Regulating data in the maritime sector

by | Apr 3, 2026 | Digitalisation, Maritime regulations, News, SWZ|Maritime

Regulating data in the maritime sector digital twin by Bureau OMA

From the magazine – The European Union (EU) Data Act has entered into force on 12 September 2025, and aims to create fair access to data [1]. The Act determines who controls data generated by connected products or services, with the aim to enhance technological innovation and contribute to a competitive European data market. This includes data generated by systems on board of ships, which makes the Act highly relevant for the maritime industry, particularly considering the increased use of digital twins.

Lenneke Sprik
Lenneke Sprik, PhD

This article originally appeared in SWZ|Maritime’s February 2026 issue and was written by Lenneke Sprik, Professional Doctorate candidate in Maritime Law at NHL Stenden.

The European Council has claimed that implementation of the Data Act could result in a € 270 billion increase in the EU’s gross domestic product by the end of 2028 [2]. This article addresses the changes the Data Act brings about for the maritime sector, focusing on how existing data governance and data-sharing practices should develop in order to comply with the Act.

Also read: Report: Shipping must master data to remain competitive

EU Data Act

The implications of the EU Data Act are threefold. First, the control over data shifts from the data holders (original equipment manufacturer (OEM)) to the user of the connected product or service. An OEM is a company that develops equipment and parts that may be marketed by another manufacturer under licence [3]. The data holder must provide users with real-time, secure and direct access to the data generated by the product or service [4] and also share the data with third parties if requested by the user.

In a maritime context, this may include operational data generated by onboard systems such as engines or energy management systems, which a shipowner may want to share with an independent service provider for performance monitoring or predictive maintenance. The user should be able to export the data directly, if relevant and technically realistic.

OEMs may neither use the data themselves without the explicit consent of the user, nor use the data to gain insight into the use of the product or service by the user that could undermine the user’s market position. Also, the user (shipowner) may not use the data to develop a product that competes with the product from which the data originates.

Second, the data holder may request ‘reasonable compensation’ for sharing data with third parties, whereas users should be able to access the data free from cost. For small and medium-sized enterprises, the compensation may not exceed the costs of making the data available. Data will only be disclosed to third parties insofar as this is strictly necessary to achieve the purpose agreed between the user and the third party. Contracts about data sharing between businesses, in particular between the OEM and third parties, should be fair, reasonable, and non-discriminatory (FRAND) [5].

Third, users are given the opportunity to switch between service providers to prevent vendor lock-in and to create a more competitive drive between service providers [6]. This also applies to cloud providers for data storage. To facilitate easy switching between providers, the EU Data Act sets standards for interoperability.

Impact for the maritime sector

Ships and onboard systems generate large amounts of data, such as data regarding engine performance, fuel consumption and the automatic identification system (AIS). Traditionally, operational ship data has been controlled by OEMs and software providers, who determined which data were accessible, in what form, and for what purposes. Shipowners and operators typically had limited insight into the data generated by their ships and were dependent on the OEM’s services for maintenance and performance optimisation.

This data concentration reinforced the so-called vendor lock-in for service and maintenance, and restricted competition by independent service providers, as they lacked access to real-time operational data. The EU Data Act fundamentally alters the starting point for OEMs, shipowners and service providers, as it applies to all data generated within the EU, regardless of the geographical location of the OEM or user.

Visualisation of a digital ecosystem surrounding a smart ship, showing how operational vessel data is shared with multiple stakeholders (Bureau OMA)
Visualisation of a digital ecosystem surrounding a smart ship, showing how operational vessel data is shared with multiple stakeholders. The structured data flows illustrate the role of digital twins as a hub for analysis, innovation, and data governance under the EU Data Act (illustration by Bureau OMA).

With operational data not exclusively in hands of OEMs, competition in maintenance will increase with competing companies offering these services at a potentially lower rate. This reduces the dependency on the OEM, and allows shipping companies to switch between service providers to maximise cost-efficiency. The wider availability of real-time data for analyses and innovation creates a new business model, which contributes to the optimisation of the systems used in shipping.

However, the intended redistribution of control is not absolute, as the Act introduces exceptions to the data access requirement.

Exceptions: security and trade secrets

Two exemptions to the access requirement in the EU Data Act are worth highlighting. First, access to data may be restricted by the OEM and shipowner if this would compromise the security requirements of the product, for example requirements included in European or national legislation such as the NIS-2 regulation or Cybersecurity Act. Access to data is considered a risk if it has negative consequences for the health, safety or security of persons.

Second, data sharing may be refused if it can be demonstrated that the company would suffer serious, irreparable economic damage as a result of sharing trade secrets. In practice, this gives OEMs significant room to restrict access by invoking trade secrets or security concerns.

Digital twins as ‘stress test’ for the Data Act The increasing use of digital twins in the maritime sector makes the implications of the EU Data Act particularly tangible [7]. Digital twins rely on continuous data flows between the physical vessel and its digital counterpart and typically involve multiple actors, including shipowners, OEMs and software providers.

As a result, questions about who has access to data, under which conditions data may be shared, and how contractual limitations apply are no longer abstract legal issues, but operational concerns. Digital twins thus act as a “stress test” for data regulation, with tensions visible between old contractual practices and new statutory data rights.

Traditionally, data sharing in the maritime sector has been governed primarily by contracts. The Data Act challenges this model by introducing mandatory rules aimed at standardising data access and limiting contractual control over data [8]. The black and grey lists included in the Act explicitly prohibit certain contractual provisions, such as one-sided liability limitations, restrictive data retention clauses and unilateral authority to determine data quality. Contracts containing such clauses are not binding and will need to be revised.

In the context of digital twins, where data is shared in real-time among multiple parties, this shift highlights that data sharing can no longer be addressed solely through bilateral contracts, but requires a governance framework to allocate responsibilities and manage risks.

Also read: SWZ|Maritime’s February 2026 issue: Designing the digital maritime future

Challenges and frictions

The Data Act largely limits data sharing to “in situ” access, meaning that users or third parties can only access data via the OEM’s server and cannot obtain independent access [9]. While this may reduce risks associated with data transfers, it also limits user control, as the OEM remains in control of the data infrastructure.

The obligation to share data may reduce incentives to generate data in the first place, particularly where OEMs do not benefit financially from data sharing [10]. After-sales services are an important driver for OEMs to invest in technology and innovation. Mandatory data sharing could thus negatively affect innovation incentives. Reluctance towards large-scale data sharing is therefore likely to persist, also due to concerns over security and the risk of reverse engineering based on shared operational data. These concerns are particularly prevalent among OEMs and software developers.

Although the Data Act refers to interoperability, it does not create an obligation to create technical access or interoperability with the product or service itself. This means that OEMs can still determine which software will be used on board, and that independent maintenance of systems will depend on the OEM’s willingness to provide technical access. Sector wide agreements and standards would be required to regulate this and minimise technical dependency on OEMs.

Finally, revising existing contracts between OEMs, service providers and shipping companies is likely to be costly and time-consuming. OEMs operating in markets with limited competition may pass these costs on to third parties through higher prices. In addition, the concept of “reasonable compensation” for data sharing remains open to interpretation, which creates further legal uncertainty.

Tensions with other regulations and data practices While the EU Data Act grants users a formal right to access data, the practical value of this right is constrained by a combination of factors. Tension arises for example from the interaction with the GDPR, which continues to apply to mixed datasets containing personal and non-personal data. In practice, compliance with both regimes may require anonymisation and data minimisation, limiting the scope and usability of shared data.

Moreover, the Data Act focuses on access to raw, product-specific data, whereas innovation in the maritime sector increasingly depends on aggregated and derived datasets, particularly in the context of digital twins and autonomous shipping.

At the same time, the legal position of neutral data intermediaries remains unclear [11], despite their potential role in real-time data sharing. Finally, differences in data readiness and maturity between maritime stakeholders comes with the potential risk of higher compliance costs for smaller suppliers. Whether the Data Act leads to genuine competition will depend on how the access requirements are implemented in practice.

Next steps for maritime stakeholders

A first step towards compliance with the Data Act within companies and the sector as a whole is identifying for which products and services the Act is relevant. Then, revision of contracts and data clauses is recommended. To facilitate the transition towards a new business model and to ensure that the sector benefits from opening up the market, internal data governance for the maritime sector is key, also to establish trust and transparency. Otherwise there may be a risk of fragmentation.

Interoperability needs further work to reap the benefits of the opportunities offered by data sharing, which can be achieved by continuing to work on further standardisation within the sector. To increase data maturity, shipping companies, OEMs and service providers can train staff members to increase data literacy. Preparing cloudswitching scenarios will furthermore help to determine how maritime companies can reduce cost in data storage and maintenance of systems.

All of this should not be done in isolation, but in cooperation: sector-specific implementation is essential, also to keep oversight of the level playing field that the Data Act aims to establish [12]. An example of a cooperative approach is the Maritime AI Innovation Lab [13], within which legal interpretations of EU data and AI regulations are developed in close interaction with maritime practice.

Also read: How a digital twin can support planning when building a ship

Towards a more cooperative sector

The EU Data Act creates a legal framework for fair data access and with that has the potential to shift the sector’s business model from highly competitive to more cooperative with the aim to innovate. Whether the Act will contribute to the intended goals depends on its implementation in practice. The sector has traditionally been governed by contracts and has been dependent on OEMs. All actors involved will have to join forces to work on sector-specific governance of data and standards for data sharing.

References

  1. Dominik Wittenberg and others, ‘Information Requirements and Legal Framework for Multimodal Transport System Coordination’ (2024), 8 Logistics, 15
  2. David Saive, ‘What the EU Data Act means for logistics, data sharing, and open source innovation’ (Open Logistics Foundation, 14 August 2025), https://openlogisticsfoundation.org/what-the-eu-data-act-means-for-logistics-data-sharing-and-open-source-innovation/, accessed 12 January 2026
  3. Marine Digital, ‘What are OEM and ODM in maritime?’ (Marine Digital, n.d.), https://marine-digital.com/article_what_are_oem_and_odm, accessed 14 January 2026
  4. Artikel 4(1) of Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (2023) OJ L 2854, applied from 12 September 2025
  5. Juan Montero, Matthias Finger and Francisco Miguel de Abreu Duarte, ‘Policy Brief: Aviation and Multimodal Digital Mobility Services in the EU’ (European Transport Regulation Observer, 2023)
  6. Hans Graux, ‘What is data ownership, and does it still matter under EU data law? An exploration of traditional concepts of data ownership, and of the expected impact of the Data Act’ (European Commission 2024)
  7. Asli Arda, ‘The Digital Twin of a Ship and Data Issues in the EU’, Lloyd’s Shipping and Trade Law (2022), 22 Lloyd’s Shipping and Trade Law, 4
  8. Peter Georg Picht, ‘Caught in the Acts: Framing Mandatory Data Access Transactions under the Data Act, further EU Digital Regulation Acts, and Competition Law’ (2022), 14 Max Planck Institute for Innovation and Competition Research Paper Series
  9. Wolfgang Kerber, ‘Governance of IoT Data: Why the EU Data Act Will not Fulfill Its Objectives’ (2023), 72 GRUR International 120, 124
  10. Nathalie Jorzik, Paula Johanna Kirchhof and Frank Mueller-Langer, ‘Industrial data sharing and data readiness: a law and economics perspective’ (2023), 57 European Journal of Law and Economics 181, 183
  11. Picht 31
  12. Jorzik, Kirchhof and Mueller-Langer 201
  13. For more information about the Maritime AI Innovation Lab, see www.nhlstenden.com/projecten/maritime-aiinnovation-lab

Picture (top): Digital twins rely on continuous data flows between the physical vessel and its digital counterpart and typically involve multiple actors, including shipowners, OEMs and software providers (illustration by Bureau OMA).