Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

A Game-Changer in Data Regulation: The EU Data Act unpacked

The EU Data Act, being a key pillar of the European Data Strategy, came into force on 11 January 2024. It aims at creating a horizontal framework for the access to and sharing of data generated through smart products and digital services, as well as to foster a competitive cloud services market. It applies to a wide range of businesses across all sectors, such as tech, health, automotive, energy or agriculture – EU and non-EU businesses alike.

While the majority of its provisions will apply from 12 September 2025, businesses will likely need the intervening period to assess and strategize for the impact that the Data Act will exert on their smart products and digital services. The changes required to adhere to Data Act requirements will deeply impact both the design and manufacture of smart products and the provision of additional services in this area.

Marking an important step in the EU's Digital Strategy, the Data Act addresses the exponential growth in data volumes fueled by the continuous integration of digital technology into day-to-day activities. The EU legislator aims at breaking down data silos and tapping into vast reservoirs of (industrial) data, fostering opportunities for innovation and growth.

Promoting access to data

The Data Act establishes unprecedented access for users of connected devices and related services (and, under certain conditions, third parties as well) to the data they generate – irrespective of whether these users are individuals or corporate entities. It encompasses both personal and non-personal data produced through the operation of connected products and related services.

The Data Act defines “connected products” as items capable of obtaining, generating, or collecting data and communicating data via electronic communications services, physical connections, or on-device access. This definition is very broad and connected products can range from industrial machinery, smart meters, fridges or vehicles to smart watches, phones or implantable medical devices.

For the purposes of the Data Act, “related services” encompass all digital services, including software, which are connected with the product at the time of the purchase, rent or lease in such a way that their absence would prevent the connected product from performing one or more of its functions, or which are subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product. 

Related services are integral, either by enabling the core functionalities of a smart product or by augmenting its capabilities. Besides operating systems, this could also apply to many other digital services and software connected with the product (e.g. an automatic refill order functionality of a smart fridge, or smart home automation services where users can control various smart devices in their home, or an astronomy functionality on a smart telescope). In earlier versions of the Data Act, the definition was more specific and required that such digital service be “incorporated or interconnected with a product” (see here for more information), but a physical connection between the connected product and the related service is not the decisive element any more under the final legislation.

In general, the Data Act mandates that, where technically feasible, users should have access to their data – stored locally on the device itself or on a remote server. Furthermore, the Data Act imposes stringent transparency requirements on businesses, obliging them to provide the users with exhaustive details concerning the generated data. This includes its nature, volume, how it will be utilized, how data may be accessed and retrieved, as well as the technical means to do so, and provisions for lodging complaints with the relevant authorities.

Data access by (product) design

Manufacturers of connected products are to ensure that the data they design to be retrievable (so-called “product data”), including metadata, is accessible to users (defined as either natural or legal persons who own connected products or related services or possess temporary usage rights thereto through contractual agreements) in a manner that is easy, secure, and free of charge, and provided in a comprehensive, structured, commonly used, and machine-readable format, and, where relevant and technically feasible, also directly accessible to users.

Although manufacturers are required to prioritize data accessibility and transparency throughout product design and manufacturing processes, this “data access by design” obligation has its limits. For instance, if a product's design does not anticipate the storage or transmission of data outside of its internal components, manufacturers do not have to retrieve such data solely for the purpose of sharing it with users. Moreover, prototypes as well as products primarily dedicated to storing, processing, or transmitting data on behalf of entities other than the user – such as servers or cloud infrastructure – are excluded from the data access obligations. Further, products placed on the market in the EU before 12 September 2026 are not covered by this obligation.

Notably, the Data Act does not require manufacturers of digital services to make “related service data” (i.e. data representing the digitization of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider) accessible by design. Businesses are, however, not prevented from designing data to be easily accessed by the users of such related services.

Data access by request

Whereas manufacturers are required to design and manufacture their connected products to enable direct access to data from the product itself, the Data Act foresees that this might not be feasible or sensible for all connected products. Where product data (and related services data, for that matter) is not directly accessible to users, businesses that have lawfully obtained such data or can lawfully obtain such data without disproportionate effort (such businesses being called “data holders” in the Data Act) must make data readily available to users on their request without undue delay and of the same quality as it is available to the data holders themselves. Manufacturers can simultaneously also be data holders, but many data holders will not have manufactured the connected product.

Users shall not use the data obtained to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable, the data holder.

Data sharing by request

The Data Act extends its reach beyond mere user access, mandating businesses to share data with third parties, including potential competitors, upon a user’s request. This stipulation underlines the EU legislator’s commitment to fostering an open, competitive digital ecosystem. If the user, or a party acting on behalf of the user, makes a request, the data holder will generally have to make the data (including necessary metadata) available to the specified third party. This shall be done without undue delay and the data will have to be of the same quality as it is available to the data holders themselves. 

If both the data holder and the third party are considered businesses, they have to conclude a contractual agreement governing the arrangements for making the data available under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner. The European Commission may issue model contractual terms for such data sharing arrangements.

The data holder might charge a data recipient that is not a consumer a fee for making the data available. Such compensation shall be non-discriminatory and reasonable, may depend on the volume, format and nature of the data, and may include a margin. When agreeing on any compensation, the data holder and the data recipient shall take into account in particular costs incurred in making the data available, including the costs necessary for the formatting of data, dissemination via electronic means and storage, and investments in the collection and production of data, where applicable, taking into account whether other parties contributed to obtaining, generating or collecting the data in question. The Data Act mandates the European Commission to adopt guidelines on the calculation of reasonable compensation.

Data sharing to public sector bodies

In cases of exceptional need, data holders that are legal persons will be required to make the data available to a public sector body, the European Commission, the European Central Bank, or another EU body. For example, if the data requested is essential for a public crisis and the relevant public sector body has no other way of getting it, this will be a case of “exceptional need”. In principle, the data will have to be made available free of charge, but under certain conditions data holders are entitled to fair compensation.

Protection of trade secrets

The data in question – data generated by connected devices and related services – might also contain or represent valuable proprietary and confidential information, i.e., trade secrets. Not surprisingly, one of the key and most contentious issues during the Data Act’s legislative process was how to reconcile the data holders’ interest in protecting trade secrets with the Data Act’s express goal to promote broader data sharing and access (see here for more details).

In general, trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The relevant parties shall agree on proportionate technical and organizational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

The rules set out in the Data Act seek to strike a balance between the aim of making data accessible on the one hand and the need to safeguard the protection of intellectual property and trade secrets on the other. Nonetheless, invoking trade secret safeguards as a defense against overly broad data access requests appears only to be an exception to the rule of having to provide such data under the Data Act (see here for what companies should consider in this regard).

Addressing the challenge of unfair terms

The Data Act places a strong emphasis on fairness and transparency in contractual terms. It goes even one step further than only mandating the development of model contractual terms by the European Commission, aimed at standardizing fair data sharing practices when users exercise their right to request their product data or related services data to be shared with a third party. 

It also stipulates that any contractual term concerning access to and the use of data or liability and remedies for the breach or the termination of data related obligations, which has been unilaterally imposed by a business on another business, shall not be binding on the latter business if it is unfair. A general clause sets out what shall be considered to be “unfair” in this respect, i.e. if the contractual term is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. Further, the Data Act contains both a black-list (i.e. clauses that are in any case considered to be “unfair”, like exclusion or limitation of liability for intentional acts or gross negligence) and a grey-list (i.e. clauses that are presumed to be unfair, like preventing the other party from using the data provided or generated by that party during the period of the contract, or limiting the use of such data to the extent that that party is not entitled to use, capture, access or control such data or exploit the value of such data in an adequate manner).

These requirements have to be followed not only for contracts that deal with data access and data sharing duties as mentioned above, but also for all contracts that define data related responsibilities, especially on data use or (voluntary) data access.

Further, this applies not only to contracts concluded after 12 September 2025, but also to contracts concluded before such date, provided that they are of indefinite duration or due to expire at least after 11 January 2034.

Facilitating cloud switching

The Data Act aims to facilitate the switching of customers (both business and consumers) from one provider of a so-called “data processing service” to another. Providers will be required to remove any commercial, technical and contractual obstacles for the customer.

Notably, “data processing services” do not encompass any service that processes data to some extent. A “data processing service” is defined as a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction. In other words: cloud services.

Providers are required under the Data Act to make significant new contractual commitments to facilitate switching, such as supporting the customer’s exit strategy relevant to the contracted service, a maximum notice period for initiation of the switching process (not exceeding two months), an exhaustive specification of all categories of data and digital assets that can be ported during the switching process, including, at a minimum, all exportable data, or a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transitional period that was agreed between the customer and the provider.

Cloud service providers also have to inform their customers about available procedures for switching and porting to the data processing service, and provide a reference to an up-to-date online register hosted by the provider, with details of all the data structures and data formats as well as the relevant standards and open interoperability specifications, in which the exportable data are available.

Further, the Data Act mandates a gradual withdrawal of switching charges. Until 12 January 2027, providers of data processing services may impose reduced switching charges on the customer for the switching process (not exceeding the costs incurred by the provider that are directly linked to the switching process concerned). From 12 January 2027, providers of data processing services are prohibited from imposing any switching charges on the customer for the switching process.

Before entering into a contract with a customer, providers of data processing services shall provide the prospective customer with clear information on the standard service fees and early termination penalties that might be imposed, as well as on the reduced switching charges that might be imposed until 12 January 2027.

European data spaces

In supporting the establishment and development of common European data spaces in strategic domains (e.g. health data), the Data Act lays out the essential requirements that participants in data spaces must comply with to facilitate the interoperability of data, data sharing mechanisms and services, such as describing the data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, where available, in a publicly available and consistent manner, or providing the means to enable the interoperability of tools for automating the execution of data sharing agreements. The European Commission is empowered to adopt delegated acts to specify the essential requirements and to request European standardisation organisations to draft harmonised standards that satisfy those requirements.

Interplay with GDPR

While the Data Act introduces comprehensive rules for non-personal data, it avoids encroaching upon the territory governed by the GDPR. The legislation reaffirms the supremacy of data protection laws, ensuring that the rights and obligations under the GDPR remain unaltered. This coexistence underscores the EU’s holistic approach to data regulation, where personal and non-personal data are governed by complementary frameworks, ensuring a robust and coherent protection regime for individuals and businesses alike.

Enforcement and authorities

The European Data Innovation Board, an expert group that has been established under the Data Governance Act, is tasked to support the European Commission in ensuring consistent application of the Data Act throughout the European Union by advising and assisting the European Commission on developing consistent practice of competent authorities in the enforcement of the Data Act, by facilitating cooperation between competent authorities through capacity-building and the exchange of information, and by advising and assisting the Commission on e.g. the preparation of implementing acts and delegated acts.

The Data Act adopts a dual strategy for enforcement. Insofar as the protection of personal data is concerned, the data protection authorities established under the GDPR are tasked to enforce the respective Data Act provisions, following the procedural rules set out in the GDPR. Whenever personal data is not concerned, enforcement of the Data Act will be carried out by national authorities, with each member state designating the appropriate authority for this purpose, with the procedural rules being very similar to the GDPR regime. 

Non-EU businesses that make connected products available or offer related services or data processing services in the EU shall designate a legal representative in one of the EU member states – a concept well known under the GDPR.

Under the Data Act, any person has the right to lodge a complaint (individually or, where relevant, collectively) with the competent authority if they consider that their rights under the Data Act have been infringed, including a right to appeal decisions by competent authorities.

Member States shall lay down the rules on penalties applicable to infringements of the Data Act and shall take all measures necessary to ensure that they are implemented. The Data Act requires such penalties to be effective, proportionate and dissuasive. Whenever personal data is concerned, the GDPR fine regime applies (i.e. potential fines up to EUR 20 million or 4% of global annual group turnover, whichever threshold is higher).

The road ahead

The Data Act represents an extensive legislative framework with significant implications spanning multiple industries. One thing is certain as businesses get ready for its launch: they need to prepare well. To effectively navigate the complexities of the Data Act and mitigate associated risks, businesses are advised to proactively reassess their strategies and establish robust data governance processes. This entails evaluating existing product designs and contractual frameworks to ensure alignment with the Data Act's provisions.

Moreover, identifying key datasets affected by the legislation and developing a comprehensive data strategy are critical steps towards compliance. By doing so, businesses can explore possible avenues for opening access to data and adapt manufacturing and design processes accordingly.

In addition to risk mitigation, businesses could also explore the potential opportunities presented by the Data Act. By strategically leveraging the Data Act's provisions, businesses may uncover new possibilities for growth and innovation.

For more on the Data Act and other EU digital regulations, visit our EU Digital Strategy Hub.
