Apidays London 2024 - The Hidden Power Brokers in the EU Data Act Enforcement by David Vazquez Cortizo, apinity

APIs: The Hidden Power Brokers in the EU Data Act Enforcement
Dr. David Vazquez Cortizo, Managing Director & CTO - apinity

apidays London 2024 - APIs for Smarter Platforms and Business Processes
September 18 & 19, 2024

apidays

October 12, 2024

Transcript

  1. APIs - The hidden power brokers in the EU Data Act enforcement
    David Vazquez Cortizo, Managing Director @apinity.io
  2. Agenda
    • Intro to EU Data Access regulation
    • Implications for the impacted actors
    • Technical readiness journey
    • Summary
  3. EU Data Act due in Sep 2025
    The EU Data Act is a regulation on harmonised rules on fair access to and use of data. Designed to enhance the EU’s data economy and foster a competitive data market (in particular for the IoT industry), it clarifies who can use what data and under which conditions. The Data Act gives users of connected products (businesses or individuals that own, lease or rent such a product) greater control over the data they generate, while maintaining incentives for those who invest in data technologies. It also lays down general conditions for situations where a business has a legal obligation to share data with another business.
  4. EU Data Act due in Sep 2025
    • Chapter II on business-to-business and business-to-consumer data sharing in the context of IoT: users of IoT objects can access, use and port data that they co-generate through their use of a connected product.
    • Chapter III on business-to-business data sharing: this clarifies the data-sharing conditions wherever a business is obliged by law, including through the Data Act, to share data with another business.
    • Chapter V on business-to-government data sharing: public sector bodies will be able to make more evidence-based decisions in certain situations of exceptional need through measures to access certain data held by the private sector.
    Source: https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained
  5. Implications on the affected industries and players
    • Data holders (e.g. your connected car company) are obliged to grant users access to generated data -> includes non-personal data
    • Users are entitled to share their data with third parties for predefined purposes -> direct competition purposes excluded
    • Data holders are obliged to make data accessible to third parties under “reasonable terms” -> reasonable compensation must be agreed upon
    • Data holders must provide “necessary data” access to public authorities -> free of charge in case of public emergencies
  6. Implementing EU Data Act / FIDA technical readiness
    • Only mandated in FIDA
    • Not spoken of in the EU Data Act
  7. EU Data Act / FIDA Readiness in a nutshell
    1. Prepare Your Systems & Data
      - Identify which core product data needs to be exposed & prepare core system
    2. Expose APIs to the outside - securely at scale
      - APIs must be exposed securely - Authorization is controlled by user consent
      - Large and very dynamic number of consumers supported
    3. Build Customer Dashboards
      - Expand data model to support customer consent dashboards
      - Implement customer consent dashboard application(s)
    4. Verify and upgrade your IAM
      - Verify capabilities of your Identity and Access Management (IAM) - OIDC
    5. Integrate & Validate
      - Integration and validation of end2end use cases
    6. Monetize your APIs
      - API Monetization readiness
  8. Technical readiness for EU Data Act / FIDA as Data Holder
    • Identify product data that has to be exposed
      - There will be a certain amount of uncertainty that has to be managed
      - Amount of uncertainty should not be used as an excuse for inaction
    • Evaluate readiness of software architecture to expose data through secure APIs, including data mapping capabilities
      - Your IAM must support OAuth2
      - Your APIs must be access controlled using OAuth2
  9. Technical readiness for EU Data Act / FIDA as Data Holder
    • Redesign/expand the data model of your core system
      - To be able to link product, user identifiers and list of Data Users
      - (FIDA required) Customer dashboards will be based on this extended data model
    • Implement customer dashboard as consent interface
      - Explicitly mandated for FIDA only, arguably needed for the EU Data Act case anyway
      - For easy management (e.g. revoke access capability) of given consents by users
    • Implement new business logic (application, module, microservice)
      - To manage new consents
      - To revoke consent requests
  10. Technical readiness for EU Data Act / FIDA as Data Holder
    • Ensure your Identity and Access Management (IAM) system
      - supports OAuth2 and OIDC (OpenID Connect) -> 3-legged tokens
      - serves web pages/iframes so that users can grant access to Data Users (third parties)
      - supports fine-grained access control -> using OAuth2 scopes / claims in the JWT token
      - can generate an audit log to resolve potential litigation issues (e.g. a customer claiming that their data was accessed without their consent)
    • Identify and support End2end integration scenarios
      - User consent management flows
      - Data access from third parties (Data Users)
  11. Technical readiness for EU Data Act / FIDA as Data Holder
    • Address API Monetization
      - Externalize the capability by onboarding your APIs on an API Marketplace
      - Choose vendor providing API Management solution with metering & billing capabilities
      - Develop internally
  12. The EU Data Act as a catalyst for cross-sector innovation:
    • Breaking down silos: EU Data Act promotes data sharing across industries
    • New business models enabled by cross-sector data access
    • Opportunities for SMEs - Fair access to data
    • Increased transparency and competition in the market
  13. Summary
    • The EU is using regulation to drive open data markets
      - EU Data Act is a transversal law with specific focus on the IoT industry
      - FIDA is specific for the financial industry (including P&C insurance)
    • Product and User data will be exposed through APIs
    • Technical readiness includes
      - Identify and expose relevant product data via secure APIs
      - Extend data models to support user consent management
      - Specific requirements for the Identity and Access Management system
      - API Monetization - Consider use of API Marketplaces (public or SaaS)
  14. Thank you
    The API marketplace company
    E-Commerce Journey | Gateway agnostic | Regulated Industries
    Meet us for a Chat
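
The consent and IAM requirements on slides 9 and 10 (a data model linking product, user and Data User; revocable consent; OAuth2 scopes/claims; an audit log), sketched as an added example that is not part of the original deck. All names, identifiers and the in-memory store are hypothetical, and the JWT claims are assumed to come from a token whose signature and expiry the IAM or gateway has already validated.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ConsentStore:
    # Hypothetical model: (user, product, data_user) -> set of consented scopes
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, event, user, product, data_user, detail):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user, "product": product,
                               "data_user": data_user, "detail": detail})

    def grant(self, user, product, data_user, scopes):
        self.grants[(user, product, data_user)] = set(scopes)
        self._audit("consent_granted", user, product, data_user, sorted(scopes))

    def revoke(self, user, product, data_user):
        self.grants.pop((user, product, data_user), None)
        self._audit("consent_revoked", user, product, data_user, [])

    def authorize(self, claims, product, required_scope):
        """Decide one API call from already-verified JWT claims; deny by default."""
        user = claims.get("sub")             # resource owner (3-legged flow)
        data_user = claims.get("client_id")  # third party holding the token
        token_scopes = set(claims.get("scope", "").split())
        consented = self.grants.get((user, product, data_user), set())
        if required_scope not in token_scopes:
            decision = "deny:scope_not_in_token"
        elif required_scope not in consented:
            decision = "deny:no_active_consent"  # never granted, or revoked
        else:
            decision = "allow"
        self._audit("data_access", user, product, data_user,
                    {"scope": required_scope, "decision": decision})
        return decision == "allow"

def demo():
    store = ConsentStore()
    # Constructed sample claims, as if decoded from a validated access token.
    claims = {"sub": "user-42", "client_id": "insurer-app",
              "scope": "telemetry.read trips.read"}
    store.grant("user-42", "car-VIN123", "insurer-app", ["telemetry.read"])
    before = store.authorize(claims, "car-VIN123", "telemetry.read")
    unconsented = store.authorize(claims, "car-VIN123", "trips.read")
    store.revoke("user-42", "car-VIN123", "insurer-app")
    after = store.authorize(claims, "car-VIN123", "telemetry.read")
    return before, unconsented, after, [e["event"] for e in store.audit_log]
```

Checking consent on every call, not only at token issuance, is what makes revocation take effect while an issued token is still valid; denied calls are logged alongside allowed ones so the audit trail covers both.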