Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 – commonly referred to as the EU Data Act – is one of the cornerstone instruments of the European digital strategy. The Regulation has been applicable since 12 September 2025 and fundamentally reshapes the rules governing access to data generated by connected devices, the obligations of platforms regarding data portability, and the framework for data sharing between the public and private sectors. This article examines the scope of the Data Act, its principal regulatory requirements, the implications for data governance within organisations, and the key compliance obligations that organisations operating in the EU market should address.
1. Background and Objectives
The Data Act forms part of a broader EU regulatory package on the European data economy, which also includes the Data Governance Act (DGA) and the General Data Protection Regulation (GDPR). While the GDPR focuses on the protection of personal data and the DGA establishes institutional frameworks for voluntary data sharing, the Data Act primarily addresses access to data generated by network-connected devices – including IoT devices – and the right to data portability.
The central objective of the Regulation is to ensure that data generated through the use of connected products and digital services does not remain exclusively in the hands of manufacturers and service providers, but can instead be accessed, transferred and used by users – including for the purpose of obtaining services from third parties of their choice.
In this way, the Data Act advances the broader ambition of EU digital policy: to increase data flows across the economy and reduce data silos in which valuable information remains locked within the closed ecosystems of individual market players.
2. Scope of Application
2.1 Entities Subject to the Regulation
The Data Act applies to a wide range of entities:
- manufacturers of connected products placed on the EU market – including IoT devices, smart home appliances, vehicles and industrial equipment;
- providers of related services, including companion applications, cloud platforms and after-sales services;
- providers of data processing services, including cloud service providers;
- public sector bodies, which may seek access to data held by private entities in exceptional circumstances.
The Regulation applies whenever a product or service is offered on the EU market, regardless of where the manufacturer or provider is established.
2.2 Categories of Data Covered
The Data Act primarily covers non-personal data, or mixed datasets containing both personal and non-personal data, generated through the use of connected products. It does not, however, exclude personal data from its scope – where data processing involves personal data, the GDPR applies concurrently.
The Regulation also covers data that constitutes trade secrets. In such cases, it provides specific safeguards, allowing data holders to refuse or restrict disclosure where this is justified and proportionate.
3. Key Regulatory Requirements
3.1 User Access to Data (Articles 4–6)
One of the foundational principles of the Data Act is the right of users to access data generated by the connected products they use. This right applies both to consumers and to businesses using connected devices in the course of their commercial activities.
Manufacturers and providers of related services are required to ensure that data is accessible by default – without users having to take any additional steps to obtain it. Data must be made available easily, securely and in a machine-readable format.
3.2 Data Sharing with Third Parties (Article 5)
At the request of the user, the manufacturer or provider of a related service is required to make data available to a third party designated by that user. The third party may use the data solely for the purposes specified by the user and may not use it for purposes that go beyond the scope defined by the user – including, in particular, the development of competing services or models, unless this is necessary for the provision of the requested service.
3.3 Prohibition of Unfair Contractual Terms (Article 13)
The Data Act introduces rules designed to protect small and medium-sized enterprises against the unilateral imposition of unfair contractual terms relating to data sharing. Contractual provisions that are manifestly unfair or create a significant imbalance in the rights and obligations of the parties are deemed non-binding.
The European Commission is empowered to develop model contractual terms that parties may use as a starting point for negotiation.
3.4 Switching Between Cloud Service Providers (Articles 23–31)
One of the most significant areas of the Regulation concerns the obligations of cloud service providers with respect to data portability. Cloud providers are required to enable their customers to:
- transfer data and applications to another provider – without unjustified technical or commercial barriers;
- maintain continuity of service throughout the switching process;
- access standard interfaces that ensure interoperability.
These provisions are intended to address the problem of vendor lock-in, whereby customers become dependent on a single cloud provider. Providers are also required to progressively eliminate charges for outbound data transfers within the timeframe set out in the Regulation.
3.5 Public Sector Access to Data (Articles 14–22)
The Data Act establishes a mechanism through which public sector bodies may, in exceptional circumstances, request access to data held by private entities. Such access may be granted in emergency situations – such as natural disasters, public health crises or threats to public security – or in other exceptional cases where data is essential to the performance of a public task and cannot be obtained through other means.
This mechanism is subject to strict conditions of proportionality and subsidiarity: public bodies may only request data to the extent strictly necessary and only where they are unable to obtain it from other sources.
4. Key Obligations by Category of Actor
The table below sets out the principal obligations arising under the Data Act, organised by category of actor.
| Actor | Principal Obligations | Date of Application |
| --- | --- | --- |
| Manufacturer / provider of related services | Ensuring data access; making data available to third parties at the user’s request | 12 September 2025 |
| Cloud service provider | Enabling data portability, interoperability, and elimination of outbound data transfer charges | Progressively – 2025 to 2027 |
| Third party (data recipient) | Using data solely for purposes specified by the user; prohibition on competitive profiling | 12 September 2025 |
| Public sector body | Requesting access only in exceptional circumstances and only to the extent strictly necessary | 12 September 2025 |
5. Relationship with Other EU Regulations
5.1 Data Act and GDPR
The Data Act does not replace or limit the application of the GDPR. Where data processing involves personal data, both frameworks apply concurrently. Organisations are required to ensure that the mechanisms they implement to comply with the Data Act do not conflict with the data protection principles set out in the GDPR – in particular the principles of data minimisation, purpose limitation, and the requirement for a lawful basis for processing.
5.2 Data Act and the Data Governance Act
The Data Governance Act (DGA) establishes the institutional framework for data sharing in the EU – including rules on data intermediaries and data altruism mechanisms. The Data Act complements this framework by setting out the specific rights and obligations of individual actors – manufacturers, service providers and users – with respect to data access. The two regulations should be read and applied together as components of a single EU data governance system.
5.3 Data Act and the AI Act
The AI Act imposes obligations on providers of AI models – in particular general-purpose AI models (GPAI) – relating to training data governance and transparency. The Data Act affects the data sources available to organisations developing AI systems: it broadens the potential for obtaining data from IoT devices and digital platforms, while simultaneously introducing restrictions on the purposes for which that data may be further processed.
6. Implications for Organisational Data Governance
6.1 Review of the Product and Service Portfolio
The first step in implementing the Data Act should be a review of the organisation’s product and service portfolio to assess the scope of the Regulation’s application. Organisations should identify which of their products meet the definition of a “connected product” and determine what categories of data those products generate.
6.2 Technical Architecture for Data Access
The Data Act requires organisations to design or adapt their technical architecture so that data can be made available to users or third parties in real time or on request. This necessitates the implementation of appropriate interfaces (APIs), authentication mechanisms, and audit logs that document data flows.
6.3 Contract Review and Data-Related Clauses
Organisations should conduct a review of their existing agreements with technology providers, business partners and customers to assess compliance with the Data Act’s requirements. In particular, they should evaluate whether existing data-related contractual provisions meet the fairness standard under Article 13 and properly address the rules on data sharing and portability.
6.4 Procedures for Handling Data Access Requests
Organisations that manufacture connected products or provide related services should implement procedures for handling data access requests from users and third parties. Those procedures should define how to verify the requester’s entitlement, the scope of data to be disclosed, applicable response timelines, and the measures in place to protect trade secret data.
6.5 Compliance Readiness for Cloud Providers
Cloud service providers should ensure that they are prepared to meet the data portability requirements in accordance with the phased timeline set out in the Data Act. This encompasses both technical aspects – interoperability, standard interfaces – and commercial aspects, including the elimination of outbound data transfer charges.
7. Timeline: Entry into Force and Application
| Date / Milestone | Regulatory Event |
| --- | --- |
| 11 January 2024 | Data Act enters into force |
| 12 September 2025 | General application of the Regulation |
| 12 September 2027 | Elimination of outbound data transfer charges – cloud providers |
| 12 September 2027 | Unfair contractual terms rules (Chapter IV) extended to long-term B2B contracts concluded before 12 September 2025 |
8. Enforcement and Sanctions
The Data Act does not itself prescribe the level of financial penalties – that responsibility rests with the Member States. Each Member State is required to designate competent supervisory authorities responsible for enforcing the Regulation and to establish sanctions that are effective, proportionate and dissuasive.
Drawing on experience with the implementation of the GDPR, it is reasonable to expect that Member States will introduce significant financial penalties for infringements of the Data Act’s core obligations. Organisations should factor this risk into the design of their compliance programmes.
Frequently Asked Questions (FAQ)
The EU Data Act is an EU regulation governing access to data generated by connected products and related digital services. It applies to manufacturers of IoT and other connected devices, providers of related services, cloud service providers, and third parties receiving access to data. It applies to any entity offering products or services on the EU market, regardless of where that entity is established.
The majority of the Data Act’s provisions have applied since 12 September 2025. Certain obligations for cloud providers – in particular the elimination of outbound data transfer charges – are being phased in progressively through to 2027.
The Data Act and the GDPR apply in parallel. Where data generated by connected devices constitutes personal data, both legal frameworks apply simultaneously. The Data Act does not override or repeal any provision of the GDPR. Organisations must ensure compliance with both regulations.
The Data Act does not provide a general opt-out for manufacturers or service providers – they are, as a rule, required to make data accessible. However, disclosure may be refused or restricted where the data constitutes a trade secret, provided that the refusal can be demonstrated to be justified and proportionate.
Yes. The Data Act also governs business-to-business (B2B) relationships. It provides protection for small and medium-sized enterprises against the imposition of unfair contractual terms and grants business users the right to have data shared with third parties of their choosing.
The Data Act does not itself set out specific penalty amounts – this is a matter for each Member State. Member States are required to establish effective and dissuasive sanctions for infringements of the Regulation. Based on the approach taken under the GDPR, financial penalties are the most likely instrument in the majority of EU jurisdictions.
Conclusion
The EU Data Act represents a significant shift in the regulatory framework governing the European data economy. By expanding user rights over data generated by connected devices and digital platforms, it directly affects the business models of manufacturers, cloud service providers and organisations that work with data at scale.
Implementing the Data Act requires a systemic approach – one that integrates legal analysis and contract review with changes to technical architecture and operational processes. Organisations that embed Data Act compliance within a broader data governance framework will be better positioned to meet their regulatory obligations and manage associated legal risks. The Data Act should be read alongside the other pillars of EU data law – the GDPR, the Data Governance Act and the AI Act – as part of a coherent regulatory system shaping the data economy across the European Union.