mole every couple of years.
Margaret Ellis
So, let’s set the scene: two big regulations, some deadlines have already been reached, some are looming, but also, as we’ll show, one smarter pathway. Let’s start by breaking down the Data Act first. David, do you want to kick us off?
Chapter 2
Understanding the EU Data Act
David Evans
Sure. The EU Data Act—it might be one of the most far-reaching data access laws we’ve seen in a while. For IoT manufacturers, it’s no longer just about building a device and moving on. You’ve gotta make sure that the data those devices generate is easily, securely, and interoperably accessible—not just to the owner but to third parties and even public authorities under some circumstances.
Margaret Ellis
And critically, that data access has to be free of charge, and provided in a commonly used, machine-readable format. Everything from user interfaces to backend systems needs a rethink.
David Evans
Yeah, and there are these transparency obligations before anyone even buys your product. You’ve got to spell out, for example, what data your device collects, how people can access it, how long it’s kept, and whether any third parties might touch it. And one other thing that—honestly, I wish we’d had in some of these older regulations—the law explicitly bans what they call “dark patterns.” Design tricks that, you know, make it deliberately hard for users to get at their rights, those are a no-go now.
Margaret Ellis
Mmm, really important point. And don’t forget the sharing obligations—if a user asks, manufacturers need to provide ways to share their data with service providers or partners, again in a fair, non-discriminatory way. And, in rare cases, public authorities can request data too, especially in emergencies or for public needs.
David Evans
Exactly. The Data Act is now in force as of this September, and for new products there are even more obligations from September 2026. And the fines? Well, think GDPR level—up to €20 million, or 4% of annual global turnover, whichever’s higher. It’s not something you can put off and hope it’ll be forgiven later.
Margaret Ellis
The bottom line: you need to redesign your IoT products for secure, interoperable, and user-friendly data access pretty much, uhh, yesterday. For many manufacturers, that’s proving to be a far bigger lift than expected, especially as many are only now waking up to the regulation’s demands. But of course, that’s just the first half of the compliance puzzle we will be talking about today. The other half is the CRA, which we’ll dive into next.
Chapter 3
Cyber Resilience Act Requirements and Impact
Margaret Ellis
Alright, so let’s talk Cyber Resilience Act. If you listened to our earlier episodes, especially the one where we dug into the 13 essential requirements and the 8 vulnerability handling obligations, you’ll remember: the CRA is about shifting from “build and forget” to “secure and support for life.”
David Evans
Totally. The CRA is, like, the EU's answer to these fragmented and often quite patchy cybersecurity approaches we've seen, with a harmonized rulebook. So, manufacturers need to do a full-on cybersecurity risk assessment before products hit the market—thinking through not just normal operation but potential misuse and all those “what if” scenarios.
Margaret Ellis
And it’s not just about ticking boxes. The 13 cybersecurity requirements—secure by design and default, proper access control, event logging, even secure data deletion—these touch every layer of your tech stack.
David Evans
And on top of all that, as we have talked about, you’ve got the eight vulnerability handling rules: you need policies, processes, real user notifications if a vulnerability pops up, rapid security updates, and, crucially, strict reporting deadlines to things like CSIRTs and authorities. Actually, I always forget these reporting windows—are they 24 hours? Or shorter?
Margaret Ellis
It varies slightly, but you’re right, the timelines are tight and very much in line with what GDPR requires for breach notifications. The main point is: you can’t drag your heels, and you need clear communication channels built in before a crisis hits.
David Evans
Definitely. And let’s not forget the documentation: you need technical files, an EU Declaration of Conformity, your CE mark, the works. And if your product is “important” or “critical,” you might need third-party certification on top of self-assessment. The first CRA rules—mainly around vulnerability management—kick in September 2026, but the full set applies by December 2027. Fines? Up to €15 million or 2.5% of global turnover, plus risks around losing your CE mark and potential product recalls.
Margaret Ellis
It’s a lot to take in. But the big thing to remember is, if you wait to address the CRA until you’ve already rebuilt your platform for the Data Act, you’re in for yet another costly rework. What we really advocate at Tributech, and what we want to get practical about now, is how you can bring both worlds together with the right architectural approach.
Chapter 4
Aligning IoT Design with Middleware Innovation
David Evans
Yeah. This is kinda where we see companies falling into that trap: treating the Data Act and CRA as these silos, doing all the work for one, then realizing, oh no, we’ve got to go back and rip apart our system for the other. It's a classic recipe for technical debt and, honestly, just developer burnout.
Margaret Ellis
That’s why there’s a strong case for finding solutions that align with both regs from the outset. And here’s where Tributech Middleware really comes into play. Instead of reinventing the wheel—or, rather, rebuilding the whole car twice—this middleware can give you compliant building blocks for both sets of demands, right out of the box.
David Evans
So take device provisioning—you’ve gotta do this securely, with proper certificates and access controls for CRA, right? But you also need to make sure users and third parties can actually get at the data they’re supposed to have, which the Data Act obligates. Middleware that handles secure enrollment, encrypted comms, digital twin technology with rich metadata, that’s—it just cuts both ways, ticking boxes for each regulation.
Margaret Ellis
Plus, fine-grained access management—being able to precisely control who gets access to what data, when, and under what terms—is basically the bridge between those requirements. And, by having things like encrypted, authenticated data flows and certificate lifecycle management embedded, you’re ready for CRA enforcement, while digital twins and machine-readable formats knock out the Data Act’s interoperability and transparency bits.
David Evans
So, in practice, instead of facing a double rebuild in quick succession—first for access and sharing, then for cybersecurity—you’re setting yourself up to cover both now, with a single platform redesign. That means a lot less risk, lower long-term cost, and, let’s be honest, way less stress for everyone involved.
Margaret Ellis
Well summed up. Ultimately, thinking holistically and leveraging the right middleware can mean you’re not just surviving this regulatory onslaught—but actually using it to build better, more trusted products. And, you know, not dreading what the next EU directive’s going to throw at you.
David Evans
Exactly. Look, it’s a lot, but with the right strategy—and the right tools—a single, streamlined architecture is within reach. And if it sparks interest, we can explore more specific technical strategies and case studies in future episodes, so, Margaret, I think that’s a good spot to wrap?
Margaret Ellis
Absolutely. Thanks as always for joining us on Come Reflect Act. We hope today’s chat helps you navigate this dual challenge with a bit more clarity—and maybe even a little less stress. David, thanks for your insights.
David Evans
Thank you, Margaret. And thank you to all our listeners—we’ll see you next time!
