The construction industry is an exception when it comes to digitalization. While many other industries have long utilized data and artificial intelligence in production control, logistics and customer service, the construction industry still operates largely with decentralized systems and manual processes. However, change is inevitable and its pace is not determined by internal developments in the industry but by the legislative timetable in Brussels.
In recent years, the EU has enacted a whole new regulatory framework for data sharing, the use of artificial intelligence and the management of digital platforms. The most important of these for the construction sector are: Data Act, AI Act and those currently under preparation cyber securitystandards for building automation systems. (1)
Until now, regulation has been far from practical everyday life for many construction industry players. Now it is coming closer and influencing how planning is done, how construction sites are managed, and how properties are managed.
Data Act: who owns the data generated by a building?
The Data Act entered into force in spring 2024 and its application has begun gradually from September 2025. At its core is a simple but radical idea: data generated by the use of devices and systems should not remain exclusively in the possession of the device manufacturer or service provider, but must also be available to the end user and authorized third parties.
In the construction sector, this applies to building automation systems, smart energy meters, ventilation units and various sensors, for example. Until now, data ownership has often remained unclear: equipment manufacturers or service providers have been able to keep the information to themselves, meaning that the property owner or developer has not been able to obtain all the usage information. The Data Act forces this situation to change.
In practice, this means that data generated during a building's lifecycle, from energy consumption to indoor air conditions and system maintenance history, will be more widely available in the future. It can create new business models for, for example, maintenance, optimizing the energy efficiency of properties or analyzing building usage. At the same time, it forces the construction industry to think about data management in a completely new way: who has access to which information, in what format and with what rights?
The Commission emphasizes that the regulation specifically applies to “connected products”, and the field of building automation is one of the largest such applications. This means that many Finnish building automation systems and building management software will also fall under the scope of the Data Act, even when the system was originally designed for national needs.
Artificial intelligence regulation is changing design and construction sites
The EU's AI Act was adopted in spring 2024 and its application will begin in stages in 2025–2026. (2) The legislation does not only target high-tech or generative AI, but also defines a risk-based framework for all uses of AI in the EU. In the construction sector, this applies in particular to design software, site and project management, and safety.
Artificial intelligence is increasingly being used in design software, for example to optimize structures, make cost estimates and model architectural alternatives. Such applications may fall into the “high-risk” category of the AI Act, which means strict transparency and documentation requirements. In practice, software manufacturers, and to some extent also users, must be able to demonstrate on what basis the AI makes suggestions and what kind of data it uses.
On construction sites, artificial intelligence is increasingly being used for, for example, construction phase scheduling, quality management, work phase management, logistics control and safety risk detection. The AI Act requires that such systems meet both data protection and security requirements. For example, artificial intelligence systems in construction site surveillance cameras that detect dangerous situations or track the movements of workers may fall into the high-risk category. This means new obligations for both system providers and construction companies.
Cybersecurity and building automation – a new focus
A third area of rapid regulatory development here in Brussels concerns cybersecurity in building automation. The Commission and the EU cybersecurity agency ENISA are currently preparing new certification and security standards, particularly for critical infrastructure and large buildings. This is due to concerns that cyberattacks via connected building equipment could paralyse hospitals, office buildings or data centres, for example.
In the future, certain building automation systems may require EU-level certification or must comply with uniform safety standards. This may directly affect the design and procurement of building services in Finland, even if the systems are domestic.
At the same time, it creates opportunities for companies that are able to offer certified, secure solutions and challenges for those whose systems do not meet EU-level requirements.
It is essential to understand that EU data regulation and AI policy are not isolated reforms but part of a broader strategy. The EU aims to create a “digital single market” where data flows securely and the use of AI is regulated but permitted. The Commission does not want to be overshadowed by the US and China in technology policy, but sets its own rules of the game.
The construction sector is special in this picture because it is a large, emissions-intensive and still partly non-digital sector. Therefore, it is considered one of the biggest potential beneficiaries, but also one of the slowest to adapt.
It's time for the construction industry to wake up.
In Finland, the discussion about digitalization in the construction industry has often focused on individual applications or sub-areas, such as information modeling or electronic permit systems. In Brussels, the discussion is much further along: rules are now being written here that will define the operating environment of the entire industry for the coming years.
For companies and organizations in the industry, this means two things. First, we need to understand what regulation means in practice and what obligations and opportunities the Data Act, AI Act, and cybersecurity standards bring. Second, we need to consider our own position: are we involved in development or are we reactively adapting to the rules of the game defined by others?
Those who understand the situation early and start preparing for the change by updating their systems, developing their skills, and participating in the regulatory debate can benefit significantly. Those who wait until the last minute may face strict requirements and intensifying competition.
The debate in Brussels is no longer about whether digitalization of the construction sector will happen, but rather how it will happen and who will write the rules. Regulation is advancing rapidly, and its effects will reach every construction project, design software and building automation system.
About the author
Mika Horelli is a freelance journalist who has lived in Brussels for eight years and closely follows the political processes of the European Union and their impact on Finland. He also writes for RT on EU topics that are central to the construction industry. Horelli has previously worked as a freelance journalist in Denmark and the United States.
Write a comment