Europe is in the middle of a quiet but far-reaching reset of how connected products and cloud services are designed, secured and commercialised. Two new instruments sit at the heart of this shift: the Cyber Resilience Act (CRA) and the EU Data Act. For tech companies selling devices, software or cloud services into the EU, these laws will shape product roadmaps, security engineering and contract strategy over the rest of this decade.
This article looks at what they do, how they fit together, and what in-house legal teams should be doing now.
A new baseline for cybersecurity: the Cyber Resilience Act
The CRA is the EU’s attempt to hard-wire cybersecurity into the lifecycle of digital products. It will apply from December 2027, with some incident reporting obligations becoming applicable earlier, from September 2026.
At its core, the CRA imposes cybersecurity requirements on “products with digital elements” made available on the EU market. That term is intentionally broad. It covers any connected hardware or software product, including its remote data processing solution. In practice, this means everything from mobile devices, apps and laptops to smartwatches, smart home devices, firewalls, microprocessors, smartcards and even chatbots.
An Annex to the CRA identifies certain “important” and “critical” products. All in-scope products must meet a set of essential cybersecurity requirements, but important and critical products face more stringent obligations: they must comply with harmonised standards and undergo formal certification.
Responsibility sits primarily with manufacturers, but importers and distributors are not off the hook. Across the supply chain, organisations will be expected to:
- design and build products to meet the essential cybersecurity requirements;
- carry out conformity assessments and, where required, obtain certification;
- monitor for vulnerabilities and notify relevant Member State authorities of cybersecurity vulnerabilities and incidents; and
- provide users with appropriate security information and updates.
For many tech businesses, this will require a shift from treating security as a feature or add-on to treating it as a regulatory baseline. Product development processes, vulnerability management and incident response will all need to be aligned with CRA expectations.
Data access and cloud switching: the EU Data Act
If the CRA is about making products more secure, the EU Data Act is about making data more usable and cloud markets more contestable.
The Data Act entered into force on 12 September 2024 and contains a range of obligations. Two are particularly relevant for tech companies: B2B data sharing for connected products and cloud switching for data processing services.
Connected products and related services: giving users control over data
The first pillar of the Data Act targets entities that sell, lease or rent “connected products” on the EU market, and providers of “related services”.
A connected product is essentially any device that collects data about its use or environment and is remotely connected to a server. This captures a wide spectrum of Internet of Things devices: smartwatches, connected home equipment, agricultural machinery, transport trackers, terminal tracking devices, wind turbine monitoring equipment, vehicle tracking and monitoring systems and more.
Related services are digital services provided with the product that allow it to perform its functions. A typical example is over-the-air software update services for mobile phones.
The central obligation is straightforward but powerful: data generated through the use of connected products and related services – “product data” and “related services data” – must be made available to the user and to certain third parties designated by the user, to the extent the user does not already have direct access.
The policy aim is to ensure that users can control and re-use the data generated by their devices – for example, when switching to a competing product or service – and to support the development of downstream data-driven services.
To deliver this in practice, providers of connected products and related services must:
- design products so that relevant data is directly accessible “by design”;
- inform users about what data is collected and how it can be accessed; and
- use contract clauses that comply with the Data Act’s requirements when granting access to such data.
For manufacturers and service providers, this will have implications for product architecture, APIs, user interfaces and contractual frameworks.
Cloud switching: tackling vendor lock-in
A different chapter of the Data Act focuses on providers of data processing services – essentially cloud service providers, including IaaS, PaaS and SaaS. The objective is to make it easier for customers to switch to other providers of similar services and to reduce dependence on a single cloud provider.
The obligations are significant:
- Users must be able to switch at any time, even during a fixed-term contract. Providers cannot refuse to enable switching, although they may still agree early termination fees.
- Providers must support switching within strict timelines and implement open interoperability standards to facilitate it.
- Any fees charged for switching services must be phased out, ultimately by January 2027.
The intention is to prevent users from becoming locked in and to stimulate competition and innovation in cloud markets. However, there is still considerable uncertainty about the scope of “data processing services”, particularly as regards more customised SaaS offerings.
The European Commission’s Digital Omnibus proposal would introduce exemptions for cloud service providers in relation to switching where contracts for custom-developed cloud services were entered into before 12 September 2025. That may ease the transition for some legacy arrangements, but it does not resolve the broader question of whether custom-developed services should fall within the switching regime at all.
How the CRA and Data Act fit together
Although the CRA and Data Act are separate instruments, they will often apply to the same products and services.
A manufacturer of connected devices may find that:
- its products are “products with digital elements” under the CRA, triggering cybersecurity by design and incident reporting obligations; and
- the same devices are “connected products” under the Data Act, requiring data access for users and designated third parties.
Similarly, a cloud provider may need to:
- comply with CRA requirements where it offers software products or platform services that qualify as products with digital elements or remote data processing solutions; and
- implement Data Act-compliant switching and interoperability measures for its data processing services.
For in-house teams, the key is to avoid treating these regimes in isolation. Security design, data access and switching obligations will need to be reconciled in product and contract strategy.
What in-house legal teams should be doing now
The lead time for compliance with the CRA and Data Act requirements may be lengthy. Redesigning products, re-engineering cloud architectures and renegotiating contracts can easily become multi-year programmes.
A pragmatic roadmap might include:
1. Scoping and inventory
- Identify which of your products are likely to be “products with digital elements” and which are “connected products” with related services in the EU.
- Catalogue the product data and related services data generated and how it is currently stored, accessed and used.
- Map your cloud and data processing services (IaaS, PaaS, SaaS) and assess whether they fall within the Data Act’s concept of data processing services.
2. Gap analysis
- For connected products, assess whether users already have direct access to relevant data and whether your current information to users meets the Data Act’s expectations.
- For cloud services, review your switching, termination and interoperability provisions and your technical ability to support switching within the required timelines.
- For CRA, compare your existing security requirements, development processes and incident reporting against the CRA’s essential cybersecurity requirements.
3. Governance and contracts
- Embed CRA and Data Act considerations into product governance, including design reviews and go-to-market approvals.
- Update standard contracts for device sales/leases, related services and cloud services to reflect data access rights, switching obligations and allocation of responsibilities for security and incident reporting.
4. Planning for uncertainty
- Monitor the Digital Omnibus process and secondary legislation, particularly around:
  - the scope of data processing services;
  - exemptions for custom-developed cloud services; and
  - detailed CRA standards and certification schemes.
- Build flexibility into contracts and product plans to accommodate further guidance and potential adjustments to timelines.
Looking ahead
The CRA and Data Act are part of a broader EU effort to create a more secure, interoperable and competitive digital ecosystem. For tech companies, they are not optional extras: they will define the regulatory expectations for connected products and cloud services in the EU for years to come.
The organisations that move early – by understanding their exposure, engaging product and engineering teams, and aligning contracts and governance – will be better placed to treat these laws as a competitive differentiator rather than a last-minute compliance burden.



