General information about EU Data Act

On this page you can find information about your rights pursuant to the EU Data Act (Regulation (EU) 2023/2854) and how Kongsberg Maritime AS ("KM") complies with the legislation. These rights will only apply to you if you are an EU company/resident.

The EU Data Act is a European law that sets out rules on fair access to, and use of, data generated by connected products and related services. Furthermore, the EU Data Act lays down rules regarding interoperability of, and right to switch between, data processing services.


KM delivers products and services which may fall within the scope of the EU Data Act, respectively as:

1)    A "Connected Product" (an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user); and/or
2)    A "Related Service" (a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the Connected Product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the Connected Product); and/or
3)    A "Data Processing Service" (a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction).

As an EU user/customer of KM's products or services within the scope of the legislation, you have certain rights. Read more about your rights as a user of KM Connected Products and Related Services or as a customer of KM Data Processing Services in the chapters below. 

Contact us

You may send inquiries relating to the EU Data Act, including data access requests, to .

For faster handling, please include: 
•    Your name and organisation;
•    Product/service name;
•    Vessel name and IMO number;
•    Proof of ownership or usage rights, and EU residency;
•    A description of your request (see further information on how to make a request below).


How to make a data access request:
•    Tell us what you need: Identify the product/service, time period, and data categories. If designating a third party, specify the recipient, contact details and purpose.
•    Verify identity/authority: If necessary, we may ask for documentation to confirm you are the user (or have the user’s authorisation) and, if relevant, that the third party acts on your instruction.
•    Delivery: We will make the data available to you or transmit it directly to your designated third party through secure channels.

How to request a switch between Data Processing Services:
•    Tell us what you need: Identify the service, the target provider, desired timelines, and scope of data/assets to be transferred.
•    Verification and plan: We will verify your authorisation and agree on a standardised switching plan (including cutover window, validation steps, and data integrity checks).
•    Execution: We prepare export packages and/or enable secure transfer to the destination environment. We will keep you informed of progress and any dependencies.

The user's rights related to KM connected products and related services

When KM is a manufacturer of Connected Products and Related Services, or data holder of data generated by such products or services, KM will entrust you as a user residing within the EU with practical, secure and reliable access to the data. 

What you can expect:
•    Transparency before purchase or use: We inform you which categories of data your Connected Product or Related Service generates, how you can access it, and how you can share it with a third party you choose. Details can be found in the specific quotation/offer.
•    Access to your data: You can obtain data generated by your use of the product/service in a clear, structured, and machine-readable format, without undue delay. Where technically feasible, we provide continuous or near-real-time access.
•    Sharing with a third party you designate: On your instruction, we will provide your data directly to a third party (e.g., a repair/maintenance provider or analytics service) under conditions that protect privacy, security, and confidential information.
•    Easy channels: You can make requests via the contact details listed in Section 2. Where available, we also offer a self-service portal/API for data export and third-party access management.
•    Format and interface: Data is provided using commonly used, machine-readable formats and, where appropriate, via interoperable APIs documented by KM.
•    Timing: We respond without undue delay and will inform you of expected timelines if the request is complex or requires technical preparation.
•    Costs: Access to data within scope is free of charge for you as a user. If you direct us to share your data with a third party, we do not charge you for that sharing. However, the third party may bear reasonable, cost-based fees for access, in line with the EU Data Act.
•    Privacy: If the data includes personal data, the GDPR applies. We will only share personal data where a valid legal basis exists (for example, your consent) and with appropriate safeguards. Please refer to our privacy notice for further information about our handling of personal data.
•    Security and trade secrets: We may apply proportionate measures (e.g., filtering certain fields, aggregation, confidentiality undertakings) where necessary to protect trade secrets, intellectual property, cybersecurity, or the rights of others, as permitted by the EU Data Act.
•    Responsible use by third parties: Third parties receiving your data must use it only for the purpose you specified, must keep it secure, and must not attempt to re-identify individuals or share the data onward without authorisation.

What may be limited:
We are committed to enabling data access. In some cases, however, your rights may be subject to proportionate limitations permitted by the EU Data Act:

•    Data that would compromise cybersecurity or the rights and freedoms of others.
•    Data revealing trade secrets or IP, unless protective measures can reasonably mitigate the risk.
•    Data that includes third-party confidential information.
•    Data we do not hold or cannot technically access without disproportionate effort.

General Terms and Conditions
The KM General Terms and Conditions for Connected Products and Related Services apply for all KM Connected Products and Related Services, with further specification provided in the relevant quotation/offer.


The customer's rights related to KM Data processing services

As a customer of KM Data Processing Services, you have the right to request switching and portability so you can move your data and digital assets to another provider or back on premises, with minimal disruption.

Your switching and portability rights

•    Port your data and digital assets: You can port your exportable data and digital assets securely, in a structured, commonly used, machine-readable format.
•    Transparency: We inform you of available procedures for switching and porting to the data processing service, including information on methods, formats and fees (see further below) as well as restrictions and technical limitations which are known to KM. We also provide a reference to an up-to-date online register with details of all the data structures and data formats as well as the relevant standards and open interoperability specifications. Details can be found in the specific quotation/offer.
•    Privacy: If the exportable data includes personal data, the GDPR applies. We will only share personal data where a valid legal basis exists (for example, your consent) and with appropriate safeguards. Please refer to our privacy notice for further information about our handling of personal data.
•    Assistance: We provide commercially reasonable switching assistance (documentation, tools, support) to help you transition toward functional equivalence, where required under the Data Act.
•    Interfaces and formats: We use interoperable interfaces and publish documentation for export/import to facilitate switching.
•    Timing: We will carry out switching without undue delay once you initiate the process and complete any required security and verification steps.
•    Fees and charges: Any fees related to switching (including data egress) are limited and cost-based, and will be eliminated by 12 January 2027. We will be transparent about any applicable fees before you proceed. Details can be found in the specific quotation/offer.
•    Contractual clarity: Our contracts comply with your right to contractual clarity regarding the switching process, timelines, deliverables, formats, and any support included, consistent with the EU Data Act.

Interoperability of KM Data Processing Services 

To support switching and multi-provider strategies, we design our Data Processing Services with interoperability in mind, in line with the EU Data Act.
•    Open, documented interfaces: We provide documentation for relevant APIs, data models/schemas, export/import tools, and event formats to enable integration and migration.
•    Standard, commonly used formats and protocols: Where appropriate, we support widely used, machine-readable formats and protocols to facilitate portability and integration.
•    Identity and access integration: We support industry-standard identity federation and access control approaches to help you align user and service identities and policies across environments, where technically feasible.
•    Networking interoperability: We provide necessary network information and support standard secure connectivity methods for data transfer.
•    Observability and automation: Where applicable, logs, metrics, and deployment artifacts are available in commonly used formats to assist validation and automation during migration.
•    Compliance with specifications and standards: We align with applicable open interoperability specifications and standards, such as ISO/IEC 19941:2017 and European standards adopted under the EU Data Act, and will implement new standards within the prescribed timelines.

What may be limited

We are committed to enabling switching and interoperability. In some cases, however, your rights may be subject to proportionate limitations permitted by the EU Data Act:
•    Functional equivalence: We will make best efforts to support your transition toward functional equivalence, but complete feature parity may not be achievable due to differences in providers’ architectures or proprietary features.
•    Custom-built features: Where all or the majority of main features or components have been custom-built to accommodate the specific needs of an individual customer, and are not offered at broad commercial scale, we may not be able to provide functional equivalence or compatibility, or reduced switching charges.
•    Security and service integrity: We may sequence or adjust migration steps, or apply controls, if necessary to maintain cybersecurity, service integrity, or prevent misuse.
•    Protection of intellectual property and trade secrets: We may avoid disclosing source code, proprietary implementation details, or other trade secrets or intellectual property rights.
•    Third-party rights and licenses: We cannot transfer third-party licensed components or data where license terms or law prohibit it; you may need separate licenses with the destination provider.
•    Legal and compliance constraints: We may be unable to process a switching request that would breach applicable law, regulatory requirements, sanctions, export controls, or binding orders.
•    Technical infeasibility or disproportionate effort: If a specific migration path is not technically feasible or would require disproportionate effort relative to the scope of data/services involved, we will propose reasonable alternatives (e.g., different formats, staged migration).
•    Customer-side prerequisites: Switching may depend on your completion of prerequisites (e.g., providing decryption keys, aligning identity/role models, preparing target environment, or ensuring sufficient bandwidth).

General Terms and Conditions

The KM General Terms and Conditions for Data Processing Services apply for all KM Data Processing Services, with further specification provided in the relevant quotation/offer.

Processing location and measures to prevent international governmental access

To deliver our Data Processing Services, we process your data using appropriate ICT infrastructure, and where feasible we use servers located in the EU/EEA.

To safeguard your data, we have implemented a range of technical and organisational measures designed to prevent any international governmental access to, or transfer of, non-personal data that could conflict with EU law or the laws of Norway. Please refer to the list of technical and organisational measures below.

KM will inform you as a customer about the existence of a request of a third-country authority to access your data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.

List of technical and organisational measures:
•    Data residency and segregation: EU/EEA data hosting options, logical tenant isolation, dedicated environments on request.
•    Government access request policy: We scrutinise any request and require a valid, binding legal basis recognised in the EU/EEA, challenge improper or extraterritorial requests, disclose only the minimum necessary, and notify you unless legally prohibited.
•    Contractual safeguards: Include contractual commitments not to transfer or disclose non-personal data in conflict with EU/EEA or Norwegian law, and transparency reporting where permitted.
•    Sub-processor governance: Due diligence, contractual flow-down of EU Data Act obligations, data residency and security requirements, and continuous oversight.
•    Encryption: Data encrypted in transit and at rest (when in KM systems), optional customer managed keys with key management service (storing and processing in EU), strict key access controls and segregation of duties.
•    Access control: Role-based access control, least privilege enforcement, multi-factor authentication for all administrative access, privileged access management, regular entitlement reviews.
•    Monitoring and logging: Centralised audit logs for access, changes, and data transfers, tamper-resistant storage, continuous monitoring and event alerting.
•    Secure development and change management: Secure software development life cycle, code review, vulnerability scanning, penetration testing, and controlled release processes.
•    Incident response: 24/7 incident handling, containment and eradication procedures, customer notification without undue delay where required, and post-incident review.
•    Business continuity and resilience: Regular backups, geo-redundancy within the EU/EEA where applicable, and recovery plans.
•    Certifications and audits: ISO/IEC 27001 and, where applicable, D-INF(G) End to End solution, Cyber Security (SP1) and IACS UR E27 for relevant services; third-party audits and customer audit rights as agreed.
•    Staff security and training: Background checks where lawful, confidentiality obligations, and regular security and data protection training.