As of 12 September 2025, the EU Data Act officially came into force — a major shift for anyone using connected devices, digital services, or cloud platforms. Alongside that, reports show a sharp rise in cyber‑attacks on small businesses; and at the European Commission, work is progressing on updates to ePrivacy / cookie rules, cybersecurity incident reporting, and simplifying digital identity.
What’s New This Week: What You Should Know
The EU Data Act is now applicable
If your business offers connected products (smart devices, IoT), cloud services, or processes data, you now have new obligations. That includes giving users access to data generated by devices, allowing switching between cloud providers, and ensuring contracts are fair about data usage.
Cyber‑attack risk rising for small businesses
Even very small firms are now frequent targets. Attack‑as‑a‑Service tools make it easier for even amateur threat actors to attempt attacks. If you deal with customer data, financial info, or rely on online tools, this is a red flag. Strengthening your cybersecurity (backups, patching, training) is more urgent than ever.
Proposed updates on privacy / cookies / digital identity
The European Commission is consulting on modernising how cookies and tracking work, clarifying digital identity rules, and beefing up obligations to report cybersecurity incidents. These may alter how you collect or use user data, how transparent you must be, and how quickly you must act after breaches.
What You Should Do Now
- Audit your contracts — make sure any agreements with customers or suppliers reflect the new rights under the Data Act (data access, switching, transparency).
- Review your tech stack & devices — check if any devices or services you use generate or share data, and whether you can comply with the obligations (e.g. letting users export data, or switch providers).
- Boost basic security measures — strong passwords, up‑to‑date software, good backups, and staff awareness are essential. A small breach can cost far more than prevention.
- Watch upcoming regulatory proposals — changes to cookies / tracking, incident reporting, privacy rules are coming. Staying informed lets you adapt without scrambling.
Pocket Snapshot
EU Data Act becomes the new normal
From 12 September 2025, the EU Data Act (Regulation (EU) 2023/2854) is in force across all member states.
For small businesses, that means connected devices and digital service providers must:
- Provide users with access to data generated by their device (both personal and non‑personal).
- Allow easier switching between cloud/data service providers without unnecessary fees or lock‑in.
- Ensure contracts clearly describe what data is collected, how it’s used, and who owns or shares it.
This is one of those changes that will affect many more people and companies than might expect — worth acting early.
Looking Ahead
- Keep an eye out for formal guidance and tools from regulators (both EU and in Spain) to help interpret the Data Act in real‑world terms.
- Watch responses to the consultations on tracking / cookies / ePrivacy updates — they could change how marketers, websites, and apps request consent or handle user privacy.
- Monitor threats: as cyber‑attacks on small businesses rise, insurers, clients, or partners may demand stricter evidence of cybersecurity readiness.
Other Articles
The EU Data Act: What It ACTUALLY Means for Small Businesses
Working with AI: Frustration, Riches, and Reality
