tractorjuice/arckit-eu-data-act

⚠️ Community-contributed command — not part of the officially-maintained ArcKit baseline. Output should be reviewed by qualified DPO / RSSI / legal counsel before reliance. Citations to ANSSI / CNIL / EU regulations may lag the current text — verify against the source.

You are helping an enterprise architect generate a EU Data Act Compliance Assessment (Regulation EU 2023/2854) for an organisation that manufactures connected products, holds data generated by those products, or provides data processing services. Most Data Act obligations apply from 12 September 2025.

User Input

$ARGUMENTS

Instructions

Note: Before generating, scan projects/ for existing project directories. For each project, list all ARC-*.md artifacts, check external/ for reference documents, and check 000-global/ for cross-project policies. If no external docs exist but they would improve output, ask the user.

Step 0: Read existing artifacts from the project context

MANDATORY (warn if missing):

• REQ (Requirements) — Extract: product type (connected product vs software service), data generation and collection requirements (DR-xxx), data sharing requirements (INT-xxx), cloud service type (IaaS/PaaS/SaaS)
  • If missing: warn that Data Act scoping requires understanding of product type and data flows

RECOMMENDED (read if available, note if missing):

• DATA (Data Model) — Extract: data types generated, data flows, personal data vs non-personal data, industrial/IoT data categories
• RISK (Risk Register) — Extract: data sharing risks, trade secret risks, cloud lock-in risks
• SECD (Secure by Design) — Extract: data access controls, API security for data sharing

OPTIONAL (read if available, skip silently):

• RGPD (GDPR Assessment) — Extract: personal data handling in data sharing — Data Act applies alongside GDPR when data contains personal data
• SECNUM (SecNumCloud) — Extract: cloud provider sovereignty — complements Data Act Article 27 (international transfer restrictions)

Step 0b: Read external documents and policies

• Read any external documents in external/ — extract existing data sharing agreements, product technical specifications, cloud provider contracts, trade secret registers
• Read any global policies in 000-global/policies/ — extract data governance policy, data sharing policy, trade secret protection policy

Step 1: Identify or Create Project

Identify the target project from the hook context. If the project doesn't exist:

1. Use Glob to list projects/*/ directories and find the highest NNN-* number
2. Calculate the next number (zero-padded to 3 digits)
3. Slugify the project name
4. Use the Write tool to create projects/{NNN}-{slug}/README.md
5. Set PROJECT_ID and PROJECT_PATH

Step 2: Read Source Artifacts

Read all documents from Step 0. Identify:

• Role(s): manufacturer / data holder / data processing service provider / public sector body
• Connected product presence: IoT, industrial equipment, smart appliances, vehicles, medical devices
• Cloud/data processing services: IaaS, PaaS, SaaS, edge — triggers switching obligations
• Personal data involvement: Data Act applies alongside GDPR when personal data is in scope

Step 3: Data Act Template Reading

Read the template (with user override support):

• First, check if .arckit/templates-custom/eu-data-act-template.md exists in the project root
• If found: Read the user's customized template
• If not found: Read .arckit/templates/eu-data-act-template.md

Step 4: Role and Scope Determination

Before generating the assessment, determine applicable roles and chapters:

| Role | Trigger | Applicable Chapters | |------|---------|-------------------| | Manufacturer of connected product | Makes/imports product that collects data | Chapter II (user access), Chapter III (B2B sharing) | | Provider of related service | Provides digital service linked to connected product | Chapter II, Chapter III | | Data holder | Has right/obligation to make data available | Chapter II, III, V | | Data processing service provider (DAPS) | IaaS/PaaS/SaaS/edge cloud provider | Chapter VI (switching) | | Public sector body | Government requesting exceptional data access | Chapter V |

Show role determination before proceeding.

Step 5: Generate Data Act Assessment

CRITICAL: Use the Write tool to create the assessment document.

1. Detect version: Check for existing ARC-{PROJECT_ID}-DATAACT-v*.md files:

   • No existing file → VERSION="1.0"
   • Existing file → minor increment if refreshed, major if scope changed

2. Auto-populate Document Control:

   • Document ID: ARC-{PROJECT_ID}-DATAACT-v{VERSION}
   • Status: DRAFT
   • Created Date: {current_date}
   • Next Review Date: {current_date + 12 months}
   • Role: from Step 4 determination
   • Data Act Application Date: 12 September 2025

3. Section 1: Role and Scope

   • Role determination table with rationale
   • Connected product in-scope assessment
   • Data types: personal data, non-personal data, trade secrets (mixed data sets common in IoT)
   • GDPR intersection note: Data Act does not affect GDPR — both apply when personal data is involved

4. Section 2: User Data Access Rights (Chapter II) (Manufacturer / Data holder)

   • Pre-purchase disclosure obligation (Article 3): users informed of data generated
   • Real-time access by users (Article 4): free of charge, machine-readable format
   • Third-party sharing at user instruction (Article 5): FRAND conditions
   • Contact point for data access requests
   • Trade secret protection when providing access

5. Section 3: B2B Data Sharing (Chapter III) (Data holder)

   • Data sharing obligation conditions (Article 8)
   • FRAND terms requirement (fair, reasonable, non-discriminatory)
   • SME protection: compensation capped at cost of sharing (Article 9)
   • Use restrictions: no re-identification, no use to compete with data holder (Article 8(4))
   • Dispute resolution mechanism (Article 10)
   • Trade secret safeguards (Article 12)

6. Section 4: Public Sector Exceptional Access (Chapter V) (Data holder / Public sector body)

   • Emergency situations and exceptional necessity conditions (Article 15)
   • Response timeline and format requirements
   • Compensation at cost recovery only
   • If not applicable: mark section N/A

7. Section 5: Data Processing Service Switching (Chapter VI) (DAPS)

   • Switching process requirements (Article 23)
   • Maximum timelines: 30-day notice, 180-day completion
   • No financial or technical barriers to switching
   • Customer data export in interoperable format (Article 26)
   • Egress charge elimination by September 2027 (Article 29)
   • Register of services and interoperability information
   • If not DAPS: mark section N/A

8. Section 6: International Data Transfer Restrictions (Article 27)

   • Non-EU government access without lawful EU/member state basis prohibited
   • Technical and organisational measures to prevent unlawful transfer
   • Obligation to contest unlawful requests
   • Interaction with DINUM cloud doctrine and SecNumCloud (complements sovereignty requirements)

9. Section 7: Interoperability (Chapter VII)

   • Interoperability specifications for data exchange
   • Smart contracts requirements (Article 36) if applicable
   • Open data formats and APIs

10. Section 8: GDPR Intersection

    • Personal data in shared data sets: both Data Act and GDPR apply
    • Data minimisation: Data Act sharing doesn't override GDPR purpose limitation
    • Transfer restrictions: GDPR Chapter V applies to personal data transfers
    • Recommend running $arckit-eu-rgpd if personal data is involved

11. Section 9: Gap Analysis and Timeline

    • Role-based gaps with Data Act application dates
    • September 2025: most obligations
    • September 2027: egress charge elimination

Before writing the file, read .arckit/references/quality-checklist.md and verify all Common Checks pass.

Write the document to:

projects/{project_id}/ARC-{PROJECT_ID}-DATAACT-v{VERSION}.md

Step 6: Summary Output

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ EU Data Act Assessment Generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📄 Document: projects/{project_id}/ARC-{PROJECT_ID}-DATAACT-v{VERSION}.md
📋 Document ID: {document_id}
📅 Assessment Date: {date}
⏰ Data Act Application: 12 September 2025

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔧 Role Assessment
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Roles in scope: {Manufacturer / Data holder / DAPS / Public body}
Connected product: {Yes / No}
Personal data involved: {Yes — GDPR also applies / No}

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Obligations Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

| Obligation Area         | Status      | Gaps |
|------------------------|-------------|------|
| User data access (Ch.II) | {status}  | {N}  |
| B2B sharing (Ch.III)    | {status}   | {N}  |
| Cloud switching (Ch.VI) | {N/A or status} | {N} |
| Intl. transfer (Art.27) | {status}   | {N}  |

Total Gaps: {N} ({N} high)

Next steps:
1. {If personal data: Run $arckit-eu-rgpd}
2. {If procurement: Run $arckit-fr-marche-public for data sharing clauses}
3. Run $arckit-risk to register Data Act gaps
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Important Notes

• Application date is September 2025: Most obligations apply 20 months after entry into force (January 2024 + 20 months = September 2025). Plan implementation now.
• Data Act ≠ Open Data Directive: The Data Act concerns privately-generated data (IoT, connected products) and cloud switching. The Open Data Directive covers public sector data. Do not confuse.
• GDPR still applies: Data Act does not override GDPR. When IoT data includes personal data (which is common — usage patterns, location, health data from wearables), both apply simultaneously.
• Trade secrets are explicitly protected: Manufacturers/data holders can refuse sharing if it risks exposing trade secrets — but must prove this and cannot use it as blanket refusal. Document trade secret identification process.
• Cloud egress fees: The September 2027 egress fee elimination is a significant commercial change for cloud providers. If this project involves multi-cloud or cloud switching, flag this in procurement.
• Use Write Tool: Data Act assessments span multiple roles and chapters. Always use the Write tool.

Key References

| Document | Publisher | URL | |----------|-----------|-----| | Data Act (Regulation 2023/2854) — full text | EUR-Lex | https://eur-lex.europa.eu/eli/reg/2023/2854/oj | | European Commission — Data Act implementation page | European Commission | https://digital-strategy.ec.europa.eu/en/policies/data-act | | European Data Innovation Board (EDIB) — guidance | European Commission | https://digital-strategy.ec.europa.eu/en/policies/european-data-innovation-board | | GDPR full text (applies alongside Data Act for personal data) | EUR-Lex | https://eur-lex.europa.eu/eli/reg/2016/679/oj | | EUCS — EU cloud certification scheme (complements Art. 27) | ENISA | https://www.enisa.europa.eu/topics/cloud-security | | SecNumCloud (French cloud sovereignty — complements Art. 27) | ANSSI | https://cyber.gouv.fr/secnumcloud |

Note for reviewers: The Data Act (September 2025) is distinct from the GDPR and the Open Data Directive. It governs access to data generated by connected products (IoT, industrial equipment, smart appliances, vehicles) and switching between cloud providers. Key concepts: data holder (entity with right/obligation to make data available), DAPS (Data Processing Service provider — cloud IaaS/PaaS/SaaS), FRAND (fair, reasonable, and non-discriminatory terms for B2B data sharing). Article 27 restricts cloud providers from handing EU data to non-EU governments without a lawful EU/member state basis — directly reinforcing the DINUM cloud doctrine and SecNumCloud requirements in France.

Success Criteria

• ✅ Assessment document created at projects/{project_id}/ARC-{PROJECT_ID}-DATAACT-v{VERSION}.md
• ✅ Organisation role(s) determined (manufacturer / data holder / DAPS / public body)
• ✅ Connected product in-scope status assessed
• ✅ Personal data / non-personal data split identified
• ✅ User data access rights (Chapter II) assessed if manufacturer/data holder
• ✅ B2B data sharing obligations (Chapter III) assessed with FRAND requirements
• ✅ Public sector exceptional access (Chapter V) assessed or N/A
• ✅ Cloud switching obligations (Chapter VI) assessed if DAPS or N/A
• ✅ International transfer restrictions (Article 27) assessed
• ✅ GDPR intersection documented with recommendation to run $arckit-eu-rgpd
• ✅ Gap analysis with Data Act application timeline (Sep 2025 / Sep 2027)

Example Usage

$arckit-eu-data-act Assess Data Act compliance for an industrial IoT platform collecting sensor data from 50,000 connected machines in EU factories, selling analytics as SaaS, B2B sharing with factory operators required

$arckit-eu-data-act Data Act scoping for 001 — cloud SaaS provider (IaaS switching obligations focus), assess egress charge elimination timeline and switching process requirements

$arckit-eu-data-act Data Act for a smart home appliance manufacturer (France), connected devices collecting usage data, assess user access rights and B2B sharing with maintenance service providers

Suggested Next Steps

After completing this command, consider running:

• $arckit-eu-rgpd -- Assess GDPR obligations for personal data in the data sharing flows (when Data sharing includes personal data)
• $arckit-fr-marche-public -- Include Data Act data sharing obligations in procurement clauses (when Data sharing involves public sector bodies or procurement)
• $arckit-risk -- Integrate Data Act compliance gaps and data sharing risks into the risk register