We measure change not by what is promised, but by what is quietly normalised.
Prologue: A Note on Method and Perspective
This post is written in the style of a reflective retrospective—one year after the EU Data Act came into force. While the events described are not drawn from post-implementation data, the analysis is grounded in a careful blend of evidence and foresight.
To craft this piece, we drew on:
The contents of Enode’s original article, which outlines the Act’s aims, mechanisms, and implications for the energy industry.
Known provisions of the EU Data Act and adjacent regulatory frameworks, including GDPR and the Data Governance Act.
Design and behavioural patterns observed in past digital consent systems.
A structured series of scenario-based analyses conducted in earlier phases of this review—including red teaming, interface critique, and strategic implications.
This reflection was prompted by ongoing discussions around data-sharing, identity frameworks, and consumer empowerment in Australia and other jurisdictions.
This post has been prepared to help those involved in similar efforts—particularly in Australia and other emerging energy data markets—learn from the EU’s example and explore what the first year of implementation might reveal.
This is not a forecast, nor a verdict. It is a forward-looking reflection on what may emerge when regulation meets practice—and where attention might be most useful before assumptions harden into outcomes.
The reflections that follow are intended as prompts, not conclusions.
Introduction
One year after the EU Data Act formally came into effect on 12 September 2025, the landscape of energy data feels both altered and familiar. Rights were granted, access enabled, and interfaces updated—but how much has truly shifted beneath the surface?
Has user control become a lived experience, or a regulated assumption? Have energy markets opened up to new actors, or merely reconfigured around existing ones? And are the dynamics of trust, governance, and innovation moving forward—or sideways?
This post explores what has changed, what hasn’t, and what this early implementation period might suggest about the longer arc of energy data regulation in Europe—and what observers elsewhere might take from it.
Visible Shifts: The Surface of Implementation
Sometimes, compliance looks like progress.
In the twelve months since the Act came into force, many energy firms moved swiftly to meet visible obligations—creating the appearance of widespread transformation.
Certain patterns stand out:
Consent mechanisms are now ubiquitous: Platforms now prompt users to allow access to their device data, often through pop-ups or onboarding flows.
API endpoints have multiplied: Device manufacturers, software providers, and aggregators have adopted standardised interfaces to enable third-party access.
Dashboards have become a norm: Many platforms now offer portals where users can see which apps have access and what data is shared.
These are tangible indicators of legal alignment. But functionality doesn’t always equal empowerment. Underneath this progress lie deeper continuities—and emerging tensions.
Quiet Continuities: What Hasn’t Changed
Structure resists where interface adapts.
While surface-level implementation has been rapid, many underlying dynamics remain largely intact. Data still flows unevenly, control still concentrates, and energy markets still operate through established gatekeepers.
Some persistent realities:
Users still lack practical agency: Most people do not change default settings, review permissions, or meaningfully engage with consent beyond the initial prompt.
Platform power is more entrenched: Aggregators and middleware providers have become even more central—managing access at scale, and monetising it.
Trust has not increased proportionally: Public understanding of energy data rights remains low, and scepticism around digital consent remains common.
In other words, the rules have changed, but the habits—and hierarchies—often have not.
That said, pockets of meaningful change are emerging where actors have leaned into the spirit, not just the letter, of the law.
Emergent Practice: Where Innovation Happened
Where ambiguity exists, creativity follows.
In areas where the Data Act left room for interpretation, some actors have used that ambiguity to test new models of consent, access, and trust.
Encouraging developments include:
Time-based consent models: Some apps now allow access for a defined window (e.g., 7 days), prompting users to renew rather than forget.
Community-led access frameworks: A few local energy communities have developed shared dashboards where data governance is managed collectively.
Transparency overlays: Some platforms have added “data journeys” that visualise how and where data is used, updated in real time.
These aren’t yet widespread—but they signal how innovation often occurs at the margins, in response to emerging expectations rather than fixed obligations.
Yet even as new practices arise, deeper tensions continue to shape the regulation’s impact.
Latent Tensions: What’s Emerging Beneath
The act of sharing often reveals deeper asymmetries.
Even where the Act has been implemented faithfully, new challenges are surfacing:
Delegated access without meaningful recourse: Once users grant access, revoking it is often unclear—and the impact on historical data is rarely explained.
Small actors struggling to keep up: While large platforms can build compliant infrastructure, smaller device makers often lack resources—leading to uneven enforcement.
APIs without accountability: Standardised interfaces enable data flow, but don’t always track what happens after access is granted.
These tensions suggest that future regulation may need to address not just the mechanics of consent, but the responsibilities attached to using that access well.
As we look beyond the first year, a different kind of shift may be required—one that moves from form to function.
Beyond the Letter: The Work Still Ahead
Adoption is not the same as alignment.
While Year One has seen significant technical and regulatory compliance, the deeper promise of the EU Data Act—genuine user empowerment, market innovation, and trust restoration—remains only partially fulfilled.
To move forward meaningfully:
Policy must include design: Consent must be felt, not just formatted.
Trust must be cultivated: Platforms should move beyond minimum compliance to embrace participatory transparency.
Accountability must follow access: Third-party data users should face traceability and public obligations—not just private opportunity.
The next year will test whether the Act becomes a foundation for democratic data governance—or simply another checkbox in the digital compliance toolkit.
Change is visible in how systems look—but transformation is revealed in how they are experienced.
Geoff … what an extraordinary exemplary contribution on this subject. I’m pleased to have played a small part in bringing this discussion to your attention …
Looking forward to further discussions, and access to NEMlog data and insights, to help me in my role as the DSAC’s - Data Standards Advisory Committee’s - Consumer Representative.
👏🏻👏🏻