What the EU Data Act Means for Your Mobile Device Fleet

The EU Data Act (Regulation (EU) 2023/2854) is now in force. With a core application date of 12 September 2025 and a critical "data by design" deadline of 12 September 2026, organisations operating mobile device fleets in the UK, Germany, Switzerland, and Austria need to assess their current MDM posture now — not after the deadline.

This regulation does not simply add a new privacy checkbox to your compliance list. It fundamentally changes the rules around how data generated by connected devices — including the smartphones, tablets, and ruggedised endpoints in your fleet — can be accessed, shared, and moved. If your MDM platform, BYOD policy, or cloud infrastructure is not aligned with these obligations, the consequences range from regulatory action to loss of the right to operate connected products in the EU market.

This article provides a technical breakdown of the Data Act's key requirements, maps them to real-world MDM scenarios, and gives you a prioritised compliance checklist.

What Is the EU Data Act?

The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024. It is a horizontal regulation, meaning it applies across sectors and device categories, not just to a specific industry vertical. Its core ambition is to make data generated by connected products more accessible, portable, and reusable — moving value from data holders (manufacturers, platform vendors) toward the users and businesses that generate the data.

The Data Act operates alongside, but independently from, the GDPR. Where the GDPR governs personal data, the Data Act governs device-generated data more broadly — including operational, telemetry, usage, and configuration data that may not be personal in nature but is commercially valuable.

Key dates:

Date	Milestone
11 January 2024	Regulation entered into force
12 September 2025	Core provisions applied (data access, sharing, cloud switching)
12 September 2026	"Data by design" obligations for new connected products placed on EU market
January 2027	Cloud/data processing switching charges must be eliminated entirely

Why Your Mobile Device Fleet Is in Scope

The Data Act defines a "connected product" as any item that generates data from its use and can transmit that data via an electronic communications service or an internet connection. This definition captures:

Corporate-managed smartphones and tablets enrolled in your MDM platform
BYOD devices accessing corporate resources via containerisation or MAM profiles
Ruggedised handhelds used in logistics, warehousing, and healthcare environments
Laptops and desktops enrolled in unified endpoint management (UEM) platforms such as Omnissa Workspace ONE or Scalefusion

If a device is enrolled in your MDM and generating telemetry, compliance data, app usage logs, location data, or configuration state — that data is within the scope of the Data Act. The organisation managing that fleet is acting as a data holder, and users and designated third parties now have legally enforceable rights over that data.

The Four Compliance Obligations That Matter for MDM

1. Data Access by Default (Articles 3–5)

From 12 September 2026, new connected products must be designed so that data they generate is directly accessible by the user — securely, in real time, and free of charge. For existing enrolled devices, the obligation to provide that access on request has been in effect since September 2025.

What this means in practice:

Your MDM platform must be capable of exporting a user's device data — telemetry, compliance reports, installed application lists, usage logs — in a structured, machine-readable format upon request. If your current MDM console cannot produce this export on a per-device or per-user basis, you have a gap.

For Omnissa Workspace ONE UEM deployments, the reporting and API layer can satisfy this requirement with appropriate configuration. Scalefusion similarly exposes device-level export functionality. However, this capability must be deliberately enabled and tested; it does not work out of the box for most organisations' current configurations.

Users have the right to instruct the data holder — i.e., the organisation running the MDM — to share their device-generated data with a third party of their choice. The data must be shared in real time, in the same format as it would be made available to the data holder itself, and at no charge to the user.

MDM impact:

This creates an obligation to build (or validate) a data export/API pathway from your MDM platform to external destinations. Critically, you cannot selectively delay or degrade the quality of data shared with third parties relative to what you retain internally. For organisations using MDM data for internal analytics or security tooling, the third-party access right may require you to formally document your data flows and justify any limitations applied.

3. Contractual and BYOD Transparency (Articles 13 and 4(3))

The Data Act requires that users be informed before purchase or enrolment about:

What categories of data the device and associated services generate
Whether the data is accessible directly from the device or via a service
Whether the data is shared with the manufacturer or service provider, and for what purpose

For BYOD programmes, this obligation materialises in your device enrolment policy and acceptable use agreement. A generic "the company may monitor device activity" clause is no longer sufficient. You need explicit disclosure of the data categories generated, how they are stored, who can access them, and how a user can request their data or its deletion.

4. Cloud Switching and Data Portability (Articles 23–31)

If your MDM platform is delivered as a SaaS or cloud-hosted service — which covers the majority of Workspace ONE and Scalefusion deployments — your vendor is subject to new cloud switching obligations. From September 2025, vendors must:

Provide complete data portability: all configuration data, device records, policies, and compliance history must be exportable
Support migration to a competing platform or on-premises alternative
Remove commercial or technical barriers to switching

From January 2027, all switching-related fees (data export charges, reformatting fees, migration costs) must be eliminated entirely.

What this means for IT teams: You should be able to export your full MDM dataset from Workspace ONE or Scalefusion at any time and import it into another platform. If your current vendor contract includes data lock-in clauses or charges for bulk data export, those terms are now non-compliant with EU law. Audit your contract now.

Penalties: What Is at Stake

The Data Act does not set a single EU-wide penalty cap. Enforcement is delegated to national competent authorities in each Member State, who may be existing data protection authorities (such as the ICO in the UK post-Brexit context, or the BfDI in Germany) or newly designated regulators.

Each Member State must establish penalties that are effective, proportionate, and dissuasive. Several jurisdictions are aligning their penalty frameworks with GDPR-equivalent thresholds, which means potential administrative fines of:

Up to €20 million, or
Up to 4% of worldwide annual turnover, whichever is higher

For a 500-person organisation with £50M in revenue, a mid-range fine at 2% represents a £1M liability. For a multi-national enterprise, exposure is materially higher.

Beyond financial penalties, national authorities can issue compliance orders requiring you to halt the use of a non-compliant connected product or service — a potentially greater operational risk than the fine itself.

Technical Compliance Checklist

Work through the following checklist against your current MDM environment. Items marked Critical must be resolved before 12 September 2026.

Data Inventory and Classification

[Critical] Produce a full inventory of data categories generated by your enrolled device fleet (telemetry, compliance state, app inventory, location, usage logs)
[Critical] Document which data is retained by your MDM platform, which is transmitted to third-party integrations, and the retention period for each category
Map the above inventory against user and device groups — BYOD, corporate-owned, and shared device profiles require separate treatment

Data Access and Export

[Critical] Validate that your MDM platform can export per-user and per-device data in a structured, machine-readable format (JSON, CSV, or XML minimum) on demand
[Critical] Test the data export pathway end-to-end; confirm the output is comprehensive and includes all data categories in your inventory
Configure role-based access controls so that data access requests can be handled by your helpdesk or data owner without requiring admin-level intervention

BYOD Policy and Enrolment Documentation

[Critical] Review your device enrolment agreement and BYOD acceptable use policy; ensure it explicitly discloses all data categories generated, access rights, and the process for requesting data or requesting deletion
Implement separate MDM profiles for BYOD and corporate-owned devices to ensure data minimisation — collect only what is necessary for each profile type
Document the legal basis for collecting device telemetry from BYOD users; this intersects with both the Data Act and GDPR Article 6

Identify all third-party integrations currently receiving device data from your MDM (SIEM platforms, ITSM tools, analytics dashboards, zero trust brokers)
Implement a documented process for handling user-initiated third-party sharing requests within the timeframes required (real-time or near-real-time)
Ensure third-party integrations receive data at the same quality and latency as internal consumers

Cloud Switching Readiness

Review your MDM SaaS contract for data export terms, switching fees, and migration support clauses — flag any terms that restrict portability
Request a full data export from your current MDM vendor and validate its completeness (configuration policies, device records, smart groups, compliance rules)
Document your migration runbook: what would a move to an alternative platform require, and what is your data portability gap?

Audit Trail and Logging

Enable and retain audit logs for all data access events, export requests, and configuration changes within your MDM console
Set a log retention policy consistent with your local regulatory requirements (minimum 12 months recommended)
Ensure audit logs are tamper-evident and exportable independently of the device data they record

Mapping Requirements to Your MDM Platform

The following table maps key Data Act obligations to specific Omnissa Workspace ONE UEM and Scalefusion capabilities. Where a capability requires explicit configuration, it is noted.

Obligation	Workspace ONE UEM	Scalefusion	Configuration Required?
Per-device data export	✅ REST API + Console export	✅ Device report export	Yes — API access must be enabled
BYOD data separation	✅ Work profile / MAM-only	✅ Container profile	Yes — profile type must be selected at enrolment
Audit logging	✅ Audit log module	✅ Activity log	Yes — retention period must be configured
Compliance state reporting	✅ Compliance engine + reports	✅ Compliance dashboard	Default — review report scope
Third-party API data push	✅ Workspace ONE Intelligence	✅ Webhook integrations	Yes — connector configuration required
Cloud data export for switching	✅ Bulk export via API	✅ Admin export tools	Yes — test export completeness

If your current deployment has gaps in any of the above capabilities, a structured MDM Health Check will identify precisely what needs to be reconfigured, extended, or replaced.

Recommended Actions Before 12 September 2026

The Data Act's "data by design" deadline is not a soft deadline. Products placed on the EU market after 12 September 2026 that do not meet the access-by-default requirement will be non-compliant from day one. For organisations managing existing fleets, the core data access and sharing obligations have already applied since September 2025.

If you have not yet conducted a formal assessment of your MDM environment against the Data Act, the window to remediate is narrowing. A typical MDM compliance review, policy redraft, and technical remediation programme takes 8–12 weeks end-to-end. Starting in June gives you approximately three months — which is the minimum required to make substantive changes to a production MDM deployment without operational risk.

The three actions to prioritise this month:

Run a data inventory — you cannot disclose, share, or export what you have not catalogued
Review your BYOD policy — update enrolment documentation to meet transparency requirements
Test your data export pathway — validate that your MDM platform can produce a compliant export on demand

Book a Free MDM Health Check

If you are unsure where your current MDM deployment stands against the EU Data Act requirements, Workspace Consultants offers a Free MDM Health Check — a 30-minute remote session with an MDM specialist, followed by a written report identifying your compliance gaps and a prioritised remediation plan.

We work exclusively with Omnissa Workspace ONE and Scalefusion across UK and European deployments, and we understand both platforms at the configuration level required to implement these obligations correctly.

Book your Free MDM Health Check →

No obligation. No sales pitch. Just an honest assessment of where you are and what needs to change.

Sources and Further Reading

Workspace Consultants are independent MDM consultants specialising in Omnissa Workspace ONE and Scalefusion deployments across the UK, Germany, Switzerland, and Austria. We are not affiliated with Omnissa or Scalefusion — we give objective, implementation-level advice.

What the EU Data Act Means for Your Mobile Device Fleet

Get Expert Consultation