Products
© Fiskil 2026. All rights reserved.
Products
© Fiskil 2026. All rights reserved.
A structured approach to implementing Data Act compliance across technical, legal, and operational domains.
Scoping: Determine which products and obligations apply
Technical: Implement data access infrastructure with consent management
Organizational: Update contracts, establish processes, train teams
This framework helps organisations plan their implementation approach and allocate resources across the seven key phases of compliance.
Regulatory Context
Key Obligations
Article 3: Design requirements for new products (by September 12, 2026)
Article 4: User data access rights (applicable since September 12, 2025)
Article 5: Third-party data sharing (applicable since September 12, 2025)
Article 6: Data format and interoperability requirements
Article 8: Compensation for data access (FRAND terms)
Articles 14-22: Public sector body data access (applicable since September 12, 2025)
Articles 23-32: Cloud switching facilitation (applicable since September 12, 2025)
Implementation Reality
Challenges
1. Scoping & Gap Analysis: 4-8 weeks (determine which products, services, and obligations apply)
2. Technical Architecture: 8-16 weeks (design APIs, data formats, authentication, logging)
3. Infrastructure Build: 12-20 weeks (develop and deploy data access infrastructure)
4. Contract Updates: 4-6 weeks (revise terms, add required clauses, notify customers)
5. Testing & Validation: 4-8 weeks (pilot with friendly users and third parties)
6. Organizational Readiness: 2-4 weeks (train staff, establish processes, designate owners)
7. Continuous Compliance: Ongoing (monitor requests, update guidance, maintain infrastructure)
Solution
Pre-Built Infrastructure
Data Provider includes consent management, recipient onboarding, API infrastructure with JSON format support, and audit logging. Reduces implementation from 18-24 months to 8-12 weeks.
Implementation Tracking
Dashboard tracks progress through scoping, technical setup, contract updates, and testing phases. Clear visibility into completion status.
Configuration Approach
Configure data access policies, consent requirements, and recipient permissions rather than building custom infrastructure.
Regulatory Updates
Platform adapts to new Commission guidance and Member State clarifications, maintaining compliance as frameworks evolve.
Trust & Proof
Proven compliance methodology (GDPR experience)
Built by teams who implemented GDPR 2017-2018
Step-by-step approach validated with enterprises
Regulatory audit support included
Checklists used by automotive, manufacturing, energy sectors
Pilot implementations: 4-8 weeks (vs. 12-20 weeks in-house)
Deployed at scale with Fortune 500 organisations
95%+ on-time completion rate
Start with scoping: Identify which of your products are "connected products" under Article 3, determine whether you are a data holder, manufacturer, or related service provider, and map which obligations apply to your specific role. This scoping phase typically takes 4-8 weeks and is critical for prioritising implementation efforts.
Article 4 requires data in structured, machine-readable formats like JSON. Implementation involves: consent management for user authorization, data recipient onboarding for third-party access, API infrastructure with secure authentication, and audit logging for compliance documentation. Fiskil's Data Provider handles these requirements through pre-built infrastructure.
In-house implementation typically takes 18-24 months across all 7 phases. Organizations using pre-built platforms like Fiskil can reduce this to 8-12 weeks by skipping the infrastructure build phase (steps 2-3). Since the application date was September 12, 2025, organisations should prioritise speed.
Update: (1) Customer/user agreements (add Article 3 pre-contractual information and Article 4-5 data access rights), (2) Third-party recipient agreements (FRAND terms under Article 8), (3) Cloud service agreements (switching facilitation under Articles 23-32), and (4) B2G agreements if public sector access applies. Review for unfair terms prohibited by Chapter IV.
Article 3 requires connected products placed on the EU market after September 12, 2026, to be designed for "direct user access" to data. This is "data by design" - products must enable data access by default, not as an afterthought. If you're launching new products in 2026, build data access into the product architecture from day one.
Designate: (1) Data Act compliance owner (accountable executive), (2) Technical implementation lead (engineering), (3) Legal/contract review lead (update terms), (4) Customer support process for data access requests. Train teams on handling access requests, managing third-party recipients, and responding to public sector body requests under Articles 14-22.
Pilot with friendly users and third parties: (1) Invite selected customers to request data access, (2) Onboard 2-3 third-party recipients and test their data access flows, (3) Simulate high-volume access requests to test scalability, (4) Conduct legal review of documentation and contracts, (5) Perform security audit of data access infrastructure. Pilots typically take 4-8 weeks.
Yes. We provide tailored implementation roadmaps based on your specific products, infrastructure, and timeline requirements. Our compliance architects will work with you to adapt this 7-phase framework to your organization, including detailed sub-steps, timelines, responsible party assignments, and templates for scoping, gap analysis, and testing. Book a consultation to receive your customised roadmap.
Talk to our team about your EU Data Act compliance needs.