Internet of Things and Connected Devices
From fragmented risks to trusted, connected ecosystems
The Internet of Things (IoT) has transformed how data is captured and exchanged. Billions of devices are now woven into our homes, workplaces, cities, and supply chains. Yet while this connectivity creates new value, it also introduces unique challenges: fragmented technologies, complex supply chains, long product lifecycles, uncertain data ownership, and heightened exposure to security threats. Unless these risks are understood and managed, IoT can quickly shift from an enabler of innovation to a source of liability.
Why this matters
The General Data Protection Regulation already establishes strict requirements for personal data generated by connected products. The new EU Data Act goes further, granting users rights to access and share data generated by the devices they use, while obliging data holders to provide it in fair, transparent, and secure ways. At the same time, the Cyber Resilience Act introduces baseline security and update obligations for all products with digital elements, including IoT.
Together, these frameworks reshape how data holders, service providers, and users must interact. Without compliance, organisations face legal and reputational risks. With it, they can unlock new forms of trusted collaboration, innovation, and market growth.
The Data Act and IoT
The EU Data Act directly affects connected products and IoT services. It requires that data generated by the normal use of connected devices be made accessible to the user, free of charge, in real time where possible. Users can also authorise third parties to receive this data. Data holders, usually manufacturers or service providers, must design devices and interfaces that make this access possible.
We support organisations in applying these new rules, both those required to share data (data holders) and those entitled to request it (recipients or users).
Our approach
We provide structured support to help organisations manage IoT risks across the full lifecycle of devices. This includes:
- Multi-layer risk modelling – mapping risks from design to deployment, maintenance, and decommissioning.
- Data access and rights management – implementing GDPR and Data Act requirements to ensure data is shared responsibly, with clear controls and transparency for both holders and recipients.
- Security and resilience by design – aligning device architecture and processes with Cyber Resilience Act obligations, including secure updates, vulnerability handling, and incident reporting.
“How many IoT devices exist, with how many computing devices do they share data? How many others have access to that data and what decisions are being made with this data? No one really knows. We just don’t know.” – Rebecca Herold

