On 5 May 2026, the European Commission adopted Commission Implementing Decision (EU) 2026/923, mandating that all Building Digital Twin systems delivered to EU public sector entities and critical infrastructure operators—including smart campuses, airports, and hospitals—must integrate a certified GDPR Data Sovereignty Module from 1 October 2026. This development directly affects vendors, system integrators, and infrastructure operators engaged in digital twin deployments across the EU.

Event Overview

The European Commission published Commission Implementing Decision (EU) 2026/923 on 5 May 2026. The decision stipulates that, effective 1 October 2026, all Building Digital Twin systems supplied to EU public authorities and operators of critical infrastructure must embed a ‘GDPR Data Sovereignty Module’ certified to EN 301 549 v3.2.1. The module must deliver three mandatory capabilities: localised storage of personal data within the EU, zero-caching of personal data during cross-border transfers, and one-click export functionality supporting the data portability right under GDPR.

Which Subsectors Are Affected

Building Digital Twin System Vendors

Vendors developing or selling turnkey Building Digital Twin platforms are directly subject to the requirement. Non-compliant systems will not be eligible for procurement contracts with EU public bodies or critical infrastructure operators after the deadline. Impact includes mandatory architectural redesign, third-party certification processes, and potential delays in product release cycles.

System Integrators & Implementation Partners

Integrators responsible for deploying, customising, or maintaining Building Digital Twin solutions must verify module inclusion, configuration, and runtime compliance before handover. Failure to validate sovereignty module operation may result in contractual non-acceptance or liability exposure under EU public procurement rules.

Smart Infrastructure Operators (e.g., Airport Authorities, Hospital Trusts, Campus Managers)

Organisations operating critical infrastructure face new due diligence obligations when procuring or upgrading digital twin systems. They must confirm vendor compliance documentation—including EN 301 549 v3.2.1 certification—and ensure operational validation of the three mandated capabilities prior to go-live.

What Enterprises and Practitioners Should Monitor and Do Now

Track official technical specifications and certification guidance

The European Telecommunications Standards Institute (ETSI) and national notified bodies have not yet published detailed test protocols for the GDPR Data Sovereignty Module against EN 301 549 v3.2.1. Enterprises should monitor updates from ETSI and the EU Commission’s Joint Research Centre, particularly regarding conformance criteria for ‘zero-caching’ and localisation boundary definitions.

Review active and upcoming procurement pipelines for EU public and critical infrastructure clients

Projects scheduled for delivery between October 2026 and March 2027 require immediate compliance assessment. Vendors and integrators should identify which contracts fall under the scope—especially those referencing Directive (EU) 2016/2102 (Web Accessibility) or Regulation (EU) No 1025/2012—and prioritise retrofitting or re-certification efforts accordingly.

Distinguish policy adoption from implementation readiness

While the legal obligation takes effect on 1 October 2026, EN 301 549 v3.2.1 certification capacity remains limited among testing labs. Analysis shows lead times for full module certification may exceed 12 weeks. Early engagement with accredited conformity assessment bodies is advisable—not as a compliance guarantee, but to secure evaluation slots ahead of demand peaks.

Update technical documentation, data flow diagrams, and vendor SLAs

Organisations must revise internal architecture documentation to explicitly map personal data flows through the sovereignty module. Contracts with subcontractors and cloud service providers should be reviewed to ensure alignment with the ‘zero-caching’ and localisation requirements—particularly where third-party APIs or edge analytics components are involved.

Editorial Observation / Industry Perspective

Observably, this measure signals a hardening of digital infrastructure sovereignty requirements—not merely as a privacy safeguard, but as a structural condition for market access in regulated EU sectors. It is less an isolated update to CE marking and more a precedent for embedding regulatory-by-design principles into physical-digital convergence systems. From an industry perspective, the requirement reflects growing institutional emphasis on enforceable data residency over declarative commitments. Current attention should focus less on whether the rule applies, and more on how its operational thresholds—especially ‘zero-caching’ in distributed edge environments—are interpreted and verified in practice.

Analysis shows that while the legal trigger is clear, real-world enforcement hinges on certification scalability and procurement-level verification rigor—both of which remain untested at scale. This makes the period between now and Q3 2026 especially consequential for technical preparation, rather than strategic reassessment.

Conclusion: This decision establishes a binding technical threshold for Building Digital Twin deployments in high-regulation EU contexts. It is not a general data governance recommendation, but a specific, enforceable product compliance requirement. Enterprises should treat it as a fixed technical dependency—not a flexible guideline—and align engineering, procurement, and compliance functions accordingly.

Source: European Commission, Commission Implementing Decision (EU) 2026/923, published 5 May 2026. Official Journal of the European Union L 138/1, 6 May 2026.
Further clarification on certification procedures and scope interpretation is pending from ETSI and national market surveillance authorities—this remains a point for ongoing observation.