There’s something uniquely predictable about data regulations. When they are announced, they often land without a big sense of urgency. This approach is by design. Legislators provide lots of lead time for organizations to adjust their processes and systems to the regulations. Three to five years is not uncommon.
As a result of this, on day 1 after the announcement, usually nothing happens. People are busy with everyday work, and hey, who really cares what happens in five years?
Data regulation gains importance slowly over time
At some point, the 2-year mark passes, and organizations start to build task forces. Teams are being built to analyze what is needed to comply with the regulation. Those teams meet every two weeks, and progress is slow.
Some projects follow a waterfall approach. They begin with an initial analysis and then proceed to further analysis. And at some point, they stop analyzing. This is the moment that can lead to paralysis as they realize they won’t make it in time. Often, the regulator extends the deadline by a year or two or announces that fines for not complying are moved further out, which gives breathing room and lets other priorities take over again.
But at some inevitable point, the regulation takes effect. After this point, noncompliant companies will be fined. Things get serious.
The European Union and data regulation
Nowhere is this more true than in the European Union. The EU loves regulations. This means that we routinely deal with a complex and changing policy environment in many areas, including data. For example, the General Data Protection Regulation (GDPR), which came into force in 2018, is one of the most prominent in the tech industry. It sets out a series of rules and policy guidelines for the collection, processing, analysis, and use of data at all levels.
The EU Data Act extends the policy directives set down in GDPR, with meaningful implications for the data industry. It was agreed in June 2023 and became applicable on September 12, 2025.
That means that today is one of those days where things get serious.
Want to know more? Let’s unpack the details.
What is the EU Data Act?
First things first. The EU Data Act and the GDPR act in concert with one another, not in opposition. They are complementary, not dependent, regulations that address different aspects of data. This means that the policy environment for the data industry is governed by both pieces of legislation, which makes understanding their similarities, differences, and overlaps an important first step.
GDPR vs EU Data Act
GDPR is foundational, but also focused on particular scenarios and use cases. In particular, it exclusively governs the processing of personal data, ensuring its privacy and security for individuals.
The EU Data Act, on the other hand, focuses on enabling access to and fair use of both personal and non-personal data, particularly industrial data, to foster innovation and competition.
The two acts act in tandem. The EU Data Act explicitly states it does not affect GDPR provisions and must be read alongside it. This means that data shared under the EU Data Act must comply with data protection rules set out by the GDPR if it contains personal data.
What are the key components of the EU Data Act?
Like any piece of complex policy legislation, the EU Data Act is made up of several components. Each of these pieces is important when considering its impact on the data industry.
Overall, you can think of the EU Data Act as having three key components:
- Data Sovereignty and Data Residency
Organizations must ensure that data is processed and stored within specific geographical boundaries and protected from foreign access. - Data Sharing, Portability, and Interoperability
The EU Data Act promotes data sharing, interoperability, and portability between organizations. Organizations must provide mechanisms for data access and transfer among different services and platforms.
- Governance, Security, and Compliance Assurance
The EU Data Act increases obligations for both technical and contractual safeguards for data sharing.
How the EU Data Act impacts AI
One of the most significant implications of the EU Data Act involves AI. It sets out directives governing the proper use of data in AI applications, and acts in concert with other legislation like the EU Artificial Intelligence Act.
This guidance is timely and will greatly shape the development of AI initiatives across the EU and beyond. In the past few years, companies have focused a lot on getting their first AI use cases up and running.
While pursuing those efforts, many IT and data leaders have realized that the foundation for strong AI data architecture results is strong data management. This is much harder to achieve than just adding a general GenAI model to some sample data.
With the EU data act as an additional regulation to meet, efforts to improve data management will yield a significant return on investment.
How Starburst helps organizations comply with the EU Data Act
The EU Data Act is driven by the twin goals of broadening access to data and strengthening individual control over that data. It is designed to promote a competitive market, free from vendor lock-in, while laying the foundation for a fair and secure data economy.
For those familiar with Starburst, these goals may sound familiar.
A shared vision of choice over your data
Starburst supports both objectives: establishing a solid data foundation for AI and meeting the compliance demands of the EU Data Act.
In many ways, the EU Data Act’s intent aligns with the principles on which Starburst was founded. From the beginning, Starburst has been built on a single core principle: optionality.
What is optionality?
Optionality is a Starburst value, and our central methodology when it comes to data. In a word, it means choice.
It means you are never locked into a specific technology when using Starburst. Interoperability is part of our core mission. You can keep using the storage systems you already depend on, the file formats you prefer, the table format that fits your requirements, and the client tools your teams already know.
Starburst sits in the middle, connecting these pieces and making them interoperable. If you decide to switch technologies, Starburst provides the flexibility to integrate and adapt without disruption.
Let’s dive into the key requirements mentioned above and how Starburst will help with compliance with the EU Data Act.
Understanding data sovereignty and data residency
Data sovereignty and data residency focus on ensuring that data, especially sensitive information, remains subject to the laws and governance of the jurisdiction where it was collected or generated.
This means organizations must ensure data is processed and stored within specific geographical boundaries, often within the EU, to comply with local regulations and protect it from foreign access.
How Starburst helps improve data sovereignty and data residency
Starburst takes a direct role in helping organizations to achieve their data sovereignty and data residency goals. Our technology accesses data at the source, eliminating the need to create copies and unnecessary data processing.
Let’s look at how Starburst’s architecture and functionality support data sovereignty and residency.
Data federation
Starburst’s ability to federate data access across diverse data sources means that data can remain in its original location, within specific geographical boundaries (e.g., within the EU), while still being accessible for analysis. This minimizes the need for data movement, which is critical for maintaining data residency.
Starburst Stargate
Starburst Stargate enhances data sovereignty further. It enables secure, high-performance access to data across different cloud regions or on-premise environments without moving that data. This allows organizations to keep data in specific sovereign territories while enabling global access for authorized users, thus complying with data sovereignty requirements.
Multi-Region Cluster Deployment
Starburst Enterprise clusters can be deployed locally. In this scenario, data is processed only within the region. For global use cases, clusters can also be deployed in multiple regions, allowing organizations to process and store data in the specific jurisdictions where it was collected or generated. This ensures that data remains subject to the laws and governance of that region.
In-Country Data Processing
Starburst enables organizations to process data within their country of residence, directly supporting data residency mandates. This reduces the risk of non-compliance by preventing data from leaving a designated geographical area without proper authorization.
Auditing Cross-Border Queries and Data Egress Control
Starburst provides robust auditing capabilities that track cross-border data access and movement. Additionally, features for controlling data egress allow organizations to prevent unauthorized data transfers out of specific regions, which is crucial for complying with data residency and sovereignty laws.
By offering these capabilities, Starburst helps customers enforce data sovereignty and residency using their technology. This approach ensures that data is processed and stored in compliance with the EU Data Act and other local and international regulations at all times.
Data Sharing, Portability, and Interoperability
Data sharing has not been the first priority for organizations in the past. Organizations have usually imposed boundaries on data sharing to protect their own intellectual property. As a side effect, they also made it harder to share data within the company, which hindered the development of new use cases. In this sense, data sharing has been an exception rather than the rule within organizations. This slows down innovation and reduces the return on investment in data teams.
How data governance allows access to the right data at the right time
Today, data governance is a major concern for organizations of all sizes. Getting access to the right data at the right time is still one of the biggest challenges that organizations face. It can often take weeks or months to process data through multiple stages, from raw, unvalidated data in the bronze layer, to cleaned and standardized data in the silver layer, and finally to aggregated, business-ready datasets in the gold layer, which are optimized for analytics, reporting, machine learning, and AI.
Once the data is available, the requirements might have changed already, and the process starts again. The image below shows how this process typically works.
How Starburst offers a governed, single point of access
Starburst offers a single, open access layer to diverse sources, avoiding vendor lock-in, and supporting open table formats (Iceberg, Delta, or Hudi). This aligns with regulatory encouragement of data portability and open interoperability in the EU Data Act.
Self-service data exploration and data democratization are key principles for Starburst. We provide instant access to various data sources and break down data silos. Lengthy processes of data harmonization, cleansing, and preparation can be avoided. Data users can explore the value of the data immediately as if it were already prepared for them in a data warehouse.
How data governance is enhanced by data products
Data access can then easily be governed using a data product. Data products within Starburst act as curated, self-service datasets that abstract away the underlying complexity of various data sources.
Starburst’s data products are designed to address the challenges of data sharing, promoting accessibility and controlled distribution in line with the EU Data Act’s emphasis on portability and interoperability:
- Simplifying Data Access: Users can access well-defined data products through a single, governed interface, eliminating the need to navigate disparate systems. This accelerates the process of finding and utilizing relevant data.
- Enhancing Portability: Data products make it easier for organizations to transfer data between different services and platforms without vendor lock-in. By supporting open formats (Iceberg, Delta, Hudi), Starburst ensures that data held or shared is not locked into proprietary platforms.
- Streamlining Interoperability: By creating standardized “views” of data, data products foster interoperability, ensuring that data from different sources can be combined and analyzed effectively.
- Enabling Self-Service: Data products empower users with self-service capabilities, allowing them to discover and consume data independently, reducing the time and effort traditionally required to obtain data for new use cases.
- Facilitating Controlled Sharing: Governance and access controls applied to data products ensure that data sharing is not only easy but also secure and compliant with regulatory requirements, allowing organizations to share data externally or internally with confidence.
Want to know more? Discover how data products play a crucial role in establishing a semantic layer for AI use cases in this blog article.
Why the EU Data Act is a landmark for data protection and data sovereignty
As with any regulation, complying with the EU Data Act is not just a matter of implementing a single technology. Proper implementation will depend on the organization’s configuration and broader governance framework.
Data technology supporting the EU Data Act
However, technology also plays a large part. Starburst’s architecture and platform capabilities directly support organizations in meeting the EU Data Act’s requirements by enabling strong safeguards, centralized management of cross-platform data, and full traceability of data access and use.
How Starburst supports the EU Data Act
Starburst provides optionality, which helps to comply with the EU Data Act’s requirements to avoid vendor lock-in. It acts as a middle layer between an organization’s data sources and consumers, adding a single point of access and governance that allows it to switch tools in the data architecture seamlessly.
Data products enable the requirements of data sharing and portability.
Where regulations typically hinder business operations, the EU Data Act presents an opportunity to enhance the underlying data architecture, preparing it for a range of use cases, from analytics to AI.
