Data has become a cornerstone of competitiveness and innovation. Recognizing its strategic value, the European Union has adopted the EU Data Act (Regulation (EU) 2023/2854) (the “Data Act”), a landmark regulation designed to unlock the potential of data generated by connected products and related services.
The Data Act entered into force on January 11, 2024, with most provisions applying from September 12, 2025. It aims to create a fair, innovative, and competitive data economy, ensuring that users can access and share the data generated by their devices and that businesses of all sizes—including those outside the EU—can participate on equal terms.
What Is the Data Act?
Working alongside the Data Governance Act (the “DGA”), which establishes mechanisms for cross-sector and cross-border data sharing within the EU, the Data Act defines who can derive value from industrial data and under what conditions. It also seeks to balance the relationship between users and providers of data processing services by ensuring fairer access to data.
Together with the DGA, and forthcoming sector-specific data spaces, the Data Act seeks to unlock the value of data by making it more widely available while ensuring that data is used fairly, securely, and in line with EU values.
Importantly, the Data Act expands beyond the scope of personal data protections under the GDPR, introducing new rules that also apply to non-personal data.
What Is Covered by the Data Act?
The Data Act aims to ensure that data from connected devices and services can be accessed and used fairly.
A connected device is any physical product that collects or generates data about how it is used or the environment it is in—and can share that data through a network, a cable, or directly on the device. Its main purpose is not to store or process data for someone other than the user. Examples include smart cars, fitness trackers, medical devices, or industrial and farming equipment.
A related service is a digital service (including an app or software) that works with a connected device. It might come bundled with the product when you buy, rent, or lease it, and without it, the product will not work properly. Or it might be added later by the manufacturer or a third party to improve or update how the product works.
Who Is in Scope of the Data Act?
The Data Act casts a wide net, recognizing that a modern data economy involves many actors. It applies not just to product manufacturers but also to all those who hold, use, or facilitate access to data generated by connected devices and services. Understanding who these players are is essential to grasping how the Act will change data flows.
- Manufacturers of Connected Products and Providers of Related Services
Manufacturers of connected products placed on the market in the EU and providers of “related services,” irrespective of the place of establishment of those manufacturers and providers. - Users of Connected Products and Services
Users include both individual consumers—such as car owners using navigation or telematics systems—and corporate customers deploying connected equipment as part of their business. - Data Holders
Organizations, irrespective of their place of establishment, that make data available to recipients in the EU. These include, for example, manufacturers of connected devices and providers of related services. - Data Recipients
Data recipients in the EU to whom data is made available, including, for example, independent repairers and service providers. - Providers of Data Processing Services
Providers of data processing services, irrespective of their place of establishment, providing such services to customers in the EU. - Public Sector Bodies and EU Institutions
Public sector bodies, the European Commission, the European Central Bank, and EU bodies that request data holders to make data available where there is an exceptional need for it. - Other stakeholders
Participants in data spaces and vendors of applications using smart contracts, as well as persons whose trade, business, or profession involves the deployment of smart contracts for others in the context of executing an agreement.
Key Provisions and Requirements
Data Sharing
For years, the data generated by connected products—from smart home appliances to industrial machinery—largely stayed in the hands of the manufacturers that produced them. This exclusive control gave these companies a strong competitive edge and often left customers with limited options for repairs, aftermarket services, or other data-driven innovations.
The Data Act seeks to change that dynamic. It gives users—whether consumers or businesses—the right to access the data generated by the products and related services they use, and to share that data with third parties of their choice. The goal is to open up markets, increase competition, and give users the benefit of choice.
Data holders must ensure that users can access the data their products generate, along with any metadata needed to interpret it. This access must be practical and meaningful: the data must be provided in a way that is easy to use, secure, comprehensive, and structured. Importantly, it must be provided free of charge and in a commonly used machine-readable format so that users can easily transfer it to other service providers. The law also explicitly prohibits so-called “dark patterns”—user interface designs or choice architectures that manipulate, subvert or unduly hinder a user’s decision to exercise their data access and sharing rights.
The Data Act sets out clear obligations for third parties that receive product data at a user’s request, including:
- Using the data they receive only for the purposes agreed with the user and deleting the data once those purposes have been fulfilled.
- Not to use the data in ways which would compromise the security of the connected product or its related services.
- Not to prevent users who are consumers from making the data available to other parties.
- Not to share, or make the data available, to companies which are designated as “gatekeepers” under the Digital Markets Act.
To reduce burdens on emerging businesses, the Data Act exempts micro and small enterprises from these data-sharing obligations. It also provides a temporary exemption for medium-sized enterprises: they are not required to share data during their first year as a medium-sized entity, and products they place on the market benefit from a one-year grace period from the time they are launched.
Although data sharing is a central feature of the Data Act, the law recognizes that there are limited situations where access to or sharing of data can be restricted. Both users and data holders may limit or prohibit access where the sharing would undermine the security requirements of the connected product and could result in serious adverse effects on the health, safety, or security of individuals.
Obligations for Data Holders Making Data Available
Where a data holder is required to make data available, the arrangements for doing so must be set out in a way that is fair, reasonable, and non-discriminatory. They must also be provided transparently, enabling recipients to understand the terms under which they may use the data.
If a data recipient believes the conditions under which the data has been made available are discriminatory, the data holder must be able to demonstrate that no discrimination has taken place. On request, the data holder is required to supply the recipient with information sufficient to show that the terms applied are justified and non-discriminatory.
In business-to-business relations, data holders are entitled to receive reasonable compensation for making data available, reflecting the costs incurred and a reasonable margin.
Unfair Contract Terms related to Data Access
The Data Act introduces specific protections against unfair contractual terms in agreements concerning access to and use of data. These protections are particularly aimed at micro, small, and medium-sized enterprises (SMEs), which often have limited bargaining power when negotiating with larger companies.
Under the Act, any contractual term relating to the access to and use of data, or to liability and remedies for breaches or termination of data-related obligations, will not be binding if that term was unilaterally imposed by one party on the other and is considered to be unfair.
The legislation goes further by identifying certain types of terms that will be considered automatically unfair. Article 13 of the Data Act provides examples of clauses that are deemed unfair where their purpose or effect is to tilt the contractual balance unjustifiably.
By curbing the use of such provisions, the Data Act aims to encourage fairer and more balanced contractual relationships in the data economy. This approach is intended to give SMEs the confidence to participate in data-driven markets without being forced to accept disadvantageous terms simply because they lack negotiating power.
Making Data Available to Public Sector Bodies
The Data Act establishes a framework under which data holders can be required to make data available, free of charge1 to public sector bodies, the European Commission, the European Central Bank, or other EU institutions and agencies. This obligation arises only in situations of exceptional need, ensuring that the measure is targeted and does not become a routine data-sharing requirement. Article 15 of the Act defines the circumstances in which an exceptional need exists.
Switching Between Data Processing Services
The Data Act introduces new rules to make switching between data processing service providers practical2 and reliable. Customers must be able to terminate their contract with their current provider after a maximum notice period, conclude a new contract for similar services with another provider, and port their exportable data and digital assets either to a different service provider or to their own on-premises IT infrastructure. The Act also requires that customers be able to achieve functional equivalence in the new environment so that services continue to work as expected after the switch. Furthermore, where technically feasible, customers must have the option to unbundle data processing services from other services offered by the same provider, ensuring they are not tied to unwanted packages. Providers are required to give customers full support during the transition to ensure service continuity and minimize disruption.
In addition, providers must supply customers with clear information on how switching can be carried out. It also sets up a framework to gradually phase out charges for switching, ensuring that by January 12, 2027, the so-called exit service (the assistance needed to port data and digital assets to another provider) must be provided free of charge.
International Government Access and Transfers of Non-Personal Data
The Data Act introduces new requirements for international transfers of non-personal data, reflecting growing concerns about the protection of sensitive industrial and business information held by data processing service providers. While the GDPR governs the international transfer of personal data, the Data Act extends similar principles to non-personal data, such as machine-generated or industrial data, which is increasingly vital to business operations and innovation.
Under the Data Act, providers of data processing services, including cloud and edge service providers, must ensure that such data is not transferred to, or accessed by, authorities in a third country in ways that would conflict with EU or Member State law. In practice, service providers will be expected to adopt appropriate technical, contractual, and organizational safeguards to prevent unlawful or incompatible transfers or access.
By extending transfer safeguards to non-personal data, the Data Act seeks to maintain trust in the European data economy, safeguard industrial competitiveness, and ensure that data-driven innovation can thrive without exposing sensitive information to jurisdictions where equivalent legal protections may not exist.
Interoperability in the EU Data Act
The Data Act places a strong emphasis on interoperability as a cornerstone for a competitive and open data economy. Acknowledging that the value of data often lies in its ability to be combined and reused across sectors, the Act provides for the development of interoperability standards that make it easier for businesses and public bodies to share and integrate industrial data.
To achieve this, the Data Act sets out essential requirements for interoperability. These include rules to enable the smooth exchange and reuse of industrial data across different sectors, guidance on the design of data-sharing mechanisms and services, and specific provisions for smart contracts used in data-sharing arrangements.
The Act also introduces a framework for open interoperability specifications. These specifications address not only the technical aspects of interoperability, like formats and interfaces, but also the rules and arrangements between parties, including how consent or permissions for data use are expressed, translated, and enforced in a consistent way across different systems.
In addition, the Data Act promotes the development of European standards for the interoperability of cloud and edge service providers, with the aim of enabling a more seamless multivendor cloud environment. By doing so, the legislation supports the creation of a data ecosystem in which organizations can more easily mix and match cloud services from different providers without being hindered by incompatible technologies or contractual lock-in.
Conclusion
The EU Data Act is a milestone in Europe’s effort to create a fair, open, and secure data economy. By shifting control of data closer to users, imposing fair-access obligations on data holders, protecting SMEs, addressing vendor lock-in, and extending safeguards to non-personal data, it lays the foundation for a more competitive and innovative digital market.
In combination with the Data Governance Act, it creates both the rules and the trust mechanisms needed to unlock the value of data across sectors while maintaining strong protections for security, privacy, and industrial competitiveness.
Together, these laws reflect the EU’s vision of a data economy that benefits businesses, public authorities, and society at large, enabling innovation while keeping data flows secure and accountable. VeraSafe can help your organization comply with the EU Data Act. Book a free consultation to get started.
You may also like:
An Introduction to the EU AI Act
Session Replay Software and Privacy
Picture Perfect: Photographs and the GDPR’s Special Categories of Personal Data
Related Topics: Compliance Tools and Advice, EU Privacy Laws
- The need to provide the data free of charge does not extend to SMEs. ↩︎
- The definition of a data processing service is laid down in Article 2(8) and mirrors common definitions of cloud computing services. The concept is designed to cover the popular delivery models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) – while also remaining open to technological innovation. ↩︎
