EU Data Act

EU rules on fair access to and use of data generated by connected products and related services.

Entering into force in January 2024 with application from 12 September 2025, the EU Data Act establishes horizontal rules on fair access to and use of data, particularly data generated by connected products and related services. The regulation addresses the growing recognition that most industrial and consumer data remains untapped or locked within proprietary ecosystems, limiting innovation, competition, and consumer choice. By creating clear rights and obligations around data access and sharing, the Data Act seeks to unlock the economic potential of the data economy while protecting trade secrets and personal data.

The Data Act affects manufacturers of connected products (IoT devices, smart appliances, industrial machinery), providers of related digital services, data holders, data recipients, cloud and edge computing service providers, and public sector bodies. In practice, any business that produces or uses connected products generating data, or that provides cloud services, will need to assess its obligations under the regulation. Users of connected products, both consumers and businesses, gain new rights to access the data their products generate.

Core obligations require manufacturers to design connected products so that data is accessible to the user by default and to make data available to the user or a third party designated by the user upon request, free of charge. Data holders must share data on fair, reasonable, and non-discriminatory terms. The Act also introduces provisions to prevent unfair contractual terms in data sharing agreements between businesses of different bargaining power, and establishes rules for cloud service switching, requiring providers to eliminate switching charges by 2027 and ensure portability and interoperability.

The Data Act also empowers public sector bodies to request data from the private sector in cases of public emergencies, such as pandemics or natural disasters, and establishes safeguards for international data transfers of non-personal data, complementing GDPR's framework for personal data transfers.

The Data Act interacts closely with GDPR, which takes precedence where personal data is involved, and with the Data Governance Act, which establishes frameworks for data intermediaries and data altruism organisations. Together, these regulations form a comprehensive EU data strategy. For businesses, the Data Act requires rethinking data access policies, contractual arrangements with partners, and product design to ensure that data generated by connected products can be accessed and shared in compliance with the new framework.

Select your company type for tailored compliance guidance.