The Data Act goes live: what now?

On September 12th 2025, the EU Data Act (Regulation (EU) 2023/2854) officially goes live. After entering into force in January 2024, the regulation now becomes operational. It creates new rules on who can access and use industrial data generated by connected products in the EU across all economic sectors.

Read today’s statement from the European Commission on this topic

The Data Act is a cornerstone of the European Data Strategy and the Digital Decade 2030. Its central aim is to unlock the value of industrial and IoT data, ensuring it is accessible, reusable, and portable by eliminationg all barriers to the free flow of data with the Union.

"A key objective of the Data Act is to create fairness in the data economy and empower users to reap value from the data they generate using the connected products that they own, rent or lease" (Data Act explained, European Commission).

Scope of application: who and what falls under the Data Act?

Category	Coverage under the Data Act	Comments/Examples
Items	Connected products: physical items that generate, collect or obtain data concerning its use or environment & can communicate it via a connection (WiFi, Bluetooth, USB, etc.), on-device access, or via an electronic communications service (Article 2.5) A related service is installed on the product, and can be connected with the product at the time of the purchase, rent or lease or by the manufacturer (Article 2.6)	Examples of connected products include smart vehicles, wearable health trackers, MRI scanners, industrial robots, household appliances like smart refrigerators or washing machines, and connected energy meters. Related services are those that allow the product to operate in a specific way or enhance its functionality — for instance, a mobile app to control home lighting, software that adjusts irrigation levels in smart farming equipment, or a platform that monitors and optimizes the performance of wind turbines.
Operators involved	Manufacturers of connected product, provider of a related service and every operator of a cloud infrastructure in Europe. Providers of data processing providers globally, excluding conventional hosting services. A data holder is typically the company that makes the connected product or that provides a related service.	Example of providers of data processing: Cloud IaaS, PaaS, Saas, Storage, Data, Edge
Users & Recipients	Users and data recipients must be in the EU. Public bodies when relevant.	A user can be both a natural person or a legal person.
Sectors	Across all sectors. Includes public sector bodies.	Industrial IoT, automotive, fintech, healthcare devices, energy, logistics, gaming platforms, insurance services relying on telematics, and cloud computing.
Data in scope	All raw and pre-processed data generated from the use of a connected product or a related service that is readily available to the data holder. Readily available data means that the data holder actually has, or can obtain without disproportionate effort. Personal and non-personal data (e.g machine readings) including relevant meta data. this includes: Data resulting from the use of a connected product Data that must be shared legally Data that can be shared under contractual obligation Data via data processing services	The Data Act’s definition of data is broad: data is any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recordings. Everything generated by connected products is included, like simple status indicators, user interactions data and malfunction reports.

Category	Coverage under the Data Act	Comments/examples
Data portability & access to data	The principle is simple: if a connected product or related services generates data, the user (natural or legal person) must be able to access it. That means: Full product and service data must be made available, not curated extracts. Access must be timely, free of charge, in a structured, machine-readable format, and real time where feasible. Users may share data with third parties of their choice directly or can ask the data holder to do so. With only limited compensation allowed for substantial investments in a B2B setting.	A car owner gains access to all maintenance logs, not only summaries. A tenant can request detailed smart home data.
Limits and safeguards	Not all data must be shared. The Act applies only to readily accessible data, that doesn't invovle disproportionnate effort. Inferred or derived data and content (e.g. highly enriched data, audiovisual material) are out of scope. Access may be withheld when disclosure would compromise trade secrets or safety, but such refusals must be justified in writing and are subject to oversight and dispute resolution. Platforms designated as gatekeepers under the meaning of the Digital Markets Act, do not benefit from the rights. Micro and SMEs are not subject to the same duties imposed on larger companies, in particular regarding mandatory data sharing. The data obtained cannot be used to develop a competing connected product.	Blanket refusals invoking intellectual property rights or trade secrets will no longer suffice. The data holder may only refuse to share data where it can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets.
Precontractual duties	The Act also reshapes the sales process. Before selling or leasing a connected product or service, businesses must inform users about: What data will be generated; Where and how it will be stored; How and when it can be accessed; Whether access is continuous or periodic.	This requires businesses to set up clear protocols and train sales teams who will have to communicate this information before contracts are signed.

Fairness in contracts: no more unbalanced terms

A data holder is required to enter into a contract with the user — for example, a sales, rental, or related service agreement — which must define the user’s rights concerning the access, use, and sharing of data generated by the connected product or related service.

Where the Data Act governs the relationship between the manufacturer of a connected product (or provider of a related service) and the end-user, it introduces specific contractual obligations. In this context, EU consumer protection law continues to apply, in particular Directive 93/13/EEC on unfair terms in consumer contracts and Directive 2005/29/EC on unfair commercial practices, ensuring that users are protected against unfair contractual provisions.

No more vendor lock-in: switching between data processing providers made easy

To promote a competitive digital market within the EU, customers of data processing services, including cloud and edge computing, must be able to switch providers seamlessly. At present, such switching is often hindered by significant obstacles, such as excessive egress fees, lengthy and complex procedures, and insufficient interoperability between providers, which can lead to the loss of data or applications.

The Data Act addresses these issues.

Scope	Providers of IaaS, PaaS, SaaS, and other models. E.g: Google Cloud, OVH Cloud, Azure... Assess whether your services fall within the scope of Chapter VI of the Data Act.
Objective	In Commission words: "Promote competition and choice on the market while preventing vendor lock-in." By requiring that switching be free of charge, efficient, and technically smooth, the framework strengthens customer choice by enabling them to select the services that best meet their needs, while also fostering competition by expanding the potential customer base available to providers.
Concrete obligations	Must remove obstacles to switching to another provider or to an on-premise infrastructure, including technical and contractual barriers. Contracts must include switching rights, short notice periods (max. two months), data portability conditions & data transfer methods. Set up technical infrastructure for data transfer and ensure compatibility with interoperability standards. Support migration, maintain businesss continuity, functional equivalence and secure data transfers within 30 days. Data retrieval under 30 days. Phase out exit fees by January 2027, after which only cost-based charges remain. Implement transparency measures such as making available information on the switching procedure.

Chapter V of the Data Act establishes a framework for business-to-government (B2G) data sharing in situations of exceptional need, where data held by private entities is necessary for public authorities to carry out tasks in the public interest.

Exceptional need covers both public emergencies — such as natural disasters, pandemics, or cybersecurity incidents — and non-emergency situations, such as improving traffic management through aggregated, anonymised GPS data.

In emergency scenarios, public authorities may request access to data, which must be provided swiftly, securely and free of charge, unless justified costs are involved. While the default focus is on non-personal data, personal data may also be requested if strictly necessary, with anonymisation applied wherever possible.
For non-emergency public interest purposes, authorities may only request non-personal data, and data holders are entitled to fair compensation for the costs of preparing and transmitting it.

Requests must always be specific, proportionate and transparent, and must not impose an undue administrative burden on companies.

Entities entitled to request data include national public sector bodies, EU institutions, agencies and certain research organisations. Data holders are typically private companies, but may also include public undertakings.

How companies must handle international requests

The Data Act introduces specific safeguards to prevent unlawful access or transfer of non-personal data held in the EU by governments of third countries (i.e., non-EU states).

These provisions respond to the growing concern that foreign authorities may issue decisions or judgments compelling companies to disclose or transfer data stored in the EU, even when such requests conflict with EU law, the protection of fundamental rights, national security interests, or the confidentiality of sensitive commercial information.

Building on the approach of the Data Governance Act, the Data Act reinforces transparency and legal certainty by clearly setting out the conditions under which non-personal data may be accessed by foreign authorities.

For businesses — including cloud providers, data intermediaries and companies offering digital products and services — the rules impose new obligations. They must carefully assess whether a foreign government’s request complies with EU law and, where necessary, challenge unlawful demands. Any transfer of non-personal data to a third country must meet strict safeguards, which may include judicial authorization and respect for EU fundamental rights standards.

Challenges & enforcement risks

From 12 September, Member States must adopt their own national enforcement regimes by 12 September 2025, ensuring penalties are effective, proportionate, and dissuasive. These may include financial fines, orders to comply, warnings, or even suspension of processing activities.

Companies must comply simulatneously with the GDPR since many data sets include personal data. Failure to properly distinguish between personal and non-personal data could trigger parallel investigations by both data protection authorities and sectoral regulators.

All obligations under the GDPR (legal basis, minimization, anonymization, data subject rights) remain in force. Failures to provide data that includes personal information may trigger combined Data Act and GDPR claims, with damages sought under Article 82 GDPR.

Businesses and users harmed by a refusal to share data, or by anti-competitive conditions, can bring disputes before courts or dispute settlement bodies. Expect collective actions (consumer or SME associations) in Member States where this is allowed.

Incomplete or misleading pre-contractual disclosures on data usage and access rights will expose companies to consumer law claims under Directives 93/13/EEC and 2005/29/EC.

What businesses should do now

According to the Commission's statement released today, it will support Data Act implementation by launching a Legal Helpdesk to assist companies, issuing guidance on trade secrets protection, and publishing model terms for data sharing as well as standard clauses for cloud contracts to ease compliance.

But until then, here are some necessary practical steps:

Map your data flows and use cases: identify all data generated by connected products and related services, classify it as personal/non-personal, identify their origin, and document lawful bases. Identifiy whether it is protected by sector-specific rules or not.
Adapt your systems for interoperability: Ensure technical readiness to deliver data in structured, standardized, and machine-readable formats. Upgrade or implement APIs and sharing mechanisms that support accessibility, portability, and interoperability in line with the Act’s requirements.
Document exceptions: establish a process for refusing access based on trade secrets or safety, with justification.
Strengthen governance: Analyze who controls the access to data. Review existing data-sharing arrangements, particularly in B2B contexts.
Update contracts: include mandatory transparency clauses and prepare for cloud switching obligations.
Establish internal policies: Develop and document clear internal data-sharing policies aligned with transparency and fairness obligations. Specify what data can be shared, on what terms, with whom, and for which purposes, and ensure this is communicated consistently to users and partners.
Ensure GDPR alignment: Map and reconcile overlaps between the Data Act and the GDPR. Document the legal basis for processing personal data, and ensure compliance is reflected in privacy notices, consent mechanisms, and records of processing activities.
Manage international transfers: Implement protocols to assess and, where necessary, restrict transfers of non-personal data to non-EU authorities. Establish internal processes for evaluating legality, notifying users, and complying with EU restrictions.