The EU Data Act: A Plain-English Guide

The EU Data Act (Regulation (EU) 2023/2854) is a broad regulation governing data access, sharing, and portability across the EU. It entered into force in January 2024 and most provisions apply from September 12, 2025. It is one of the cornerstones of the EU's broader data strategy — alongside the Data Governance Act and GDPR.

The Act is built around the principle that data generated by connected devices and services should be more accessible — to the users who generate it, to third parties with legitimate interests, and to governments in exceptional public interest situations.

Unlike GDPR, which focuses primarily on personal data, the Data Act covers both personal and non-personal data generated through the use of products and services.

The Data Act's obligations fall on several categories of entities:

• Manufacturers of connected products: Any business that places IoT devices, industrial machinery, connected consumer goods, or smart equipment on the EU market — from washing machines to factory robots.
• Related service providers: Companies whose services are connected to IoT products (apps that control the device, cloud backends, data analytics services).
• Data holders: Any entity that legally controls or has access to data generated by connected products or services.
• Data recipients: Third parties that receive data under Data Act access rights.
• Cloud service providers: Subject to switching facilitation and interoperability requirements.

Micro-enterprises (fewer than 10 employees, annual turnover under €2M) are largely exempt from user data-sharing obligations.

• Data access for users: Users of connected products must have easy, free access to the data generated by their use. This data must be available in real-time where technically feasible.
• Third-party data sharing: Users can instruct manufacturers to share their data with third parties of their choice. Data holders cannot restrict this right unfairly.
• Fair contract terms: B2B data sharing contracts must not impose unfair terms. The Commission will define model contractual clauses. Data holders cannot charge excessive fees for data access.
• Cloud switching: Cloud service providers must make it easy and cost-free for customers to switch providers — with standardised data exports and a maximum 3-year transition for egress fees.
• Public sector access: In exceptional public interest situations (natural disasters, public health emergencies), public bodies can request access to private sector data.
• Interoperability: Data processing services must meet interoperability standards defined by the European Commission and ENISA.

EU member states are responsible for designating national competent authorities to enforce the Data Act. Penalties are set by national law but must be effective, proportionate, and dissuasive.

The Act requires that contracts violating its provisions are null and void. Authorities can require data holders to make data accessible and can impose administrative sanctions. Cross-border cases are handled through cooperation between national authorities.

Kortave's Data Act module covers the documentation and workflow layer:

• Scope assessment — determining which of your products and services are in scope
• Data access interface documentation and user-facing disclosure templates
• Third-party data sharing request workflow and audit log
• B2B data sharing contract review checklist aligned to the Act's fairness requirements
• Cloud switching compliance assessment for SaaS and cloud providers
• Regulatory alert: updates when Commission implementing acts and model clauses are published