The EU Data Act: A Structural Re-engineering of HealthTech Data Governance, Business Models and Regulatory Risk

Foundational Regulatory Framework and Applicability

The European Union Data Act (Regulation (EU) 2023/2854) represents a paradigm shift in the governance of machine-generated data within the European data economy. As a central pillar of the EU’s Digital Decade objectives, the Data Act’s primary goal is to foster competition and innovation by mitigating technical and contractual lock-ins that historically granted manufacturers exclusive control over the data generated by connected products. This mandate has profound implications for the global Health Technology (HealthTech) sector.

The Data Act’s Context and Definitional Scope for HealthTech

The regulation applies broadly across all sectors, specifically targeting data generated by "Connected Products" and "Related Services" placed on the EU market, irrespective of the data holder’s location (extraterritorial reach).

1. Scope of Application: Connected Health Products: HealthTech is explicitly named within the scope of the Data Act, covering a vast range of devices and software. Connected products encompass any device or wearable that obtains, generates, or collects data concerning its use or environment and is capable of transmitting such data. Examples specifically enumerated include implantable medical devices (such as pacemakers), diagnostic tools (like continuous glucose monitoring (CGM) devices and MRI scanners), therapeutic aids (smart insulin pens, infusion pumps), lifestyle devices (fitness trackers, wellness wearables), and the associated software medical devices (SaMD) or applications defined as "Related Services". The extensive functional and territorial scope mandates that all global HealthTech manufacturers exporting to or operating within the EU must comply.

   
   

2. Defining Key Actors: The Data Act establishes a clear hierarchy of rights centred on the user, who is defined as the natural or legal person that owns, rents, or leases the product or receives the service. In the HealthTech context, the user may be the individual patient (B2C) or the healthcare provider (HCP), hospital, or clinic (B2B). The "Data Holder" is typically the device manufacturer or service provider who controls the technical means of access to the data. The "Data Recipient" is the third party designated by the user to receive the data, which could be a competing maintenance firm, an independent researcher, or a new digital health platform.

Regulatory Timeline and Key Milestones for HealthTech

The Data Act came into force on January 11, 2024. However, the primary compliance obligations are staggered, requiring immediate action for legal teams and long-term planning for R&D departments.

1. Core Provisions Application (September 12, 2025): The majority of the Data Act’s mandates, particularly Chapter II (user rights to access and share data) and Chapter IV (rules on unfair contractual terms), become applicable. This date marks the commencement of the legal and contractual obligations, compelling manufacturers to implement internal procedures for handling data requests and to re-paper contracts to meet new transparency requirements.

   
   

2. Product Design Mandate (September 12, 2026): A distinct compliance challenge arises one year later, as new connected products and related services placed on the market must be designed and manufactured in a manner that facilitates easy, secure, and default data access, the so-called "design-by-default" principle. This distinction in the implementation schedule creates a tiered compliance risk: manufacturers must address immediate legal and contractual liabilities in 2025, while simultaneously initiating costly, long-lead-time adjustments to product R&D pipelines to meet the physical device requirements mandated for 2026.

   
   

3. Cloud Switching Fee Removal (January 12, 2027): For HealthTech providers utilizing Software as a Service (SaaS) or Platform as a Service (PaaS) solutions, the Data Act removes switching charges, including data egress fees, making it significantly easier for users (HCPs or enterprises) to switch cloud service providers.

   
   

4. Development of Model Contractual Terms (MCTs): The European Commission is obliged to publish recommended, non-binding Model Contractual Terms by September 2025, covering data access, use, and reasonable compensation. These terms will immediately become essential benchmarks for companies as they overhaul their legal documentation in preparation for the application date.

Layered Regulatory Requirements in HealthTech

The implementation of the Data Act must be understood within the broader context of EU data strategy. The regulation applies to both personal data and non-personal data. In HealthTech, this often results in a blended dataset where device usage metrics (non-personal data) are inherently linked to the patient’s health profile (personal data), necessitating a unified governance framework.

A comprehensive HealthTech data strategy cannot address one regulation without anticipating the requirements of the other, particularly regarding data standards and security protocols.

The New Data Governance Model: User Empowerment and Mandated Access

Chapter II of the Data Act establishes the core framework for Business-to-Consumer (B2C) and Business-to-Business (B2B) data sharing, fundamentally shifting data control from the manufacturer to the product user.This transition places significant new operational and technical burdens on data holders.

Transparency and Pre-Contractual Disclosure

Manufacturers are required to provide comprehensive transparency regarding data generation before a contract for a connected product or service is concluded. This disclosure, mandated by Article 3, must cover several mandatory information points.

:

1. The nature, volume, and scope of data the product is likely to generate, including whether it generates data continuously and in real-time.

   
   

2. Clear instructions on how the user may access, retrieve, or erase that data.

   
   

3. A description of whether the manufacturer intends to use the data itself or allow a third party to use it, and the specific purposes for such use.

   
   

This immediate contractual mandate requires legal and commercial teams to undertake a rigorous and time-consuming review and re-papering of all consumer and business agreements to incorporate these transparency requirements ahead of the September 2025 application date.

Operationalising User Access and Sharing

The right of access (Article 4) is not a simple, static disclosure but an ongoing regulatory compliance burden that mandates infrastructural changes.

1. Mandate for Free and Real-time Access: Data must be made available easily, securely, and, critically, "free of charge" to the user. For connected medical devices that generate continuous physiological metrics (eg. heart rate, glucose levels), the access obligation extends to providing data "continuously and in real-time," where technically feasible. This necessitates that internal data infrastructure must evolve from a passive IT system to an obligatory, high-availability, zero-cost service platform. Manufacturers must build technical interfaces and establish internal processes specifically to respond to, manage, and execute these real-time data access requests.

   
   

2. Obligation to Share with Third Parties: The Data Act grants the user the right to designate a third-party Data Recipient to receive the data. This obligation to share is crucial for fostering competition and directly impacts the high-margin aftermarket service sector. Exclusive access to diagnostics and performance data traditionally created a strong competitive lock-in, enabling manufacturers to dominate repair and maintenance services. By mandating the transfer of this data, the Data Act neutralises this proprietary lock-in, forcing manufacturers to compete based on service quality, features, and price, rather than data monopoly.

   
   

3. Limitations on Third-Party Use: To protect the data holder’s primary market investment, the third-party recipient is subject to strict limitations : the recipient cannot use the data to develop a product that directly competes with the product from which the data was generated. Furthermore, the recipient cannot use the data to derive insights regarding the manufacturer's economic situation, assets, or proprietary production methods. The data holder is strictly limited in tracking the third party, only allowed to retain information necessary for the security and execution of the access request.

Complexity of Multi-Party Data Governance

However, the generated data is overwhelmingly personal health data belonging to the individual patient, who is the "data subject" under the GDPR.

This results in a critical multi-party governance scenario: the manufacturer (Data Holder) must reconcile the commercial user’s right to access the data with the natural person’s fundamental privacy rights. The manufacturer, when processing a hospital's request for patient data, must ensure that the hospital has a valid legal basis under the GDPR for accessing and subsequently directing the transfer of that sensitive health data. This places the device manufacturer in a fiduciary position of accountability, requiring robust protocols to verify the lawfulness of the downstream data use before facilitating any transfer.

Technical and Interoperability Obligations

The Data Act’s technical mandates necessitate a deep overhaul of HealthTech product architecture, favouring standardised, secure and open data exchange mechanisms over proprietary interfaces.

The "Design-by-Default" Imperative (Post-Sept 2026)

Article 3 mandates that new products and related services placed on the market after September 12, 2026, must be engineered to provide data in a "comprehensive, structured, commonly used and machine-readable format".

This regulatory requirement imposes extensive costs on R&D departments. Historically, HealthTech manufacturers relied on proprietary formats and interfaces for data security and commercial control. Achieving compliance demands the deep integration of data access mechanisms directly into the device’s design (hardware and software), making secure and easy accessibility a default feature.

This design requirement presents an especially acute challenge for specialized devices, such as implantable or battery-dependent medical technologies (eg. pacemakers). The continuous, real-time data provision required by the Data Act necessitates increased on-device processing and transmission capability. For devices where battery longevity is directly tied to regulatory safety and patient well-being, implementing continuous streaming functionality could lead to premature battery depletion and necessitate significantly earlier device replacement, which introduces patient risk and potentially conflicts with core safety requirements mandated by the Medical Device Regulation (MDR). The technical implementation choices must, therefore, be treated as critical legal and safety risk assessments.

Leveraging Health Data Interoperability Standards

To satisfy the requirement for "structured, commonly used" data, HealthTech organisations must adopt recognised industry data standards. Relying on proprietary data formats will result in perpetual, costly compliance hurdles and limit the functionality of data sharing.

The standard of choice, which is also foundational to the European Health Data Space (EHDS), is HL7 Fast Healthcare Interoperability Resources (FHIR). FHIR uses a modular resource approach built on modern web technologies, enabling seamless, secure, and rapid data exchange across disparate platforms.

FHIR’s capability to handle patient-generated health data (PGHD), lab results, and other critical clinical data streams makes its adoption a strategic imperative for EU market participation. By structuring device data according to FHIR standards, a company ensures it can participate in Common European Data Spaces, effectively turning a compliance expense into a strategic asset that facilitates ecosystem partnerships and enhanced market positioning.

Cloud and Data Processing Service Switching (Chapter VI)

The provisions in Chapter VI significantly disrupt the competitive dynamics of cloud-based HealthTech service providers. The Data Act mandates measures to enable customers to switch between providers of data processing services (cloud, PaaS, SaaS) quickly, smoothly, and without data loss or functionality degradation.

Providers must offer open interfaces and export data in commonly used and machine-readable formats, reinforcing the need for standards like FHIR. For HealthTech SaMD vendors, the cost and technical difficulty of moving large, complex datasets previously acted as a powerful financial and technical lock-in barrier for B2B customers. By eliminating egress fees and requiring easier switching, scheduled for removal from January 2027, the Data Act compels cloud-based services to compete primarily on the quality of their service, security and feature sets, accelerating the need for continuous innovation to maintain market share.

Navigating the Regulatory Minefield: Conflicts and Hierarchy

The Data Act is a horizontal regulation that must be successfully integrated into an already dense regulatory environment, particularly concerning fundamental rights (GDPR) and product safety (MDR/IVDR).

The Primacy of GDPR and Personal Health Data

The Data Act explicitly states it complements, and is without prejudice to, the GDPR; where personal data is involved, the GDPR prevails. Health data constitutes "special categories" of personal data, imposing stringent requirements on processing and transfer.

The Data Act does not create a new legal basis for processing; manufacturers facilitating data access must ensure the transfer is supported by a valid legal basis under GDPR Article 6 (e.g., explicit consent, legal obligation).

A critical area of conflict resolution concerns the imposition of fees for data access:

• Data Act Obligation: Data access for the user must be provided "free of charge".

• GDPR Provision: The GDPR states that a copy of personal data must be provided free of charge, though "further copies may be subject to a reasonable fee".

  
  

Since HealthTech data sets are almost invariably blended (personal data mixed with technical non-personal data), attempting to levy a fee under the GDPR’s "further copies" clause for a data transfer mandated by the Data Act is functionally untenable and significantly raises regulatory exposure. The necessity of providing a seamless, free user experience for the blended data set dictates that manufacturers must budget to absorb all reasonable costs of compliance, effectively treating all access requests as free of charge.

The functional differences between the rights established by the Data Act and the GDPR are summarised below, illustrating the need for unified data access procedures.

Comparative Analysis: Data Act User Rights vs. GDPR Data Subject Rights

Intersection with MDR/IVDR: Device Safety and Compliance

The Data Act creates significant tension with the regulatory framework governing device safety. The "design-by-default" requirements may force hardware or software modifications that could be classified as a "substantial change" under the MDR or IVDR. Substantial changes necessitate new conformity assessments and re-certification, leading to costly and lengthy delays in market deployment.

1. The Safety and Security Exception: This conflict is mitigated by a critical regulatory relief valve: the data holder may refuse to share data if it can demonstrate that the transfer would undermine the "security requirements of the connected product," resulting in "serious adverse effects to the health, safety or security of people". This provision is vital for implantable and critical care devices where data extraction methods could compromise operational integrity (eg. risk of battery drain or exposure of cybersecurity vulnerabilities). Any refusal based on safety grounds must be justified in writing and communicated to the national competent authority.

   
   

2. Data Minimisation vs. Data Availability: The competing requirements of the Data Act (maximum data availability) and the GDPR (data minimisation) also demand careful data strategy. The Data Act requires the sharing of comprehensive product data and relevant metadata. This dual mandate necessitates manufacturers implement robust data segregation layers: personal data must be retained only under strict GDPR necessity, while corresponding non-personal machine-generated data (usage, technical logs) must be retained and curated to fulfil Data Act user access requests, increasing overall storage and data management costs.

Strategic Disruption and Business Model Re-engineering

The End of Data Exclusivity and Aftermarket Lock-in

The core consequence of the Data Act is the loss of competitive advantage derived from exclusive data control. Raw usage data, once considered an unassailable asset, must now be shared. As discussed, this directly enables rival aftermarket service providers to compete effectively on maintenance and repair contracts, thereby eroding the manufacturer's traditionally high-margin revenue streams from proprietary diagnostics and service agreements.

Compensation Models for Third-Party Sharing

For Business-to-Business (B2B) data sharing, the Data Act permits compensation when data is provided to a third-party Data Recipient (eg. a competing analytics firm). However, this compensation mechanism is strictly regulated.

1. The FRAND Principle: Compensation must be non-discriminatory, reasonable, and adhere to Fair, Reasonable, and Non-Discriminatory (FRAND) terms.

   
   

2. Limitation to Direct Costs: Crucially, compensation is limited to the direct technical and organisational costs incurred in making the data available, such as costs for formatting, electronic dissemination, and storage, plus a "reasonable margin". This structure explicitly prohibits data holders from recouping the significant upfront research and development investments related to the creation of the data or the device itself through licensing fees. The economic model shifts from monetising the

   value of the data to recovering the cost of its delivery.

Developing New Value Propositions: From Raw Data to Derived Value

Future profitability relies on leveraging proprietary expertise and sophisticated data synthesis techniques that create higher-margin derived value outside the scope of raw data sharing mandates. This requires a fundamental pivot in investment allocation, prioritising software and AI development over the traditional emphasis on hardware exclusivity.

1. Focus on Derived Insights: HealthTech companies must shift their focus to selling advanced analytical services, curated aggregated data products, and sophisticated clinical decision support systems built on proprietary algorithms. While raw input and output data must be shared, the complexity and expertise required to generate meaningful clinical or operational insights from that raw stream can be monetised through high-value subscriptions.

   
   

2. Strategic Differentiation through Data Quality: While raw data must be shared, the manufacturer retains control over the initial data quality, including sensor calibration, logging frequency, and metadata richness. This proprietary control over the source of the data offers a competitive advantage. Manufacturers can establish their superior data quality and curation capabilities as a specialised service, justifying premium pricing for analytics and data cleansing, making them the preferred partner even in a competitive landscape.

   
   

The necessary strategic transition requires a comprehensive re-evaluation of revenue streams:

Strategic Shift: Revenue Models and Competitive Risks Post-Data Act

Mitigation Strategies: Protecting Intellectual Property and Trade Secrets

The Data Act acknowledges the need to protect data holders' investments and includes explicit safeguards for intellectual property (IP) and trade secrets. A proactive, meticulous strategy is required to leverage these protections against the high risk of competitive disclosure.

Identifying and Protecting Proprietary Assets

Manufacturers must conduct a rigorous internal audit to identify and formally document all data, metadata, and proprietary algorithms that qualify as a trade secret (confidential, possessing commercial value, and subject to reasonable protection measures).

The greatest vulnerability lies in proprietary algorithms, particularly those used for clinical processing, diagnostics, or sensor calibration. While the algorithm itself may be protected as a trade secret, the mandated sharing of large volumes of raw input data (from the sensor) and corresponding output data (the result) provides competitors with the foundational dataset necessary to reverse-engineer and train highly effective competing models, potentially circumventing contractual IP protections. Protection must extend beyond source code to the necessary data filtering mechanisms.

Implementing Contractual and Technical Safeguards

The Data Act permits the data holder and the third-party recipient to agree on proportionate technical and organisational measures (TOMs) necessary to preserve confidentiality.

1. Contractual Measures: Standardised contracts for Data Recipients must be robustly developed, incorporating non-disclosure agreements, strict confidentiality clauses, and explicit prohibitions on competitive use and reverse engineering. The forthcoming Model Contractual Terms (MCTs) from the European Commission will provide a critical reference point for these agreements.

   
   

2. Technical Protection Measures (TPMs): Reliance solely on contracts is insufficient given the digital nature of the data transfer. Data holders must deploy Technical Protection Measures, which may include secure, controlled access environments, mandatory authentication protocols, targeted data preprocessing (eg. redacting or aggregating highly sensitive metadata), digital watermarking, and information fingerprinting to track usage.

Navigating Refusal and the Burden of Proof

The Data Act allows a data holder to refuse access if these protective measures cannot be agreed upon or implemented by the third party. Furthermore, the data holder may refuse to share data if it can demonstrate that it is "highly likely to suffer serious economic damage" from the disclosure of trade secrets.

This threshold is significantly demanding. Industry analysis suggests that the high burden of proof creates a substantial legal and administrative risk, potentially forcing disclosure if the justification is not meticulously documented. Any decision to withhold or suspend data sharing must be justified in writing and formally communicated to the national competent authority. This introduces a novel administrative enforcement risk; unlike traditional IP disputes that are purely civil, a Data Act refusal immediately subjects the manufacturer to regulatory scrutiny, requiring legal and technical teams to prepare standardised, highly defensible justification templates in advance.

Comprehensive Strategic Compliance Roadmap

Compliance with the Data Act is not merely a legal exercise but a strategic imperative that requires deep, cross-functional organizational re-engineering across R&D, IT, Legal, and Commercial departments.

Phase 1: Regulatory Impact Assessment and Data Mapping (Immediate Action)

The initial phase must prioritise understanding the scope of liability and preparing the necessary legal infrastructure before September 2025.

1. Data Inventory and Classification: A comprehensive audit of all data generated by connected products and services must be performed. This data must be meticulously categorised, distinguishing between sharable non-personal data (Data Act scope), sensitive personal health data (GDPR scope), and proprietary trade secrets/IP.

   
   

2. Legal and Operational Gap Analysis: Current IT infrastructure, data storage formats, and existing contractual terms must be assessed against the Data Act's requirements (e.g., real-time accessibility, FHIR standards alignment). Any potential compliance friction points with the MDR/IVDR, particularly where design changes could trigger re-certification, must be identified and documented.

   
   

3. Governance Establishment: A dedicated, cross-functional Data Act compliance committee involving legal counsel, the Data Protection Officer, R&D leadership, and commercial strategy directors must be established to define clear internal accountability and data handling procedures.

Phase 2: Product Design and IT Infrastructure Overhaul (2025 – 2026)

This phase focuses on technical readiness, particularly for products launching post-September 2026.

1. Interoperability and API Development: Manufacturers must prioritise R&D investment in building robust, secure, and standardised interfaces (preferably FHIR-based APIs) to facilitate continuous, real-time data access. This effort should aim for maximum interoperability to position the company favourably within the emerging European data ecosystem.

   
   

2. Trade Secret Separation: Technical infrastructure must be architected to enable the efficient separation of sharable data from proprietary algorithms and trade secrets. This involves integrating Technical Protection Measures (TPMs). such as secure processing environments and data masking—into the sharing workflow to comply with Article 79 protective requirements.

   
   

3. Scalable Data Platform: IT infrastructure must be upgraded to a scalable, cloud-native platform capable of securely managing high volumes of zero-cost data access requests while ensuring full compliance with both GDPR and Data Act security protocols.

Phase 3: Contractual Review and Commercial Policy (2025 – 2026)

Legal teams must manage the extensive re-papering process required ahead of the 2025 application date.

1. Comprehensive Contract Updates: All B2C and B2B contracts must be updated to include the mandatory pre-contractual transparency information required by Article 3.

   
   

2. Third-Party Data Sharing Agreements: Standardised contracts for third-party Data Recipients must be developed. These agreements must be meticulously drafted to include: (a) Explicit prohibitions on competitive development and trade secret use; (b) Clauses requiring the recipient to implement agreed-upon TPMs; and (c) Pricing based strictly on FRAND terms limited to direct delivery costs.

   
   

3. GDPR Compliance Verification: A formal process must be implemented to verify that a third party requesting patient data has a valid GDPR legal basis (eg. explicit patient consent) for processing the sensitive health data, thereby mitigating the manufacturer’s residual GDPR liability.

Conclusion

Successful navigation of this transformative period requires treating compliance as a catalyst for innovation rather than solely a regulatory burden. Companies must strategically pivot their revenue models away from data exclusivity and toward the sophisticated monetisation of derived insights, specialised algorithms, and superior, high-quality service offerings.

By proactively adopting interoperability standards (like FHIR), investing in secure, scalable data access infrastructure, and establishing rigorous legal frameworks to protect trade secrets and reconcile conflicting GDPR and MDR mandates, global HealthTech firms can secure market access and competitive positioning in the emerging European data economy. Delaying implementation efforts beyond the immediate need to update contractual terms (September 2025) and initiate R&D overhauls for new products (September 2026) will result in insurmountable compliance debt and commercial vulnerability.

Nelson Advisors > MedTech and HealthTech M&A

Nelson Advisors specialise in mergers, acquisitions and partnerships for Digital Health, HealthTech, Health IT, Consumer HealthTech, Healthcare Cybersecurity, Healthcare AI companies based in the UK, Europe and North America. www.nelsonadvisors.co.uk

Nelson Advisors regularly publish Healthcare Technology thought leadership articles covering market insights, trends, analysis & predictions @ https://www.healthcare.digital 

We share our views on the latest Healthcare Technology mergers, acquisitions and partnerships with insights, analysis and predictions in our LinkedIn Newsletter every week, subscribe today! https://lnkd.in/e5hTp_xb 

Founders for Founders > We pride ourselves on our DNA as ‘HealthTech entrepreneurs advising HealthTech entrepreneurs.’ Nelson Advisors partner with entrepreneurs, boards and investors to maximise shareholder value and investment returns. www.nelsonadvisors.co.uk

#NelsonAdvisors #HealthTech #DigitalHealth #HealthIT #Cybersecurity #HealthcareAI #ConsumerHealthTech #Mergers #Acquisitions #Partnerships #Growth #Strategy #NHS #UK #Europe #USA #VentureCapital #PrivateEquity #Founders #BuySide #SellSide#Divestitures #Corporate #Portfolio #Optimisation #SeriesA #SeriesB #Founders #SellSide #TechAssets #Fundraising#BuildBuyPartner #GoToMarket #PharmaTech #BioTech #Genomics #MedTech

Nelson Advisors LLP

Hale House, 76-78 Portland Place, Marylebone, London, W1B 1NT

lloyd@nelsonadvisors.co.uk

paul@nelsonadvisors.co.uk

Meet Us @ HealthTech events

Digital Health Rewired > 18-19th March 2025 > Birmingham, UK 

NHS ConfedExpo  > 11-12th June 2025 > Manchester, UK 

HLTH Europe > 16-19th June 2025, Amsterdam, Netherlands

Barclays Health Elevate > 25th June 2025, London, UK 

HIMSS AI in Healthcare > 10-11th July 2025, New York, USA

Bits & Pretzels > 29th Sept-1st Oct 2025, Munich, Germany  

World Health Summit 2025 > October 12-14th 2025, Berlin, Germany

HealthInvestor Healthcare Summit > October 16th 2025, London, UK 

HLTH USA 2025 > October 18th-22nd 2025, Las Vegas, USA

Web Summit 2025 > 10th-13th November 2025, Lisbon, Portugal  

MEDICA 2025 > November 11-14th 2025, Düsseldorf, Germany

Venture Capital World Summit > 2nd December 2025, Toronto, Canada