
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

Data Act Essentials #1: The Data Act starts biting – Benchmark your compliance efforts

The Data Act entered into force on 11 January 2024 and most of its provisions apply from 12 September 2025. This landmark regulation harmonizes rules on fair access to and use of data, creating significant new compliance obligations for businesses in scope.

In this blogpost, we’ll give a breakdown of the key elements of the Data Act: the types of businesses affected, the obligations introduced and practical tips on how to achieve Data Act compliance, as well as checkpoints to assess your compliance status against the market level.

What is the EU Data Act?

At its core, the Data Act is an EU Regulation that introduces harmonized rules in relation to data generated by connected products (e.g. connected cars, medical and fitness devices), certain services that control the functions of connected products, and cloud services. The purpose of this new framework is to unlock the value of data generated by so-called Internet of Things (IoT) devices and other connected technologies, and to ensure greater flexibility by enabling the switching of data processing services. By introducing a harmonized set of rules on access and use of data generated by in-scope products and services, the EU aims to foster innovation, while ensuring that users remain in full control over ‘their’ data. The Data Act generally covers both personal and non-personal data.

Who is affected?

The Data Act is designed to capture a variety of players in the digital economy, in particular:

  • Manufacturers of Connected Products and Providers of Related Services: Any company that designs connected products or offers related services available in the EU is subject to data access and data sharing obligations, irrespective of their place of establishment. The scope of products and services that fall under the Data Act is a point of debate: While the recitals of the Data Act suggest a broad range of products from smart home devices to industrial machinery, European oversight bodies and consumer organizations have voiced concerns over a potential inclusion of personal devices (such as smartphones, tablets and personal computers), pointing to implications of the Data Act on privacy and data protection safeguards. So far, the EU Commission and national regulators have not provided additional clarification, leaving open the question of whether the privacy concerns raised by data protection and consumer bodies will influence future interpretation and implementation of the Data Act. The outcome of the discussion around the scope of ‘connected products’ will have downstream effects on the scope of ‘related services’ given the close link between these two concepts. On related services, the EU Commission indicated that the concept is supposed to cover a broad range of services, providing some guidance on some of the aspects that could be considered when determining whether a service amounts to a ‘related service’, including replaceability, user expectations and marketing accompanying the connected product or digital service. However, the EU Commission acknowledged that the key defining criterion, which is a service’s impact on the ‘functions’ of a connected product, will need further clarification by the courts to help determine which services fall within the scope of the Data Act.
     
  • Providers of Data Processing Services: This can in particular include providers of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and of certain Software as a Service (SaaS) products, but can also include emerging variations of the said service delivery models. These services are subject to new rules on interoperability, switching, and international transfers of non-personal data.
     
  • Data Recipients: The Data Act also sets out restrictions on the use of data by the recipients to whom data is made available under the Data Act, aimed at making sure that the user’s and the data holder’s rights and freedoms are respected by the receiving party. This includes restrictions on the use of received data for profiling purposes (unless required to provide the service requested by the user) or the use of received data to develop a product competing with the connected product from which the accessed data originates.

Key Elements of the Data Act

The regulation introduces several critical changes to how data is handled and shared in the digital economy:

  1. Connected Products and Related Services:
    • User Access to Data: Users must be provided with access to the data generated by connected products and related services. The EU Commission has clarified that the Data Act leaves room for discretion by allowing manufacturers to decide whether to facilitate direct access to users (i.e. without requiring interaction with the manufacturer or service provider) or indirect access through a request-based process, acknowledging that in some cases indirect access may be more appropriate or practical. 
       
    • Third-Party Access to Data: To the extent data generated by connected products or related services is readily available, users can request this data to be shared with third parties. This does not apply to data which, as per the design of the product or service, is not meant to be stored or transmitted outside the product (e.g. for privacy, security or device integrity reasons). Compliance with the third-party data access obligation requires that data holders have processes in place that will allow them to verify that the requesting third party is authorized to receive access to user data and to agree with the third party on arrangements for transmitting the data, including any compensation for making data available (where applicable). 
       
    • B2B Fairness: Where data is shared with third parties under the Data Act or under other applicable Union law (or its national implementations), the Data Act introduces a ‘fairness test’ for business-to-business (B2B) data sharing contracts, protecting companies from unfair and unilaterally imposed contractual terms.
       
    • Pre-contractual Information: Before concluding a contract to purchase a connected product or use a related service, users must receive information about the data that will be generated by the relevant connected product or service and how it can be accessed by the user. The Data Act’s transparency obligations apply to the seller, renter or lessor of connected products (which can be the manufacturer) and to providers of related services. 
       
    • Access to Data by Public Sector Bodies: The Data Act also provides a framework for public sector bodies to access data held in the EU in cases of an ‘exceptional need’, such as when responding to a public emergency or for other public interest purposes. The provisions include detailed requirements for the data requests from public sector bodies, but also requirements for data holders regarding the review of and compliance with such requests, including applicable timelines which need to be reflected in internal processes.
       
  2. Data Processing Services (in particular cloud services):
    • Easy Switching: Providers of data processing services are required to facilitate the switching between services and to improve data portability. Alongside technical requirements in relation to the switching process, the Data Act introduces contractual and transparency requirements that aim to remove potential obstacles to switching.
       
    • Protections Against Unlawful Data Access from non-EU Governments: The Data Act imposes new safeguards against unlawful government access to non-personal data, to a certain extent mirroring the so-called ‘Schrems II’ requirements for personal data.

Risk of non-compliance 

In general, the specific penalties for non-compliance with the EU Data Act are to be determined by each Member State individually. To this effect, Member States are required to lay down rules that are effective, proportionate, and dissuasive. However, in cases involving personal data, the penalties under the GDPR apply, which may include fines of up to €20 million or 4% of an undertaking’s total worldwide annual turnover, whichever is higher. Notably, many Member States, including Germany, have yet to publish their national penalty frameworks under the Data Act, leaving some uncertainty around enforcement at this stage.

How to overcome typical compliance challenges 

While the Data Act is aimed at promoting a more competitive and innovative data market, it also presents challenges for businesses:

  • Interplay with GDPR: The Data Act creates compliance challenges where its obligations apply to data sets that include personal data. Conceptually, the Data Act is designed to complement the existing regulatory framework under the GDPR, which continues to apply to personal data, and which shall prevail over the Data Act in the event of a conflict. In practice, it remains to be seen how such conflicts are going to be solved, both in terms of the applicable framework and competencies between the different regulators potentially involved. GDPR implications also arise where a connected product is designed to be used by multiple users: This creates difficulties with regard to the design of data access mechanisms that need to be carefully aligned with data protection compliance in mind. 
     
  • Use of Non-Personal Data: Under the current regime, once personal data has been anonymized, it is no longer subject to applicable data protection frameworks, which means that from a data protection law perspective, it can be used without further restrictions. Under the Data Act, however, the use of readily available non-personal data is only permissible if based on a contract with the user and subject to additional restrictions, i.e. such data shall not be shared with third parties other than for the purposes of the fulfilment of the contract with the user. In this respect, the Data Act imposes more stringent requirements for the use of non-personal data than the GDPR for the use of personal data and may require updates to the contractual terms agreed with the user.
     
  • Administrative and Operational Burden: Implementing the Data Act’s data access, data sharing and switching obligations can require substantial administrative and technical efforts: Businesses need to make sure that all in-scope data is identified and considered in the data access solutions, existing data access mechanisms are updated and that future data collections consider potential implications under the Data Act. Equally, establishing adequate processes for cloud migration requires cross-functional operational and compliance design efforts. In this respect, businesses may leverage their existing data governance frameworks to mitigate the burden. For example, data mapping and records of processing activities maintained for GDPR compliance can provide a basis to build the data flows required for compliance with the Data Act.
     
  • Trade Secret Protection: Companies must strike a balance between granting data access and protecting trade secrets. Although the Data Act acknowledges and allows for measures to be implemented to protect trade secrets, it is often challenging to identify trade secrets at the level of individual data points. Often, a single data point is not sensitive in isolation, but when linked to other data, it can reveal commercially valuable insights. Thus, before sharing data, companies should proactively classify sensitive data clusters, implement robust metadata tagging mechanisms and establish clear contractual and technical safeguards with third parties.
     
  • Cloud Service Migration: Ensuring interoperability and easy switching between data processing services can be very complex, both from a technical and from a contractual perspective. A key question concerns the scope of the switching obligations, which will - from a practical perspective - drive the operational effort for providers associated with enabling the transition to new providers. In order to facilitate the implementation of the contractual obligations, the EU Commission has published a set of model clauses that can be used as a basis in order to achieve compliance with the Data Act. However, in practice, the proposed terms rarely reflect the specifics of the service at hand and often need to be heavily adjusted in order to be usable. This applies even more in view of the different types of services that are supposed to be captured by the Data Act’s switching obligations.  

Planning the compliance journey

Given the complexity of the Data Act — both in terms of the wide range of products and services it covers and the variety of obligations it introduces — effective compliance typically requires a well-defined project roadmap and a structured and comprehensive implementation strategy. The following checklist can serve as a basis for developing a compliance framework encompassing legal, organizational, and technical aspects:

1. Connected Products and Related Services:

  • Applicability & Role Identification: Determining if your products or services fall under the scope of the Data Act as ‘connected products’ or ‘related services’.
  • User Rights & Access Mechanisms: Establishing systems that allow users to access their data and share it with third parties as required by the Data Act.
  • Data Preparation: Classifying and identifying the data generated by connected products, distinguishing between raw, pre-processed, and derived data, as well as mapping data with security relevance.
  • Trade Secret Protection: Identifying trade secrets both at the data point and cluster level and implementing contractual and technical safeguards.
  • Technical Infrastructure: Ensuring your technical infrastructure is ready for real-time or continuous data access (where relevant).
  • Legal & Contractual Safeguards: Preparing pre-contractual information, updating contracts to reflect Data Act obligations and requirements, and assessing the legal basis for processing personal data and non-personal data.
  • Governance & Oversight: Designating teams responsible for the monitoring of established compliance measures, including forward-looking compliance mechanisms, and establishing internal audit mechanisms.

2. Data Processing Services (including cloud services)

  • Applicability & Scope: Determining whether your services fall under the scope of the Data Act as ‘data processing services’, and which data will need to be made ‘exportable’.
  • Technical Infrastructure: Setting up or updating existing switching mechanisms to facilitate the portability of exportable data to a third-party service or to the customer’s ICT infrastructure and implementing technical and operational measures for compliance with the Data Act’s restrictions with regard to international governmental access and transfer of non-personal data.
  • Legal & Contractual Safeguards: Determining switching terms covering minimum quality parameters for switching, deadlines for data transfers, terms on exportable data and deletion, and on switching costs (where applicable) in line with the requirements of the Data Act.
  • Transparency & Access: Providing information for customers on how to export/download their data, on retention, and on safeguards preventing unauthorized governmental access to data.

Conclusion

The Data Act is aimed at introducing a paradigm shift in how data is accessed and shared. At the same time, many aspects of the Data Act remain open to interpretation, and only limited guidance has been issued by the EU Commission so far (see Commission’s FAQs on the Data Act, Version 1.3, as of 12 September 2025). This is expected to evolve as national regulatory authorities are appointed and begin issuing more detailed implementation guidance. In this context, businesses should remain alert to new developments and be prepared to adapt their compliance strategies as further clarity emerges. 
