Skip to main content

EU Data Act

The EU Data Act governs access to and sharing of data from connected products and related services, and mandates easier cloud switching and interoperability. Most provisions apply from September 2025, with penalties set by member states.

Jurisdiction
European Union

Overview

The EU Data Act, Regulation (EU) 2023/2854, is a major piece of EU legislation governing fair access to and use of data generated by connected products and related services. Adopted in 2023, its main provisions became applicable in September 2025. It complements the GDPR, which focuses on personal data, by addressing both personal and non-personal data generated by devices such as smart appliances, industrial machines, and vehicles.

The Data Act aims to unlock the value of industrial and IoT data, rebalance bargaining power between businesses, and reduce lock-in to cloud providers. It is part of the EU's broader data strategy alongside the Data Governance Act.

Who It Applies To

The regulation applies to manufacturers of connected products and providers of related services placed on the EU market, data holders that control such data, recipients who receive data, public-sector bodies in defined circumstances, and providers of data-processing (cloud and edge) services. It reaches businesses globally to the extent they place connected products or services on the EU market.

Key Requirements

Connected products must be designed so users can easily access the data they generate. Data holders must make that data available to users and, at the user's request, to third parties on fair, reasonable, and non-discriminatory terms. Unfair contractual terms imposed on smaller businesses are prohibited. Cloud and edge providers must facilitate switching between services, remove obstacles and certain egress charges over time, and support interoperability. The Act also sets rules for public-sector access to data in exceptional need and includes safeguards against unlawful international data transfers.

Penalties for Non-Compliance

Member states designate competent authorities and set penalties, which must be effective, proportionate, and dissuasive. For breaches involving personal data, GDPR-level fines can apply. Authorities can order compliance and impose financial penalties that vary by country.

How to Comply

Manufacturers should build data-access capabilities into connected products and document available data. Data holders should prepare fair, transparent data-sharing terms and request-handling processes. Cloud providers should implement switching support, interoperability, and revised egress practices. Review contracts for prohibited unfair terms and coordinate with GDPR obligations.