The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024. Most of its obligations become enforceable on 12 September 2025. For IoT manufacturers, connected product developers, cloud service providers, and data-driven businesses operating in the EU, the Data Act introduces significant new requirements that cannot be retrofitted at the last minute.
What problem does the Data Act solve?
The EU identified a systemic problem: enormous amounts of valuable data are generated by connected products and related services — but that data remains locked with manufacturers and service providers. The users who generate the data cannot access it. Third parties who could create value from it cannot reach it. The Data Act is designed to change this, by establishing enforceable rights to data access and sharing.
The Act operates alongside GDPR (which governs personal data protection) and the Data Governance Act (which creates governance frameworks for data intermediaries). It covers both personal and non-personal data generated through the use of connected products and services.
Who is in scope?
The Data Act's obligations target several categories of businesses:
- Manufacturers of connected products: Any business placing IoT devices, connected industrial equipment, consumer electronics, smart home products, connected vehicles, medical devices, or agricultural machinery on the EU market.
- Related service providers: Companies providing services linked to connected products — apps, cloud backends, analytics platforms, management software — that process data generated by those products.
- Data holders: Any business that legally controls data generated by connected products or services and can make it technically accessible.
- Cloud and data processing service providers: Subject to the switching and interoperability provisions in Chapter VI.
Micro-enterprises (fewer than 10 employees, annual turnover under €2M) are largely exempt from the user data-sharing obligations — but not from all Data Act requirements.
User data access rights
The central obligation in the Data Act: users of connected products and services must have easy, real-time access to data generated by their use.
Concretely, this means:
- Data must be accessible by default — not locked behind support tickets or paid subscriptions
- Where technically feasible, access must be in real-time, directly on the device or via a simple interface
- Data must be provided in a structured, commonly used, machine-readable format
- The access mechanism must be clearly explained before the product is purchased
Manufacturers cannot use technical design choices as a pretext to prevent access. If the data exists and is technically accessible to the manufacturer, users have a right to it.
Third-party data sharing
Users can instruct manufacturers or service providers to share their data with third parties of the user's choosing — at the same quality and format as provided to the manufacturer itself.
Data holders must share requested data without undue delay. They cannot:
- Use data shared through third-party access for their own commercial purposes
- Discriminate against third parties relative to their own data-using activities
- Charge excessive or discriminatory fees for providing data access (cost-based compensation is permitted where justified)
There are exceptions for protecting trade secrets and for cases where disclosure would cause disproportionate harm — but these must be specifically justified and cannot be used as blanket refusals.
B2B data sharing: fairness requirements
When data is shared between businesses under contracts, the Data Act requires that terms be fair, reasonable, and non-discriminatory. Unfair contract terms in B2B data-sharing agreements are declared null and void.
The European Commission will publish model contractual clauses to help businesses structure compliant agreements. In the meantime, businesses should review existing data licensing and data supply agreements for terms that impose one-sided obligations, restrict downstream use disproportionately, or effectively lock the data recipient into the data holder's commercial ecosystem.
Cloud switching and interoperability
Chapter VI of the Data Act addresses switching between cloud service providers:
- Cloud providers must ensure customers can switch providers and port their data — at no cost after a transitional period (free from January 2027)
- Data export must be in standardised, interoperable formats — cloud providers cannot use proprietary formats to create lock-in
- Providers must cooperate with the customer's new provider to ensure functional equivalence during transition
- The Commission and ENISA are developing harmonised data processing standards that cloud providers must implement
For multi-cloud and hybrid cloud architectures, the Data Act should materially simplify migration — and creates legal recourse if providers obstruct switching.
What you should do before September 2025
- Map your data: Identify all data generated by your connected products and services. Classify it by type, processing location, and who currently has access.
- Assess your products: For each connected product, determine how users will access their data and whether your interface and terms comply with the Act.
- Review B2B contracts: Audit existing data-sharing and licensing agreements for terms that would be considered unfair under the Data Act.
- Update product documentation: Pre-sale information must clearly explain what data is collected, how users can access it, and what third-party sharing rights they have.
- Prepare the technical infrastructure: If you don't have a data access portal or API today, you need to build one.
The Data Act is not primarily a data protection regulation — it is a data economy regulation. It assumes data has value and that the value should flow to the people who generate it, not only to the companies that collect it. For IoT manufacturers and service providers built on proprietary data advantages, the Act fundamentally changes the competitive landscape. The September 2025 deadline is not a soft launch — it is an enforcement date.