What the EU Data Act Really Means for Security in Blockchain
If you’re following EU regulations in tech, you’ve probably heard about the EU Data Act, which came into effect on 12 September 2025. Its stated purpose is to make data sharing across Europe fair, safe, and competitive. What makes it especially noteworthy is that it’s the first law in Europe that explicitly regulates smart contracts. But what does it actually mean from a security perspective, especially for blockchain technologies and smart contracts?
Our Managing Director Jan joined the recent EUCI live to discuss this with Marina Markezic & Anja Blaj. You can catch the full live session here.
Backdoors Disguised as Security Features
One of the hot topics we touched on was backdoors. When you hear the word, you think of regulators or authorities demanding hidden access into a system. And the problem is always the same: once there’s a way in, it won’t just stay with the “good guys”. Hackers, insiders, or even hostile governments can abuse it. There’s no ethical filter built into a backdoor.
Article 36 doesn’t literally say “add a backdoor”, but it does require smart contracts for data sharing to have both a kill switch and upgradability. That means the contract can be paused mid-execution and then changed afterwards by whoever controls it.
In practice, that is a backdoor. Imagine a contract that says: everyone who sends funds to this address will automatically receive data in return. If the controller can pause it, upgrade it, and then resume, they could easily change the rules: say, keep the funds but stop delivering the data.
So while the law frames this as “safety and governance”, from a security standpoint it introduces the exact same systemic risks we warn about: once that control exists, it’s exploitable.
As Jan put it during the live session: “If the police can get in, hackers can get in, other governments can get in, and others who want to harm can get in as well. This has been proven for decades.”
On paper, a backdoor looks like a neat regulatory solution. In reality, it’s a huge security risk.
Systemic vs. Individual Risks
We also talked about risk on two levels:
Micro risks – problems that affect one contract or one company.
Macro risks – problems that can take down an entire network or ecosystem.
A backdoor doesn’t just create a micro problem; it’s a macro-level vulnerability. One misused access point could compromise a lot more than you think.
Think of it like financial regulation: in banks, regulators balance microprudential risks (individual bank failures) with macroprudential risks (system-wide crises). Blockchain works the same way: we need to weigh individual contract risks against network-wide systemic risks.
Insider Threats Are Real
Even if no hackers exist, backdoors make systems vulnerable to insiders. Smart contracts are strong because they follow logic and code, and don’t rely on trust. But if a company introduces a backdoor, even a single malicious or poorly trained employee can cause huge damage.
Jan emphasized that with more companies hiring globally, even nation-state hackers could exploit insider access if the system allows it. That’s why smart contract immutability and minimal trust assumptions are key to security.
What Blockchain Developers Can Do
Even with the Data Act now in force, there are steps teams can take:
Talk to compliance early; don’t wait for enforcement.
Audit smart contracts for potential weak points or access mechanisms.
Document who can make changes and under what circumstances.
Stay up to date on guidance from regulators like the European Data Protection Board.
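The audit and documentation steps above can start from the contract's ABI. The sketch below is an added example, not code from the original post: it inventories the kill-switch, upgrade and admin functions a contract exposes and lists the ones that have no entry in a change-control record. The function-name list follows common OpenZeppelin naming and is an assumption, and the sample ABI and record are constructed.

```python
import json

# Function names that commonly expose each control (OpenZeppelin-style naming;
# an assumption, since a contract can name these anything it likes).
CONTROL_SURFACE = {
    "kill switch": {"pause", "unpause"},
    "upgradability": {"upgradeTo", "upgradeToAndCall"},
    "admin hand-over": {"transferOwnership", "renounceOwnership", "grantRole", "revokeRole"},
}

# Constructed sample ABI for a hypothetical funds-for-data contract.
SAMPLE_ABI = json.loads("""[
 {"type":"function","name":"deposit","inputs":[],"stateMutability":"payable"},
 {"type":"function","name":"paused","inputs":[],"stateMutability":"view"},
 {"type":"function","name":"pause","inputs":[],"stateMutability":"nonpayable"},
 {"type":"function","name":"unpause","inputs":[],"stateMutability":"nonpayable"},
 {"type":"function","name":"upgradeToAndCall",
  "inputs":[{"name":"impl","type":"address"},{"name":"data","type":"bytes"}],
  "stateMutability":"payable"},
 {"type":"function","name":"transferOwnership",
  "inputs":[{"name":"newOwner","type":"address"}],"stateMutability":"nonpayable"}
]""")
# Constructed change-control record: signature -> who may call it and when.
SAMPLE_RECORD = {"pause()": "2-of-3 ops multisig, incident only"}

def inventory_controls(abi):
    """Map each control category to the state-changing functions that expose it."""
    found = {}
    for entry in abi:
        if entry.get("type") != "function" or entry.get("stateMutability") in ("view", "pure"):
            continue
        for category, names in CONTROL_SURFACE.items():
            if entry.get("name") in names:
                args = ",".join(i["type"] for i in entry.get("inputs", []))
                found.setdefault(category, []).append(f"{entry['name']}({args})")
    return {category: sorted(sigs) for category, sigs in found.items()}

def undocumented(found, record):
    """Control functions with no entry in the change-control record."""
    return sorted(s for sigs in found.values() for s in sigs if s not in record)

def can_pause_then_upgrade(found):
    """True when the contract has both halves of the pause-upgrade-resume path."""
    return "kill switch" in found and "upgradability" in found

if __name__ == "__main__":
    controls = inventory_controls(SAMPLE_ABI)
    print(json.dumps(controls, indent=2))
    print("undocumented:", undocumented(controls, SAMPLE_RECORD))
```

An ABI only shows which entry points exist; who is actually allowed to call them (an owner key, a multisig, a role) still has to be confirmed from the contract source and on-chain state.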
The EU Data Act isn’t just about legal compliance; it has real security implications. Regulations that require backdoors or overly broad access create systemic vulnerabilities, and once a vulnerability exists, it can be exploited.
The safest approach? Balance compliance with core security principles: immutability, decentralization, and logic that doesn’t rely on trust in people or organizations.


