Urgently Needed: More Clarity in the IoT Regulatory Jungle

Cyber Resilience Act, Data Act, AI Act & Co: Which new requirements are relevant for IoT companies, what is behind the individual laws - and why it pays to understand regulatory objectives. The eco Competence Group IoT is here to guide you through the regulatory jungle.

From data protection, data law and cybersecurity to the regulation of services and markets: Companies have to comply with a wide range of European regulations if they want to bring digital business models and connected products to market. The complexity of the numerous EU legal acts poses challenges for companies in the IoT environment in particular: overlapping regulations, uncertainty in interpretation and extensive compliance requirements are often the order of the day.

Small and medium-sized enterprises (SMEs), which often do not have the specialised expertise or resources to implement complex regulations, are particularly hard hit.

Practicality instead of over-regulation

eco - Association of the Internet Industry is committed to coherent, technology-neutral and practical regulation that enables innovation. This is the only way to create a functioning, trustworthy and competitive European internal data market.

The eco Competence Group IoT webinar on 2 April 2025 also focused on this objective and aimed to provide practical guidance on the most important regulations and their impact on the IoT industry. Dr Jens Eckhardt, Attorney-at-Law, expert in IT law, data protection and IT compliance and Board member of EuroCloud Deutschland_eco, provided a comprehensive analysis.

Why is there so much being regulated?

The large number of new regulations is partly the result of the European data strategy, which aims to facilitate access to data - also in order to strengthen data-driven business models from the EU on the global market. It also wants to promote so-called data altruism initiatives - i.e. the voluntary sharing of data in the public interest and for research purposes.

Although some of the new legal acts overlap in their application, they were not developed in a coordinated manner. They come into force at different times, pursue different objectives and sometimes use inconsistent terminology. In practice, this leads to implementation uncertainty, especially for companies with limited compliance resources. It is therefore crucial to understand the individual laws in the context of their objectives - this is the only way to realistically assess the actual impact on business models and technological development.

Relevant acts at a glance

Data Act (DA)

• Regulates the Whether (right of access) and How (use, obligations) of data sharing (including cloud switching)
• In conjunction with the overriding obligations of the GDPR when personal data is involved
• Also includes the obligation to provide non-discriminatory consideration and a ban on unfair contract terms

Data Governance Act (DGA)

• Aims to create a framework for voluntary data sharing for public or commercial purposes
• Regulates, for example, the access of companies to public sector data and trustworthy exchange channels
• Sets out requirements for neutral data brokerage services

Cyber Resilience Act (CRA)

• Defines cybersecurity requirements for connected products
• Obliges manufacturers to close vulnerabilities early, provide regular updates and ensure a robust security architecture

AI Act

• Regulates the development and use of AI-based systems used in IoT products, especially in safety-critical areas
• Defines risk-based requirements for AI systems, including a ban on AI systems with particularly high risk potential
• Sets transparency, risk management and compliance requirements to minimise incorrect or risky AI decisions

Digital Services Act (DSA)

• Sanctions the misuse of digital services such as search engines or social media platforms and the distribution of illegal content

Digital Markets Act (DMA)

• Regulates the competitive obligations and limits of providers such as hosting providers and large gatekeepers - to prevent abuse of power by large online platforms

NIS-2-Richtlinie

• Requires increased cyber protection of the IT systems and processes of certain organisations and services, particularly in the area of critical infrastructure

Digital Operational Resilience Act (DORA)

• Aims to increase the digital operational resilience of EU financial institutions and their ICT service providers as well as a harmonised supervisory framework across the EU
• Obliges financial companies to carry out comprehensive surveillance and risk management
• Sharpening objectives, creating orientation

Sharpening objectives, providing orientation

If you want to maintain an overview of regulatory requirements, you need to understand their background and objectives - this is the only way to realistically assess their impact on business models and development. This is exactly where the eco IoT Competence Group comes in: with expertise, dialogue and a political voice.

Help shape the IoT sector!

You can drive these and other topics forward as part of the eco IoT Competence Group. By joining forces in the association, companies have the opportunity to position themselves on current regulations in order to influence their design. If you would like to find out more about our activities and become a member, you can contact us here at any time.

The eco Association also regularly organises information events and networking formats that are open to all interested parties.

An overview of all eco positions in the area of politics and law can be found here.