Skip to content

AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Conformi/Knowledge Base/Data Act/Data Act
📈Data economy

Data Act — Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data

Analysis from 17 April 20262 sourcesOriginal version (OJ L, 2023/2854, 22.12.2023)EUR-Lex Original

Our IoT devices generate massive amounts of data — who actually owns it, and what happens if we refuse to share it with customers or third parties after September 2025?

From 12 September 2025, any manufacturer or service provider of connected products in the EU must grant users access to product data on request — penalties are set by Member States and, for personal data infringements under Chapters II, III and V, can reach up to EUR 20 million or 4% of global turnover under the GDPR enforcement channel [Art. 40(4)].

Short Answer

The Data Act creates a horizontal, cross-sector framework that forces data holders to share IoT and related service data with users and, upon user request, with third parties, on fair, reasonable and non-discriminatory (FRAND) terms [Art. 4, Art. 5]. It also prohibits unfair B2B contract terms that lock in data access [Art. 13], obliges cloud and data processing service providers to eliminate switching barriers and phase out switching charges entirely by 12 January 2027 [Art. 29], and introduces a regime for public-sector data requests in emergencies [Art. 14, Art. 15]. Compliance requires product redesign (data-by-design), new contractual frameworks, and interoperability readiness.

Who is affected

Manufacturers of connected products placed on the EU market, providers of related services, data holders making data available to EU data recipients, providers of data processing services (IaaS, PaaS, SaaS) serving EU customers, and public-sector bodies requesting emergency data — regardless of the establishment of the manufacturer or provider [Art. 1(3)]. SMEs receiving data under Art. 5 are shielded from certain compensation obligations [Art. 9(4)].

Deadline

12 September 2025: general application date for most provisions. 12 September 2026: Art. 3(1) design obligation applies to connected products placed on the market after that date. 12 January 2027: switching charges must be reduced to zero [Art. 29(5)]. 12 September 2027: Chapter IV (unfair terms) applies to pre-existing indefinite or long-term contracts [Art. 50].

Risk

Penalties are determined by each Member State and must be effective, proportionate and dissuasive [Art. 40(1)]. For infringements of Chapters II, III and V involving personal data, supervisory authorities may impose administrative fines up to EUR 20 million or 4% of worldwide annual turnover under Art. 83(5) GDPR [Art. 40(4)]. Criteria include the nature, gravity, scale and duration of the infringement, as well as financial benefits gained [Art. 40(3)].

Proof

Legal status

  • In force
  • as of 2026-04-17
  • Original version (OJ L, 2023/2854, 22.12.2023)

Primary sources

What to do now

Legal / DPO

  • Review and amend all B2B data-sharing contracts against the catalogue of unfair terms in [Art. 13(4)–(5)] — clauses that exclude liability for gross negligence or prevent data portability are automatically void.
  • Prepare trade-secret protection protocols for data disclosures to users and third parties: identify trade-secret data, agree on proportionate technical and organisational measures, and document refusal grounds under [Art. 4(6)–(8)].
  • Audit cloud and SaaS contracts for compliance with the switching-rights regime: maximum 2-month notice period, mandatory data export in standard formats, and zero switching charges from 12 January 2027 [Art. 25, Art. 29].

Compliance

  • Map all connected products and related services currently on the EU market and classify the data they generate by type, volume and personal/non-personal nature to determine the scope of obligations under [Art. 3(1)–(2)].
  • Establish a data-access request workflow so that user requests for product data are fulfilled without undue delay, free of charge, in a machine-readable format, and with relevant metadata [Art. 4(1)].
  • Document the rationale for any data-sharing restrictions based on security grounds [Art. 4(2)] and notify the competent authority designated under [Art. 37] whenever data sharing is refused, withheld or suspended.

IT / Security

  • Implement by-design data accessibility in all new connected products: data must be directly, securely and continuously accessible to the user in structured, machine-readable format by 12 September 2026 [Art. 3(1)].
  • Build API interfaces and technical infrastructure to enable third-party data recipients to receive user-authorised data under FRAND terms without compromising product security [Art. 5, Art. 6(2)].
  • Ensure interoperability of data processing services with common European data spaces by complying with essential requirements for data formats, vocabularies and APIs [Art. 33, Art. 34].

Product / Engineering

  • Redesign product information labels and pre-contractual disclosures to include data type, format, volume, real-time capability, storage location and retention duration for every connected product before sale [Art. 3(2)].
  • Verify that product data is not used to derive insights about users' economic situation or production methods, and contractually bind downstream third parties not to further share received data [Art. 4(13)–(14)].
  • Plan cloud-service migration readiness: ensure data export functionality supports functional equivalence with destination services and full portability of exportable data and digital assets [Art. 23, Art. 30].

Key Terms

Connected product
An item that obtains, generates or collects data concerning its performance, use or environment and is able to communicate product data via an electronic communications service, a physical connection or on-device access [Art. 2(5)].
Data holder
A natural or legal person who has the right or obligation, under the Data Act or other Union or national law, to make certain data available — typically the manufacturer or provider of related services [Art. 2(13)].
Readily available data
Product data and related service data that a data holder obtains or can obtain from the connected product or related service without disproportionate effort, going beyond a simple operation [Art. 2(17)].
Data processing service
A digital service provided to a customer that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature — covers IaaS, PaaS and SaaS [Art. 2(8)].
Switching
The process involving the extraction, transformation and uploading of data and digital assets from one provider of data processing services to another or to on-premises ICT infrastructure, including the termination of the old contract [Art. 2(30)].
Trade secret
Information that is secret, has commercial value because it is secret, and has been subject to reasonable steps to keep it secret — as defined in Article 2(1) of Directive (EU) 2016/943, referenced throughout the Data Act for data-sharing safeguards.
FRAND terms
Fair, reasonable and non-discriminatory terms and conditions under which data holders must make data available to data recipients [Art. 8(1)]. Compensation must be transparent and non-discriminatory.
Exceptional need
A legally defined circumstance under which a public-sector body may compel a private data holder to provide data — limited in time and scope to emergencies, disaster response or comparable situations [Art. 15].
?

Frequently Asked Questions

Which products are covered by the Data Act?
The Regulation covers all 'connected products' — physical items that obtain, generate or collect data concerning their performance, use or environment and communicate that data via an electronic communications service, physical connection or on-device access, as well as any related services [Art. 2(5)–(6)]. Virtual assistants are included insofar as they interact with a connected product [Art. 1(4)].
Can a manufacturer refuse to share data that contains trade secrets?
Only in exceptional circumstances: if the data holder can demonstrate that disclosure is highly likely to cause serious economic damage despite protective measures, it may refuse access on a case-by-case basis. The refusal must be substantiated in writing, and the competent authority must be notified [Art. 4(8)]. Otherwise, trade secrets must be shared under agreed confidentiality measures [Art. 4(6)].
Does the Data Act override the GDPR?
No. The Regulation explicitly states that in the event of a conflict between the Data Act and EU data protection or privacy law, the data protection or privacy rules prevail [Art. 1(5)]. The Data Act does not constitute a legal basis for the collection or generation of personal data by the data holder [Recital 7].
When must cloud switching charges reach zero?
Switching charges must be gradually reduced and completely withdrawn by 12 January 2027 [Art. 29(5)]. Until then, providers may charge only costs directly related to the switching process and must not exceed an amount reflecting the actual costs of the switch [Art. 29(2)].
Can the user share product data with any third party?
Yes, the user has the right to request the data holder to make readily available data directly accessible to a third party of the user's choice [Art. 5(1)]. However, that third party may not use the data to develop a competing connected product, use it for profiling (unless necessary for the service), or make it available to a gatekeeper designated under Regulation (EU) 2022/1925 [Art. 5(5), Art. 6(2)].
Are SMEs exempt from compensation obligations when receiving data?
Partly. Where the data recipient is a micro, small or medium-sized enterprise, compensation for making data available may not exceed the direct costs of making the data available. Any compensation must be agreed before data is made available [Art. 9(4)].
What are the interoperability requirements under the Data Act?
Operators of data spaces must meet essential requirements regarding data description, technical means of access, interoperable data formats, and machine-readable metadata [Art. 33(1)]. The Commission may adopt implementing acts establishing common specifications or harmonised standards for interoperability of data processing services [Art. 35].
3

Assessment Factors & Checklist

Premium
Start 7-day free trial
4

Questions for Your Lawyer

Premium
Start 7-day free trial
5

Conclusion & Summary

Premium
Start 7-day free trial

Detailed analysis with source links.

Schalten Sie die KI-Analyse frei — mit markierten Fundstellen und direkten Links zu EUR-Lex. 7 Tage kostenlos testen.

Start 7-day free trial

Keine Kreditkarte heute. Kündigung jederzeit.