The EU Data Act and the Ongoing Battle between On-Premises and Cloud-Based Supply Chain Management Systems

The Data Act is a cross-sectoral regulation created by the European Union (EU) as a core pillar of Europe’s data strategy, which entered into force on January 11, 2024 and will become applicable in September 2025. The measures are set to complement the Data Governance Act, which became applicable in September 2023.

While the Data Governance Act regulates processes and structures that facilitate voluntary data sharing, the new Data Act clarifies who can create value from that data and under what conditions. To achieve this, the Data Act enforces a set of measures, including:

• Establishing rules on the permissible use of data; facilitating the transfer of data between holders and users, while upholding confidentiality; and developing model contract clauses to help draft fair data-sharing contracts.
• Safeguarding enterprises with a weaker market position to avoid the abuse of contractual imbalances that impact equal data sharing.
• Enabling public sector bodies to access and use data held by the private sector to respond to public emergencies.
• Obligations on providers of cloud services to enable customers to switch to other providers or take the processing in-house.
• Internet of Things (IoT) device and service providers must make data available to the end user.

The act requires switching from one cloud provider to another to both be quick and ensure service continuity. While a cloud service provider can charge for costs directly associated with switching, all such charges must be phased out by 2027. Cloud providers must also comply with open specifications and standards that help facilitate the use of multiple cloud services, for example, allowing end users to share computing workload across multiple clouds.

By giving end users more control and forcing cloud providers to facilitate easier switching, the act has the potential to create better competition within the cloud computing space. Given the significant costs currently associated with cloud services and the growing requirements to facilitate adoption of Artificial Intelligence (AI)-enabled systems, regulation that enables fluidity will provide end users with a greater degree of leverage when exploring new service providers.

The new regulations are also aimed at democratizing IoT data, allowing users to both access and leverage the wealth of IoT data that are currently available in the market and growing exponentially. Only a very small proportion of the data being produced by IoT devices across the supply chain are currently being accessed and mostly leveraged by the largest companies. Obligations on IoT device and service providers include:

• IoT data must be in a structured, commonly used, and machine-readable format. Where technically feasible, data should be directly accessible by the user, or provided on request.
• Connected device providers must inform users of the data collected, and data must be available to the user prior to entering a contract.

• Data must be made available to third parties where requested by the end user.

The supply chain industry is acutely aware that data availability is no longer an issue, but being able to access and leverage the available data is top of mind. By taking steps toward democratizing the data being produced by an increasing number of connected devices and regulating access, both end users and aftermarket providers stand to benefit.

• For End Users: By making the performance data generated by things like industrial equipment and operational systems more accessible, companies can optimize operational cycles, productions lines, and supply chain management processes.
• For Aftermarket Service Providers: Enabling greater access to device and equipment data, particularly when users can grant them access as the “third party,” allows the provider to be put on a level playing field with Original Equipment Manufacturers (OEMs) that are offering similar services, such as repair and maintenance. It also allows aftermarket service providers to enhance and innovate their offerings, creating competition that can both improve the services available in the market and lower prices.

The act is a welcome regulation to an industry that is becoming increasingly cloud-native, and swimming in IoT data. All leading supply chain software providers have been pushing for and basing their entire system strategy on cloud-native systems. For the end user, the benefits include rapid deployment, scalability of functions and price, and greater accessibility. For the provider, deploying as Software-as-a-Service (SaaS) creates recurring business, simplifies implementation, opens avenues for growing investment, and creates a single product version that’s easier to update and support.

And while all providers are moving in this direction, end users continue to demand on-premises solutions. Whether it be a port, warehouse, or terminal, operational continuity and data security are critical. With cybersecurity attacks on the rise, operators of critical infrastructure still don’t trust that cloud-based systems can guarantee security of their data and are acutely aware of the risk to their operation if the network is compromised. Cost is also a major factor. While up-front costs of on-premises solutions can be higher, the Total Cost of Ownership (TCO) can be much lower by removing hefty recurring cloud fees and taking ownership of upgrade cycles.

The greater control being given to the end user by the Data Act is likely to work in one of two ways:

1. By simplifying cloud migrations, companies may use it as a tool to take back control and shift their data processing to on-premises or hybrid solutions.
2. Or it could work in the favor of cloud-native systems, by supporting companies’ use of the cloud, making it more attractive, accessible, and competitive in terms of pricing.

AI adoption will have some sway here. With an on-premises solution, adopting AI requires strong internal expertise, can significantly lengthen time-to-value due to lengthy implementation and Proofs of Concept (POCs), and can be difficult to update and keep up with the pace of innovation. Whereas for cloud-native systems, deployments can be simple, quick, scalable, and remove the need for internal development, these benefits are caveated by the associated cloud fees. The decision will ultimately come down to what infrastructure is being operated. For a port operator, the need for security and operational continuity is so great that on-premises will likely always win. Many warehouse operators also feel the same, with few seeing how AI-enabled software can outweigh this.

The EU’s Data Act will be a welcome addition for supply chain operators and is a necessary step in democratizing cloud and IoT data access. While it is certainly expected to support use of the cloud, the case for on-premises systems remains strong, something that supply chain software providers must continue to cater to in order to capture new business and not alienate site operators.