EU Data Act and e-commerce – who really controls the data in your sales ecosystem?

For many years, the discussion about data in e-commerce focused mainly on sales analytics, customer data, personalization, remarketing, GA4 reports, campaign effectiveness and conversion optimization. Data was treated as fuel for marketing and a tool for making better business decisions. Companies analyzed where users came from, which products they viewed, where they abandoned the cart, which campaigns generated sales and how the order value changed.

This way of thinking remains important, but it is no longer sufficient to describe what data is becoming in modern e-commerce. Increasingly, data is no longer only an analytical resource. It is becoming an element of business architecture, part of supplier relationships, a foundation for automation, a condition for efficient integrations, a source of operational advantage and, at the same time, an area of growing regulatory requirements.

The EU Data Act shows this change very clearly. It is not a regulation written exclusively with online stores in mind, but its importance for trading companies, manufacturers, distributors, brands and organizations developing digital sales may be significant. Especially when e-commerce does not function as a simple catalogue with a cart, but as part of a larger ecosystem: with ERP, PIM, WMS, CRM, marketplaces, B2B platforms, connected products, digital services, cloud, mobile applications, customer portals and automation systems.

The Data Act, Regulation (EU) 2023/2854 of the European Parliament and of the Council, was published in the Official Journal of the European Union on 22 December 2023 and has applied since 12 September 2025. The European Commission describes it as a legal act intended to provide greater clarity around access to data and its use, as well as an important element of the European data economy.

From the perspective of e-commerce, the most important question is therefore not only: “does the Data Act apply to us?”. A much more important question is: “do we know who really controls the data in our sales ecosystem?”. Because if a company does not control where data is created, who has access to it, in which systems it is stored, how it can be transferred, how it is used by technology providers and whether it can be safely shared, then the problem does not start with regulation. The problem starts with architecture.

Why the Data Act is becoming important right now

The Data Act was designed as part of the broader European data strategy. Its goal is to increase data availability, create fairer rules for its use and reduce situations in which data generated by devices, services or systems remains under the exclusive control of one entity. The European Commission indicates that the Data Act gives users greater control over data generated by connected products and related services, while also making it easier to use data in the economy.

At first glance, it may seem that the topic mainly concerns manufacturers of IoT devices, industry, machinery, cars, agriculture, medical equipment, electronics, applications connected with devices or services based on data generated by products. It is true that the Data Act strongly refers to data from connected products and related services. The European Commission gives examples such as smartwatches, industrial equipment or equipment used in agriculture, and one of the assumptions of the regulation is to enable users to have better access to data generated by such products.

However, limiting this topic only to device manufacturers would be too narrow. In modern e-commerce, more and more products, services and processes are connected with data. A store sells connected devices, accessories, spare parts, products requiring service, subscriptions, extended warranties, digital services, applications, products integrated with manufacturers’ platforms or B2B solutions that generate data during their life cycle. At the same time, the e-commerce infrastructure itself operates on cloud services, SaaS, PaaS, marketing automation tools, analytics systems, marketplaces, payment integrators and logistics platforms.

The Data Act also affects the area of data processing services, including cloud. The European Commission indicates that the regulation is intended to allow cloud users to switch more easily between service providers or use services from several providers in parallel. This is highly relevant for e-commerce companies, which are often strongly dependent on infrastructure, systems and technology providers. The more online sales rely on data and integrations, the more important the ability to control, transfer and further use that data becomes.

In practice, the Data Act fits into the same direction we are already seeing with the Digital Product Passport, AI governance, B2B automation, PIM and ERP integrations or agentic commerce. The market is moving toward greater data transparency, better interoperability, greater responsibility for architecture and lower tolerance for closed, non-portable and difficult-to-audit ecosystems.

Data in e-commerce is no longer owned only by marketing

In many companies, data is still understood in a very fragmented way. The marketing department thinks about campaign data, traffic, conversion and customer segments. The e-commerce department thinks about the catalogue, prices, inventory, orders and products. The IT department thinks about integrations, databases, APIs, security and access. The B2B sales department thinks about customers, discounts, commercial terms and order history. The operations department thinks about logistics, deliveries, returns and stock levels. Each team sees a fragment, but there is not always one shared answer to the question of how data flows through the entire organization.

In simple e-commerce, such a model may work for some time. The problem begins when the company grows, adds more sales channels, enters new markets, develops B2B, integrates marketplaces, implements PIM, automates marketing, uses several analytics tools, builds a mobile application, expands the ERP system or starts selling products connected with digital services.

Then data stops being an addition to sales. It becomes the circulatory system of the entire business. If this system does not work properly, the company starts to feel the consequences in many places at once: incorrect stock levels, inconsistent prices, problems with complaints, chaotic integrations, incomplete reports, unreliable personalization, manual work by teams and limited ability to change technology providers.

The Data Act strengthens the need to organize this area because it shifts the discussion about data from the level of “what can we do with it in marketing?” to the level of “who has access to it, who controls it, who can transfer it, who can use it and how do we have this documented?”. The European Commission indicates that the Data Act complements the Data Governance Act and provides legal clarity around access to data and its use.

For e-commerce companies, this means the need for a new level of maturity. It is not enough to have a lot of data. You need to understand its origin, structure, value, risks, flows and technological dependencies. Data that a company cannot map, transfer or safely share is not a truly controlled asset. It is rather a hidden cost that will become visible during a system change, audit, new regulatory requirement, AI implementation or platform migration.

The biggest mistake: thinking that the Data Act concerns only the legal department

One of the biggest mistakes companies can make in relation to the Data Act is treating it solely as a legal task. Of course, the regulation requires legal analysis, contract review, assessment of obligations and adjustment of procedures. However, in practice, a large part of the problems related to data does not result from the wording of the contract itself, but from how the technological ecosystem is designed.

If a company does not know where data is stored, which system generates it, which provider has access to it, in what format it can be exported, whether it can be separated from other customers’ data, whether integrations allow it to be transferred and whether it is described in technical documentation, the legal department will not solve this problem on its own. It can indicate obligations, risks and contractual provisions, but it will not design the data architecture.

This is because the Data Act touches not only the formal right of access to data, but also the practical ability to manage it. If data is locked in a SaaS tool, export works only partially, the API is limited, integration documentation is incomplete and key processes require manual action from the provider, the company may formally have certain rights, but operationally it remains dependent on one system or partner.

This is a very common problem in e-commerce. The sales platform is connected with ERP, PIM, marketplaces, a mailing system, a recommendation tool, a loyalty system, payments, couriers, BI, CRM and advertising tools. Each of these systems collects or processes some fragment of data. If there is no architecture that organizes these dependencies, the company may appear to operate effectively for years. Only a system change, conflict with a provider, the need to migrate data or a new regulatory requirement shows that no one has full control over the ecosystem.

That is why the Data Act should be an impulse not only to review contracts, but also to review architecture. It is necessary to check what data is generated, where it goes, who can read it, who can modify it, how it can be exported, whether transfer mechanisms exist, whether integrations are documented and whether the company can change provider without losing control over processes.

Data from connected products as a new element of sales and customer service

One of the most important areas of the Data Act is data generated by connected products and related services. The European Commission indicates that the regulation gives users greater control over data generated by their connected devices and may make it easier to choose more cost-effective repair and maintenance services or perform such activities independently.

For e-commerce, this matters especially in industries where the product does not end its role at the moment of sale. This applies to consumer electronics, sports equipment with applications, smart home devices, machinery, tools, medical products, beauty tech devices, industrial equipment, consumables, vehicles, household appliances, monitoring systems, sensors, B2B solutions and many categories in which data is generated during product use.

In such a model, the online store or B2B platform is no longer only a place of transaction. It can become a center for customer service, documentation, warranty, service, spare parts, operational recommendations, repeat orders and post-sales communication. Product data may be relevant for repair, maintenance, replenishment, accessory recommendations, purchase automation or verification of warranty conditions.

If a company sells connected products, it should understand what data is generated during the product life cycle, who holds it, what rights the user has, how data can be shared with a third party and how this information is connected with customer service. The Data Act does not mean that every store must automatically build full infrastructure for handling device data. However, it does mean that companies selling such products should increasingly understand where their sales responsibility ends and where the role of data in the entire product life cycle begins.

In B2B, this topic may be even more strategic. A business customer who buys devices, machines, systems or consumables may expect access to data that helps optimize work, plan service, control consumption, analyze costs and manage processes. If the sales platform can connect purchasing, service, product and operational data, it can become an important element of the customer relationship, not just an order placement channel.

Cloud, SaaS and the risk of vendor lock-in in e-commerce

The second area of the Data Act that is particularly important for e-commerce is data processing services and the ability to change providers. The European Commission emphasizes that the Data Act is intended to make it easier for cloud users to switch between providers or use several providers in parallel.

This is very important because modern e-commerce is increasingly based on external services. A sales platform may operate in a SaaS, PaaS, self-hosted or hybrid model. Product data may be in PIM, customer data in CRM, orders in ERP, automations in marketing automation, segments in CDP, reports in BI, logs in an observability tool, files in the cloud and customer communication in external systems. In practice, a company often does not have one system, but a network of dependencies.

The risk of vendor lock-in appears when an organization cannot easily change provider because data is difficult to export, formats are unclear, integrations are non-standard, documentation is insufficient and knowledge about processes sits with one technology partner. Then the system that was supposed to support business development begins to limit the ability to change.

In e-commerce, vendor lock-in is not only a technical problem. It can become a financial, operational and strategic problem. A company may want to change platform, but data migration turns out to be very expensive. It may want to integrate a new sales channel, but the current system does not allow meaningful API access. It may want to launch advanced analytics, but data is scattered and inconsistent. It may want to change its operating model, but all business logic has been embedded in custom solutions that no one can quickly recreate.

The Data Act will not replace good architecture design. It can, however, strengthen the expectation that companies will be more aware of their rights, data, formats, integrations and dependencies on providers. From a management board perspective, this is a very specific question: does our e-commerce platform increase business independence, or is it gradually locking us into a model from which exit will become increasingly expensive?

Where companies most often lose control over data

Loss of control over data rarely happens in one moment. Most often, it is the result of many small decisions made over the years. A company implements a new newsletter tool because it quickly needs segmentation. It adds a marketplace integration because it wants to increase sales. It introduces PIM, but only for part of the assortment. It connects ERP with the store through a custom connector. It launches BI, but pulls data from several inconsistent sources. It creates non-standard fields in the platform, but without a clear data model. It implements a loyalty application that stores customer data in a separate system.

Each decision may make sense locally. The problem arises when no one designs the whole. Data begins to live in many places, and the organization loses the answer to basic questions. Which system is the source of truth for the product? Which for the price? Which for inventory? Which for the B2B customer? Which for order history? Which for marketing consents? Which for complaints? Which for service data? Which for reporting?

In such an environment, every change is risky. A price update may not reach all channels. A product status change may appear in the store, but not in the marketplace. A new attribute may be available in PIM, but not in e-commerce. Customer data may be segmented in one tool but inconsistent with what CRM shows. A sales report may not match a financial report because systems define an order, return or margin differently.

The Data Act puts the topic of control over data at the center, but for e-commerce companies it is also a matter of operational efficiency. If data is disorganized, the company not only risks regulatory problems. It loses time, money and development opportunities every day. Teams manually correct information instead of scaling sales. IT maintains workarounds instead of developing new features. Managers make decisions based on reports they are not sure about. The customer sees inconsistencies that reduce trust in the brand.

The Data Act as a test of sales ecosystem maturity

From our perspective, the Data Act is a good test of sales ecosystem maturity. Not because every e-commerce will be affected by the regulation in the same way. Rather because the questions resulting from the Data Act very quickly lead to foundations that are important for every growing trading organization.

Do we know what data we generate? Can we identify its sources? Do we control access? Is the data portable? Do our systems communicate through stable APIs? Do we document integrations? Can we separate operational data from marketing, product and transactional data? Do we know where data created by external providers is located? Can we change provider without business paralysis?

These are regulatory questions, but at the same time very business-oriented ones. A company that knows the answers is better prepared not only for the Data Act. It is also better prepared for platform migration, B2B development, PIM implementation, international sales growth, process automation, AI, agentic commerce, ESG reporting and further digital regulations.

A company that does not know the answers will usually discover problems only when pressure appears. A new market requires different data. A B2B customer expects integration. A technology provider raises prices. The team wants to implement AI, but does not have consistent access to information. The regulator requires transparency. System migration turns out to be more expensive than planned. Each of these situations reveals the same problem: data was not designed as part of the business architecture.

That is why the Data Act is worth treating not as another administrative obligation, but as an opportunity to organize the question of ownership, availability, portability and data quality. In e-commerce, this question has a direct impact on scalability.

What the Data Act means for B2B e-commerce

In B2B, the topic of data is particularly complex. The sales platform does not handle only simple transactions, but relationships between companies, organizational structures, user roles, individual prices, credit limits, approval processes, commercial terms, repeat orders, offers, documents, complaints, service and integrations with the customer’s systems.

In such an environment, data is not only supporting information. It is part of the commercial process. If a B2B customer sees the wrong price, outdated stock, incomplete documentation or no access to order history, the problem does not concern UX. It concerns trust in the entire sales channel. If the B2B platform does not show reliable data, the customer returns to email, phone or direct contact with a sales representative.

The Data Act may be relevant for B2B companies on several levels. First, in relationships with customers who use connected products, machines, devices, systems or services that generate data. Second, in relationships with technology providers who store, process or share data within platforms and cloud services. Third, in designing their own architecture, which should enable secure data exchange with customers, partners and external systems.

In practice, B2B e-commerce will increasingly require a data-first approach. The business customer will expect not only the ability to place an order, but also access to documents, technical information, product data, logistics statuses, transaction history, data for reporting and integration with their own procurement system. If a company can share this data in an organized way, it can build a stronger customer relationship. If it cannot, its B2B platform remains only a digital layer on top of a traditional process.

This is particularly important in the context of larger organizations that treat B2B e-commerce as an element of digital transformation. Data must be available, but not randomly. It must be shared according to roles, permissions, commercial terms and customer context. Good architecture should combine openness with control.

What the Data Act means for B2C and retail

In B2C, the Data Act topic may be less obvious, but it is certainly not less important. Retail increasingly sells products that are not only physical objects. They are connected with applications, user accounts, additional services, warranty, subscription, service, usage data or the manufacturer’s environment.

A customer buying a smart device, electronic equipment, an accessory with an application, an activity-monitoring product, a home device or a digitally supported solution may expect greater transparency. They may want to know what data is generated during product use, who has access to it and how it may be used. The Data Act strengthens the direction in which the user is to have greater control over data generated by connected devices.

For retail, this means the need to better connect sales information with post-sales information. A product page may not be enough in the future if the customer expects clear information about data generated by the product, access terms, service options, compatibility with services, the manufacturer’s policy or integration with an application. Customer service may also require better knowledge of where the seller’s responsibility ends and where the responsibility of the manufacturer or digital service provider begins.

Retailers should also pay attention to their own technological dependencies. B2C e-commerce often uses many SaaS tools that store fragments of customer data, orders, behavior, segments, recommendations, consents, ratings, reviews and campaigns. If this data is difficult to transfer or connect, the company loses flexibility. It may have a good store, but poor control over the ecosystem that powers that store.

In this sense, the Data Act is also a reminder that modern retail should design technology with portability and interoperability in mind. Even if the regulation does not immediately force changes in every area of the store, the market direction is clear: closed, opaque and difficult-to-migrate environments will become an increasing risk.

The role of integrations: data cannot end in one system

In e-commerce, data is valuable only when it can flow to where it is needed. Product data must move from PIM to the sales platform, marketplaces and catalogues. Order data must go to ERP, WMS, payments, invoicing and customer service. Customer data must be consistent with CRM, the B2B system, marketing automation and transaction history. Logistics data must be up to date in the store, customer panel and post-sales communication.

If integrations are well designed, data supports processes. If they are chaotic, data begins to block development. Every new channel requires additional work. Every new tool requires manual mapping. Every migration becomes risky. Every change in ERP may cause problems in the store. Every new report shows a different version of reality.

The Data Act strengthens the importance of interoperability because access to data only makes sense when the data can be used in practice. Having a CSV export alone does not yet mean control over data. If data is incomplete, poorly described, inconsistent, not connected with processes or difficult to import into another system, the company remains limited.

That is why integrations should be designed not only for the current use case, but also for future change. A company should know which API is stable, what the limits are, how authorization works, what data is available, which processes are synchronous, which are asynchronous, how errors are handled, how flows are monitored and how the process can be recreated in another system.

This is particularly important in larger-scale e-commerce implementations. If the platform is to support B2B, B2C, many markets, several languages, different currencies, local commercial terms, marketplaces, PIM, ERP and automation, integrations cannot be an add-on. They must be part of the architecture from the first stage of the project.

Why Shopware responds well to this direction

Shopware is a good example of a platform that fits the direction of greater openness, integrability and work within a data ecosystem. Official Shopware materials emphasize an open API-first architecture and the ability to integrate with the systems the business depends on. For companies that want to reduce vendor lock-in and build a more flexible sales environment, this approach is highly important.

In practice, Shopware can serve as the central element of an e-commerce ecosystem that communicates with ERP, PIM, WMS, CRM, payment systems, marketing tools, headless frontends, mobile applications and B2B portals. Shopware documentation indicates that the platform provides HTTP APIs, including Store API for customer-facing interactions and Admin API for administrative and system operations.

This is important in the context of the Data Act because companies need increasing control over data flows. An e-commerce platform cannot be a closed box from which information is difficult to extract or which is difficult to connect with the rest of the environment. It must be part of a broader architecture in which data is available in a controlled way, according to the system’s role, security and business needs.

Shopware also supports the headless approach. Official materials indicate that Shopware 6 was designed with headless commerce in mind, and the API-first approach is intended to provide flexibility in delivering shopping experiences across different channels and devices. This is important for companies that do not want to build e-commerce as one rigid storefront, but as an environment capable of supporting multiple interfaces and sales models.

Of course, this does not mean that implementing Shopware alone automatically solves the Data Act topic. No platform can replace a data strategy, good architecture, proper integrations and organizational responsibility. However, Shopware provides a foundation that can be designed in a more open, scalable way and prepared for future requirements. What matters is how the platform is implemented, what it is connected with, what sources of truth are established and how data will flow.

How companies should prepare for the Data Act from a technology perspective

The most sensible preparation does not begin with panic or creating another procedure that will be placed in a compliance folder. It begins with a data map. The company should understand what data is created in its sales ecosystem, which data is generated by products or services, which data is processed by technology providers, where data is stored, who has access to it and what the possibilities are for transferring it.

The second step is a system map. It is necessary to check which tools create and process data: the e-commerce platform, ERP, PIM, WMS, CRM, marketplaces, payments, marketing automation, BI, customer service, mobile applications, loyalty systems, service systems, analytics tools and cloud infrastructure. For each system, it is worth answering the question of what data is stored in it, whether the system is the source of truth or only a data recipient, how export works, what API is available and what happens when the provider changes.

The third step is a review of integrations. Many companies then discover that some integrations are well documented, some depend on one provider, some operate on manual files, some have performance limitations, and some were created years ago and no one is sure how they work. In the context of the Data Act and more broadly understood control over data, this situation is risky. Integrations should be described, monitored and designed so that the company understands data flows.

The fourth step is an analysis of contracts with technology providers. Here, legal and technological cooperation is needed. A contract may refer to access to data, but the technical team should check whether this access is practically possible, in what format, how often, through which API and with what limitations. Regulatory compliance without technical feasibility does not give the company real control.

The fifth step is designing the target data architecture. Not every company immediately needs a huge data management platform. However, every growing e-commerce company should know which systems play key roles, how data flows, where permissions are controlled, how integration with BI works, where product data is created and how changing provider affects sales processes.

Data governance as an element of scaling e-commerce

Many companies do not like the term governance because it sounds administrative. In practice, data governance means something very specific: it is clear who is responsible for data, who can change it, who can read it, where the source of truth is located, how changes are approved, how errors are monitored and how the company responds to inconsistencies.

Without governance, even the best platform begins to produce chaos over time. The product team adds attributes in its own way. Marketing creates its own segments. B2B sales maintains separate lists of commercial terms. IT builds integrations under time pressure. Customer service manually adds statuses. The marketplace has its own data logic. After a few years, the company has many systems, a lot of data and less and less certainty about what is current.

The Data Act strengthens the need for governance because access to data and its use require clarity. In e-commerce, governance should cover not only personal data, but also product, transactional, operational, technical, service, logistics data and data generated by external systems. This is not a topic only for large corporations. It is a topic for every company that wants to scale sales without a sudden increase in operating costs.

Well-designed governance should not block business. It should accelerate work because it reduces the number of questions, errors and exceptions. If it is clear which system is responsible for the price, it does not need to be manually corrected in several channels. If it is clear who approves product data, there is no need to look for responsibility after the fact. If it is clear how data export works, migration or integration does not start with chaos.

In this sense, the Data Act can become an impulse for better data management, even if specific regulatory obligations will differ depending on the company’s business model. The need itself to understand data, access, portability and dependency on providers is universal.

From regulation to organized sales architecture

At CREHLER, we look at the Data Act not as an isolated legal topic, but as part of a larger change in e-commerce. Online sales increasingly depends on data quality, system interoperability, integration capabilities, control over technology providers and the organization’s ability to respond quickly to new requirements.

That is why in e-commerce projects we do not start only with a list of features visible in the store. We analyze how the entire ecosystem works: where product data is created, how it is connected with ERP, which processes PIM supports, how orders move to operational systems, how customer data reaches CRM, how B2B works, how the company reports sales, how integration with payments, logistics, marketplaces and marketing tools works.

In the context of the Data Act, it is particularly important that the e-commerce platform is not a closed element, but part of a well-designed architecture. Shopware provides a solid foundation here thanks to its open approach, API-first and the possibility of working in a headless and integration-oriented model. However, the final value depends on implementation: whether systems are properly connected, whether data has its sources of truth, whether integrations are stable, whether the company retains control over platform development and whether it can scale the platform without losing transparency.

We help companies design e-commerce so that it responds not only to today’s sales needs, but also to future requirements regarding data, regulations, automation, AI, B2B self-service and international development. In this approach, the Data Act is not an obstacle. It is another signal that a modern sales platform must be built on solid foundations of data and integrations.

Companies that control data use market changes faster

The EU Data Act should not be treated only as another regulation that needs to be checked with a lawyer and filed away in a document folder. For companies developing e-commerce, it is an important signal of the direction in which the market is heading. Data is becoming increasingly strategic, while at the same time it can less and less be locked in opaque systems, accidental integrations and dependencies on one provider.

The greatest advantage will belong to organizations that can answer the question of who really controls data in their sales ecosystem. Not only formally, but operationally. Not only in the contract, but in the architecture. Not only in a declaration, but in the everyday work of systems, teams and processes.

A company with organized data, well-designed integrations and an open e-commerce architecture is better prepared for new regulations, provider change, AI development, international expansion, personalization, B2B automation and new sales models. A company operating on undocumented workarounds, scattered data and closed systems will increasingly pay for this with slower development, higher costs and greater risk.

That is why the best moment to talk about the Data Act is not the day of an inspection or the moment of system migration. The best moment is the stage of designing or developing an e-commerce platform. Then it is still possible to consciously decide which data is key, where it should be located, how it should flow, how it should be secured and how the company will retain control over it in the long term.

At CREHLER, we help companies build scalable e-commerce platforms based on Shopware that are not just online stores, but part of an organized ecosystem of sales, data and integrations. If you want to check whether your organization really controls the data in its e-commerce, it is worth starting with a conversation about architecture – before further regulations, migrations or market requirements show how much the lack of this control costs.