The Role of ISPs in Ensuring Secure and Compliant Data Flows Under the EU Data Act
Broadband operators aren't directly regulated by the Data Act the way IoT manufacturers are — but the regulation creates significant implications for the infrastructure layer that carries connected-product data across Europe.
The EU Data Act’s primary obligations fall on manufacturers and operators of connected products. Broadband ISPs are not in scope in the same way. But as the infrastructure layer that carries connected-device data between products, users, manufacturers, and third parties, ISPs are deeply implicated in how the Data Act works in practice — and increasingly involved in enabling compliant data flows for their business customers.
ISPs under the Data Act
The regulation does not directly impose data access or portability obligations on network operators. What it does do is require that the data pipelines connecting connected products to their users and authorized third parties are secure, reliable, and structured to support the access rights the regulation creates. This affects ISPs in two ways.
First, enterprise ISPs increasingly serve IoT manufacturers and operators as customers — providing the connectivity layer for connected product fleets. These customers now have compliance requirements around how their data is transmitted, logged, and protected in transit. ISPs that can demonstrate security practices aligned with Data Act requirements are more attractive partners for these customers.
The infrastructure obligation
The second, more direct implication is around data transit security. The Data Act’s requirements for secure third-party data sharing create implicit expectations about transport security that run through the network infrastructure layer. Data shared between a manufacturer, a user, and an authorized third party must be protected against interception and tampering — and while this is primarily an application-layer concern, the network layer is part of the security picture.
Enterprise ISPs providing managed connectivity for IoT deployments are increasingly being asked to demonstrate that their infrastructure meets the security expectations implicit in Data Act-compliant data sharing. This includes documentation of transit encryption standards, network segmentation practices, and incident response procedures relevant to IoT data flows.
"The network is not neutral when it comes to compliance. The infrastructure layer is part of the trust architecture that the Data Act is building — and ISPs that understand this are already differentiating on it."Steelbridge · Infrastructure
The partnership opportunity
The most forward-looking broadband operators are positioning themselves not just as connectivity providers but as trusted infrastructure partners for Data Act compliance. This means offering managed connectivity products that are explicitly designed for Data Act-compliant IoT deployments — with documented security standards, SLA commitments relevant to real-time data access requirements, and the audit logging needed for compliance documentation.
It also means building integration partnerships with compliance infrastructure platforms that can layer access management, consent, and audit logging onto the connectivity layer — creating a more complete compliance stack for enterprise IoT customers. The Data Act doesn’t just create obligations; it creates a market for infrastructure that helps companies meet those obligations. ISPs with the right positioning and partnerships are well-placed to serve that market.
About Steelbridge
Steelbridge Oy is a Helsinki-based compliance infrastructure company. Our platform handles the technical and legal obligations of the EU Data Act as a managed service, enabling IoT and connected-device manufacturers to go live in weeks rather than months.
Contact: contact@steelbridge.fi
