The EU Data Act 2025: A Practical Playbook for Insurers
Sep 15, 2025
Data serves as the foundational element of modern insurance. Telematics informs underwriting. Smart sensors enhance insurance service delivery by providing critical incident context for faster, more accurate claims verification. Third-party feeds improve fraud detection capabilities like KYC checks, identity verification, and transaction monitoring.
The EU Data Act, a new cross-sector regulation on data access, sharing, and fair contractual terms, will fundamentally change this landscape. It redefines who can control device and service information, how access is granted, and what insurers must be ready to accept and provide.
The Act became applicable on 12 September 2025. Insurers that treat it as a marginal compliance exercise risk missing a major strategic shift.
The Significance of the Data Act
At its heart, the Data Act makes it easier for users — both consumers and businesses — to retrieve and move data generated by connected products and services. It covers multiple data types, from personal and non-personal to telemetry and industrial sensor streams.
The regulation clarifies user rights to instruct data holders to share information with third parties. It also asks the European Commission to publish non-binding model contractual terms (MCTs) to reduce vendor lock-in.
Furthermore, the law introduces critical safeguards for trade secrets and establishes new rules for emergency public-interest access.
For insurers, this means claims records, telematics signals, OEM vehicle logs, IoT feeds, and even cloud storage systems could soon be more accessible and subject to stricter governance. In other words, the walls around data are coming down. At FRISS, we are already preparing for this shift so that our partners are ready to manage both inflows and outflows seamlessly.
Why This Matters to Insurers: Four Concrete Ways
Underwriting and pricing get richer if you can get signals. The Act strengthens users’ rights to device-generated data. That makes telematics, maintenance logs, and smart home telemetry easier to obtain. Since data includes everything from raw source data to enriched readings, insurers can create sharper usage-based and parametric products if they have the right ingestion pipelines.
Claims handling accelerates. Access to more detailed event data and metadata reduces manual investigation time. It directly supports core business priorities like cutting loss adjustment expenses, improving efficiency, and enhancing customer satisfaction. When combined with machine learning and fraud detection tools, even unstructured or processed data can generate valuable insights that strengthen the bottom line.
Vendor relationships will change. The Commission’s model contractual terms and non-mandatory cloud clauses will become market references. Expect renegotiations over what counts as raw or source data, fees for sharing, and IP carve-outs. Larger buyers who can handle different data formats and enforce data integrity standards will gain leverage. Insurers operating across the US and UK should also keep watch, as regulators there may take cues from the EU approach.
Privacy and compliance become more complex. The Data Act sits on top of GDPR. When a device feed contains sensitive data, insurers must make choices about anonymization, lawful basis, and data security while still honoring users’ rights to data access.
The Provisions Insurers Need to Map to Action
Here are the Data Act elements most likely to impact insurers and why they matter.
User access and third-party sharing. Users can instruct data holders (e.g., OEMs, device manufacturers, platform providers) to share data with a third party, such as an insurer or analytics vendor. Insurers must prepare data lakes or other repositories to receive these feeds at scale. Properly managed, the growing amount of data will provide a foundation for stronger automation and advanced data analysis.
Model contractual terms and unfair clauses. The European Commission will recommend MCTs to guide fair contracts, including rules around compensation and protection for trade secrets. These are non-binding but will shape negotiations. Insurers should look for service terms that cover liability, the handling of enriched datasets, and reasonable cost-sharing.
Switching and cloud portability. The Act obliges cloud and data-processing providers to support easier movement between platforms. For insurers, that means stronger planning for cloud service migration, testing different public clouds, and reviewing how storage costs and performance affect long-term policy administration and analytics strategies.
Emergency and public-interest access. In emergencies, public bodies may request data. Insurers must know how to document disclosure, safeguard data integrity, and respond within timelines without disrupting customer trust.
Enforcement and penalties. Member States must set effective and proportionate penalties. Insurers risk significant fines if data-sharing rules collide and trigger a breach of sensitive data involving personal data.
Practical Implications: Five Operational Shifts
Data ingestion becomes a product. Treat APIs and exports as product features. Operationalize schema validation, data formats mapping, and provenance tracking so auditors can follow each datapoint.
Contracts and SLA renegotiation. Vendors will push back on definitions of raw data versus processed data. Make sure procurement processes demand clarity and preserve insurer rights.
Model governance widens. Actuaries and data scientists must show how source data flows through models to support pricing and claims decisions. This builds transparency and strengthens regulatory defense.
Privacy engineering ramps up. With sensitive data in play, insurers must enforce anonymization and strict data security controls to prevent reputational and financial penalties.
Switching and migration playbooks. Build tooling and test scenarios across multiple public clouds. Insurers with clear switching plans will avoid surprises in provider negotiations.
A 6-Step Readiness Plan: Start This Quarter
Map the data estate. Think of it as drawing your treasure map. Identify every connected-device input, data lake, cloud platform, and the contracts that govern them.
Contract triage. Time to play detective. Flag clauses that block access, use ambiguous “service including” language, or leave ownership terms vague before they turn into disputes.
Open the pipes. Data should flow, not drip. Build ingestion and export capability with APIs, standardized exports, and validation checks to maintain data integrity.
Govern with care. No shortcuts here. Carry out DPIAs, protect sensitive data, and document how processed data supports models to stay both compliant and transparent.
Switch seats. Test-drive migrations across at least two cloud service providers now, so you’re not forced into sudden moves later by regulators or outages.
Pilot the future. The best way to prepare is to experiment. Launch a usage-based or parametric pilot that leverages device signals to prove cost savings and generate valuable insights.
This staged approach can help insurers build confidence. A two-week mapping sprint followed by a six-week pilot is a pragmatic way to show compliance readiness while uncovering new business opportunities.
Turning Compliance into Competitive Advantage
The insurers who profit from the Data Act will do three things at once: comply, innovate, and communicate. Build ingestion as a product with SLAs and data integrity metrics. Use new data-sharing rights to design usage-based products and faster claims journeys. And market readiness as a selling point for fleets and enterprises that generate huge amounts of data and want freedom to move it.
When executed well, the Data Act is not just another compliance line item. It acts as a growth lever that reduces claims costs, enables better pricing accuracy, and unlocks valuable insights from the data insurers already collect. Forward-looking carriers will treat it as a catalyst, not a burden.