Blog | SEP 26, 2025
Two Regulations, One Middleware: Simplifying Data Act and CRA Compliance
Two major EU regulations are reshaping the future of IoT: the EU Data Act and the Cyber Resilience Act (CRA). Together, they will force every IoT manufacturer to rethink their platform architecture, first for data access, interoperability, and sharing (Data Act) and then for cybersecurity, resilience and vulnerability management (CRA). The challenge: two redesigns in just a few years. The solution: align both now with one architecture.
The EU is taking a bold step to regulate the digital backbone of Europe’s economy. For IoT manufacturers, two regulations are front and center: the Data Act and the Cyber Resilience Act (CRA).
The Data Act already applies since September 12, 2025, and will be extended on September 12, 2026. The Data Act requires IoT manufacturers to make device-generated data easily, securely, and interoperably accessible to users, third parties, and public authorities.
The first CRA requirements will apply from September 11, 2026 and the full regulation will be in force on 11 December, 2027. The Cyber Resilience Act (CRA) sets out mandatory cybersecurity requirements to ensure that all products with digital elements are secure by design and resilient throughout their entire lifecycle.
At first glance, the acts seem decoupled: one is about data access, the other about cybersecurity. But together they create a dual challenge: companies need to redesign their IoT solutions twice in just a few years, unless they align early.
In this article, we explain:
What the Data Act demands
What the CRA demands
The Synergies between Data Act and CRA
How Tributech helps
What the Data Act Demands
The EU Data Act fundamentally changes how IoT manufacturers must handle the data their devices generate. Key obligations include:
Secure and free user access: Connected products must be designed so that product data is easily and securely accessible to the user, free of charge, in a commonly used, machine-readable format.
Data sharing obligations: Upon user request, manufacturers must enable data sharing with third parties, such as service providers, partners, or even public authorities under certain conditions.
Fair terms for B2B data sharing: Contracts for data access must be fair, reasonable, and non-discriminatory.
Public sector access: In exceptional circumstances (e.g. emergencies, disasters, or public needs), public authorities can demand access to IoT data.
Transparency before purchase: Manufacturers must disclose what data a product will generate, how it can be accessed, how long it will be stored, and whether third parties will have access.
No dark patterns: Users’ ability to exercise their data rights must not be unduly complicated or hindered by interface design.
Timeline & Penalties
The Data Act applies from September 12, 2025. For newly placed products on the market, the obligation to provide secure user access and interoperability applies from September 12, 2026. While the Data Act does not specify fines at the EU level, it requires each member state to establish its own enforcement rules, including penalties that are effective, proportionate, and dissuasive. Depending on the country, an organization may face administrative fines similar to those under the GDPR, which can reach up to €20 million or 4% of annual global turnover.
The bottom line: IoT manufacturers must redesign their products to ensure interoperable, secure, and user-friendly data access.
What the CRA Demands
The Cyber Resilience Act is the EU’s answer to fragmented cybersecurity practices. It creates a harmonized set of rules that apply to all products with digital elements, including IoT products.
Key obligations include:
Cybersecurity risk assessments: Before placing a product on the market, manufacturers must perform and document a risk assessment that covers foreseeable use and operating conditions.
13 essential cybersecurity requirements: Cover areas such as secure by design/default, protection of confidentiality, integrity and availability of data, access control, logging, and secure data deletion/transfer. You can find more details in our deep dive blogpost about the 13 essential cybersecurity requirements.
8 vulnerability handling and reporting requirements: Including vulnerability disclosure policies, user notifications, security updates, and strict reporting deadlines to CSIRTs and authorities. You can find more details in our deep dive blogpost about the 8 vulnerability handling requirements.
Documentation and conformity: A set of documents need to be drawn up in order to comply with the CRA. This includes Technical documentation, EU Declaration of Conformity, CE marking, and conformity assessments (self-assessment for most products, notified body involvement for important/critical products).
Timeline & Penalties
The CRA will apply from December 2027, with vulnerability reporting obligations already starting to apply in September 2026. In case of non-compliance fines of up to €15 Mio., or 2,5% of the global turnover, product recalls & the denial of CE certification are imposed.
The bottom line: Manufacturers must redesign their IoT products for secure-by-design architectures, vulnerability management, and long-term lifecycle resilience.
The Synergies Between Data Act and CRA
The EU Data Act is about data access and interoperability. It forces IoT manufacturers to give users and third parties secure access to device-generated data in a machine-readable format, ensuring that data can flow across services, ecosystems, and even to public authorities when required.
The Cyber Resilience Act (CRA) is about cybersecurity and vulnerability management. It obliges manufacturers to ensure that IoT products are secure by design, continuously updated, and protected against vulnerabilities throughout their entire lifecycle.
At first sight, these regulations address different topics. But for IoT manufacturers they lead to the same reality: a fundamental redesign of the IoT platform.
September 2025/2026: In order to comply with the Data Act, you must redesign for secure access, data interoperability, and data sharing.
December 2027: In order to comply with the CRA, you must redesign for security, resilience, and long-term support.
This means two redesigns in a very short time frame, unless you start aligning them now. Companies that treat these regulations in isolation risk higher costs, technical debt, and compliance gaps.
How Tributech Helps
Cyber Resilience Act (CRA)
The Tributech IoT Middleware fulfills a majority of the CRA requirements out of the box. Security-by-design is embedded into the platform, with features such as secure provisioning & enrollment of devices, encrypted & authenticated communication, certificate lifecycle management, and data-level notarization. These capabilities directly align with the CRA’s essential cybersecurity requirements. By relying on Tributech, manufacturers can significantly reduce the time and cost of implementing CRA compliance, since the core technical safeguards are already built into the middleware. This allows organizations to focus on their product innovation while still ensuring that their IoT solutions will be ready for CRA enforcement in 2027. Learn more about Tributech's CRA offering.
Data Act
At the same time, the Tributech Middleware provides the tools needed to meet the obligations of the EU Data Act. Its integrated digital twin technology delivers a machine-readable, interoperable data format enriched with metadata information, exactly what the Data Act requires to make device-generated data understandable and usable for users and third parties. On top of the middleware, Tributech offers an access management module that enables manufacturers to control and implement the different data access rights foreseen by the Data Act. This ensures that users, third parties, and even public authorities can access data securely, without compromising confidentiality or data integrity.
By combining these two pillars, CRA compliance and Data Act compliance, the Tributech Middleware enables IoT manufacturers to redesign their platforms only once, rather than twice. They can provide secure, interoperable data access today and be fully prepared for the CRA’s cybersecurity obligations by 2027.
Conclusion
The EU Data Act and the CRA are decoupled regulations with different focus areas, data access and cybersecurity, but both require IoT manufacturers to fundamentally redesign their products.
The Data Act forces you to redesign for access, interoperability, and data sharing.
The CRA forces you to redesign for cybersecurity and resilience.
The good news: With Tributech as your IoT middleware, you can comply with the Data Act today and be fully prepared for the CRA by 2027.
If you’d like to discuss how we can help your IoT solution comply with both acts, book a call with us.
Blog | SEP 26, 2025
)
)
)
)