Data Protection Academy » Data Protection News » EU Data Act

EU Data Act 2025

EU Data Act: Obligations, scope of application and your roadmap for implementation

The EU Data Act (Regulation (EU) 2023/2854) is one of the central EU regulatory packages of the digital strategy. The aim is to regulate access to and use of data in a fairer and more competition-friendly way: Users should have easier access to the product and service data they generate, companies should experience less „vendor lock-in“ with cloud service providers and public bodies should be given access to non-personal data in exceptional cases (e.g. emergencies). All under the premise that data protection (GDPR) and business secrets are protected. Since 12 September 2025 it is applicable and entails specific obligations for numerous organisations.

Many organisations still underestimate how much this law will affect their business. While the General Data Protection Regulation (GDPR) reorganised the handling of personal data a few years ago, the Data Act is now targeting the entire world of non-personal data, especially that which is generated when using networked products and digital services. This means that every machine, every vehicle and every IoT device that generates data falls within its scope. Cloud service providers, digital platform operators and even organisations that only want to reuse such data are also directly affected.

Key information on the Data Act

  • The EU Data Act (Regulation (EU) 2023/2854) is intended to ensure fair access to data, Promoting innovation and barriers to competition reduce. In future, users of networked products and digital services should be able to access the data they generate more easily.
  • The Data Act concerns Manufacturer of connected products„ (e.g. machines, vehicles, IoT devices), Provider of cloud and data processing services and organisations that use or provide such data. SMEs benefit from exemptions to avoid excessive burdens.
  • Manufacturers must provide users Access to product and service data enable, cloud providers must Facilitate switching between services, and unfair contractual clauses in the B2B sector are declared invalid. Public authorities may request data in exceptional cases („exceptional need“).
  • The Data Act does not interfere with the GDPR Personal data remains subject to data protection law. Business secrets and sensitive company information are also protected in that data disclosure may be restricted in certain cases.
  • The regulation came into force at the beginning of 2024 and most of the obligations will apply from 12 September 2025. Longer transition periods until 2026 or 2027 apply for certain regulations, such as when switching to the cloud or for new products coming onto the market.

The EU Data Act is officially entitled Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Regulation) (Text with EEA relevance). The legal text can be accessed via the following external link be viewed.

Content on the Data Act:

What is the Data Act?

The Data Act is an EU regulation with the official title Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act). The regulation was adopted in December 2023 and was formally published in the EU Official Journal. It entered into force after publication and will apply in a staggered manner. The Commission describes the Data Act as a law that „makes more data available for use and lays down rules on who can use what data and under what conditions“.

Objectives and motivation of the Data Act

The Data Act is part of the EU's comprehensive data strategy, which aims to make Europe a leading location for a fair, innovative and sustainable data economy. When presenting the Act, the EU Commission made it clear that data has become one of the most valuable resources in recent years, but at the same time a large part of its potential remains unutilised. The reasons for this are often closed systems, monopoly-like structures of large providers or simply unclear legal bases for the exchange.

The EU wants to change this situation with the Data Act. In future, it should be clearly regulated who is authorised to access which data, under what conditions this access is possible and what protection mechanisms exist. This not only creates a legal framework, but also aims to boost innovation: Data should be shared more easily, business models developed more easily and dependencies on large cloud or platform providers reduced.

  • More competition and less lock-in with platform and cloud providers;
  • Facilitating data-driven business models (e.g. predictive maintenance);
  • Protection of user rights and clear rules for contractual relationships in the B2B sector.

Differentiation from other regulations

The Data Act supplements (and is not superior to) the GDPR; it also supplements the Data Governance Act (DGA), which tends to address governance/infrastructure issues. In the event of conflicts with data protection law, the GDPR takes precedence.

Our recommendations for further information

Data Act scope: who and what is affected?

The crucial question for every organisation is: Does my business even fall within the scope of the Data Act? In many cases, the answer is yes.

Definition: „Product data or service data“ and networked products

Affected above all are Manufacturer of networked products, i.e. machines, vehicles, household appliances and industrial IoT sensors. A connected product is more than just a device with internet access, according to the Data Act. The decisive factor is that the product is connected to a digital service and exchanges data in the process. Imagine you buy a connected car. What counts is not that the car is online, but that it is connected to a service (e.g. a navigation app or a maintenance service) and sends data to or receives data from this service. The connection can already exist at the time of purchase or be established later. Virtual assistants such as Alexa or Google Home also fall under this regulation as long as they interact with such a networked device and exchange data. However, service providers who supplement such products with software or additional digital services must also comply with the regulations.

The regulation is also aimed at Cloud providers and providers of data processing services, who will have to offer their customers more transparency and switching options in future. Organisations that want to use data from others, such as suppliers, maintenance companies or analysis service providers, will benefit from new rights, but at the same time have obligations to handle the data they receive fairly and in compliance with the law.

The Data Act defines precisely which types of data are meant:

  • Product dataThis is the data that is generated directly through the use of a networked device. Examples include usage data from a smart refrigerator or the speed and battery level of an e-bike. This is data that is generated, collected or recorded directly by the product itself.
  • Data from related services (related service data)This is the data that is generated when a digital service works together with the product. A good example is a fitness tracker app that counts and analyses your steps. The data generated through the use of this app, such as the graphical representation of your daily activity, falls under this category.

Actors involved

The regulation is aimed at a number of stakeholders, including:

  • Manufacturers of connected products (mechanical engineering, automotive industry, IoT device manufacturers),
  • Provider of related services (incl. app provider),
  • Data holders (who controls the data),
  • Data recipients (companies that receive data),
  • Providers of data processing services (cloud/hosting providers).

Special regulations for SMEs

There are simplifications for micro and small enterprises: certain chapters (e.g. obligations for access to connected products) do not apply or are restricted so as not to place an excessive burden on SMEs.

Relief for micro and small enterprises
The special regulations for SMEs primarily concern the obligation to grant users access to the data they generate. For micro and small enterprises, these obligations are greatly reduced or do not apply at all.

  • No obligation to pass on data: Under certain circumstances, SMEs do not have to pass on data from their networked products and associated services to users or third parties.
  • No obligation to pay compensation: There is also no obligation to pay compensation for the transfer of data to third parties.

Who is considered a micro or small enterprise?
The exact criteria are set out in the EU Commission's threshold values for SMEs:

  • Micro-enterprises: Less than 10 employees and an annual turnover or annual balance sheet of no more than 2 million euros.
  • Small companies: Less than 50 employees and an annual turnover or annual balance sheet of no more than 10 million euros.

This regulation is intended to ensure that the innovative strength and competitiveness of smaller companies are not impaired by the new requirements of the Data Act, while at the same time achieving the main objectives of the regulation (data control for users and promotion of the data economy).

The central contents and obligations of the Data Act

The EU Data Act brings far-reaching changes for the handling of data in Europe. The aim is to make access to data fairer, strengthen users' rights and promote innovation. To give you a quick overview, you will find the most important content summarised here in an easy-to-understand format.

User rights to data access (Chapter II)

The Data Act centres on the right of users to the data that their devices generate. Anyone who buys or uses a networked product such as a machine, a vehicle or a smart home device will in future be entitled to the data generated in the process. This data may not only be used by users themselves, but may also be passed on to third parties - such as repair services or software providers who provide additional functions.

Manufacturers may not restrict or deny access, not even through hidden clauses in contracts. At the same time, a distinction is made between readily available data and data that is difficult to collect: the latter does not have to be provided to the same extent. One important restriction concerns large digital platforms that fall under the Digital Markets Act (DMA). These so-called „gatekeepers“ may not automatically act as third parties in order not to further expand their market power.

Exemptions for public authorities (Chapter III)

The Data Act provides for government agencies to be granted access to company data in exceptional cases. This „exceptional need“ regulation only applies if it is really necessary - for example in the event of natural disasters, pandemics or other crises in which data is crucial for the common good. Authorities such as health authorities or statistical offices can then request non-personal data.

The following applies: the protection of business secrets takes priority and every request must be strictly justified. Micro and small companies are often exempt from this obligation so that they are not unduly burdened.

Protection against unfair contractual clauses (Chapter IV)

Another key point is the protection of companies from unfair contractual conditions. In practice, it is often the case that large market players impose clauses on smaller partners that restrict their rights - for example by restricting access to data or only granting one-sided usage rights.

The Data Act declares such clauses invalid in future. It also contains a list of contractual terms that are considered unfair in general or in certain cases. This is primarily intended to strengthen the negotiating position of small and medium-sized companies.

Cloud services: Change and transparency (Chapter VI & VII)

The regulations for cloud services are particularly relevant in practice. Many companies today complain that they are practically „stuck“ when switching providers - be it due to unclear contractual conditions, technical hurdles or high switching fees. The Data Act aims to break through these lock-in effects.

Cloud providers will be obliged to make it easier and more transparent to switch to other services. This includes open interfaces, clear information on data processing and security measures as well as the gradual abolition of switching and transfer fees. Such costs are to be completely banned by 2027 at the latest. For companies, this means more flexibility, the ability to implement multi-cloud strategies and less dependence on individual providers.

Access for public bodies (summarised outlook)

Finally, the Data Act also opens up new opportunities for authorities to access data. However, this is strictly regulated and limited to truly exceptional situations. It is important that both the interests of the general public and the protection rights of companies are safeguarded.

Important individual questions & exceptions

Data protection & GDPR

The Data Act supplements the General Data Protection Regulation (GDPR), but does not replace it. If the data in question is personal (i.e. can be directly or indirectly attributed to an identifiable person), the GDPR continues to take precedence. The Data Act does not create a new basis for processing personal data. Rather, it recommends anonymising or pseudonymising personal data in order to protect privacy before it is passed on.

Trade secrets

The protection of trade secrets remains intact under the Data Act. Organisations do not have to disclose critical information, such as manufacturing processes or algorithms, if it can be proven that their disclosure would lead to significant economic damage. In the event of disagreements, the Data Act provides mechanisms to resolve such disputes before the competent authorities and find a fair solution.

Data requests from authorities

When government agencies request data from organisations, they must do so under strict conditions. They must carefully justify the exceptional need. The requests are also limited in time and subject to certain conditions. A data request is only permitted if the authority cannot obtain the required data in a timely manner by other means. To ensure transparency, the EU has established a procedure that provides for the examination and publication of such requests.

Your path to implementing the EU Data Act

Prepare your organisation for the requirements of the EU Data Act. With our advice, you can develop a customised strategy to efficiently implement data access rights, contract reviews and technical requirements. This will help you create transparency, avoid legal risks and open up new business opportunities in the data-driven market.

Further Information

Deadlines, entry into force & transitional rules

  • 2023

    Publication

    The Data Act was adopted as Regulation (EU) 2023/2854 on 22 December 2023 published in the Official Journal of the European Union.

  • 2024

    Entry into force

    The ordinance came into force 20 days after its publication, i.e. on 11 January 2024.

  • 2025

    General applicability

    Most of the provisions of the Data Act are applicable from 12 September 2025 applicable. This means that organisations must implement the requirements of the regulation from this date.

  • 2026

    Specific duties

    There are longer transitional periods for some regulations. For example, the obligation to provide users with access to data from connected products (Article 3(1)) only applies to products that are after 12 September 2026 be brought onto the market. This should give manufacturers enough time to adapt their products and systems.

  • 2027

    Transition phase with reduced fees

    Transition phase with reduced fees (switching/egress charges schedule) until 12 January 2027. Switching charges generally prohibited be. Information and transparency obligations apply earlier. This staggering gives companies time to make technical adjustments.

Practical guide: Roadmap for implementation

1. stocktaking and data inventory
Start with a comprehensive inventory. Identify all networked products and related services that your organisation offers. Clarify which types of data (product data and related service data) are generated. Document where this data is stored (cloud, local servers) and who is responsible for it within the organisation. This step requires close collaboration between the legal, IT and specialist departments. An accurate inventory is the basis for all further compliance measures.

2. contract review and adjustment
Analyse your general terms and conditions (GTC), service level agreements (SLAs) and B2B contracts to determine whether they contain potentially unfair clauses. Prepare new, Data Act-compliant model clauses. The recommendations expected from the Commission can help here. The aim is to eliminate unilateral clauses that restrict the user's access to data.

1. technical implementation and interoperability
Once the legal basis has been created, the focus is on the technology. Develop interfaces (APIs) to provide users with easy access to their data. Ensure that the data is provided in machine-readable formats and create the necessary documentation. Promote the use of open and standardised formats to facilitate interoperability.

2. data protection and governance
Ensuring that the processing of personal data complies with the GDPR is a top priority. Review your data processing procedures to ensure compliance with basic principles such as data minimisation. Consider the use of pseudonymisation or anonymisation to protect user privacy before data is shared.

3. responsibilities and contact with authorities
Designate clear responsibilities. A compliance officer or data protection officer should be in charge of compliance with the Data Act. Organisations outside the EU may need to appoint a legal representative. Ensure that your contact details are on file with the relevant national authorities.

1. review of the business model
Use the Data Act as an opportunity to rethink your business model. Review how you monetise data and set fair prices. Check whether new services based on data are possible, for example the establishment of data marketplaces or the development of value-added services.

2. utilisation of opportunities
The Data Act can be a competitive advantage for your organisation. By improving data control, you can build trust with customers and take a leading role in the data-driven economy. Think about how you can use data not just as a product, but as a foundation for better customer service or new, innovative offerings.

Consequences for organisations: Opportunities & risks

Opportunities

The Data Act opens up a wide range of opportunities for organisations, especially for smaller players and start-ups:

  • New competition: Simplified access to product data enables small and medium-sized enterprises (SMEs) to develop innovative, data-driven products and services. For example, a small company can develop an app to monitor the energy consumption of smart household appliances or offer an independent maintenance service for e-bikes. This creates new markets and promotes competition.
  • Promotion of innovation: Open interfaces and the obligation to exchange data promote the emergence of platform ecosystems. Organisations can build new business models based on data from different devices and services. This accelerates the development of smart home solutions, smart cities and industrial applications.
  • Increased customer satisfaction: When customers have control over their data and can share it more easily with third-party providers, their satisfaction and trust in the products increases. This can strengthen customer loyalty and appeal to new target groups.

Risks & challenges

However, the implementation of the Data Act also poses challenges that companies must carefully manage:

  • High compliance costs: Organisations must introduce comprehensive internal processes. These include the creation of a precise Data inventory, the development of safe Data exchange interfaces, the review and adjustment of all contracts (Contract reviews) and the realisation of Data protection impact assessments (if personal data is involved). This effort can be considerable, especially for companies without specialised legal or IT departments.
  • Liability and competition risks: An incorrect interpretation of the legal requirements can have serious legal consequences. Companies need to know exactly under what conditions they may refuse access to data (e.g. to protect business secrets). Violations of the Data Act can be penalised with severe sanctions, which are determined by the member states. Similar to the GDPR, these penalties can be very high.
  • Complexity in data management and security: Handling data from different devices and service providers requires robust technical systems. Companies must ensure that data is transferred securely and in a compatible format to avoid data leaks and security risks.
  • Loss of competitive advantages: Some companies fear that sharing data with third parties could reduce their lead in the market, as competitors could gain access to valuable usage patterns or insights. However, the law aims to view this data not as an exclusive commodity, but as the basis for a broader, more open market.

FAQs Data Act

The Data Act is the EU regulation (Regulation (EU) 2023/2854) that sets out rules for fair access to product and company data, cloud switching and exemptions for public bodies.

The regulation came into force after publication. The majority of the obligations will apply from 12 September 2025, certain obligations for new products will apply from 12 September 2026 (e.g. Art. 3(1)).

It applies in principle to personal and non-personal data, but is subordinate to the GDPR. The GDPR remains authoritative for personal data.

Cloud providers must create transparency, fees for switching charges will be gradually reduced and are to be abolished from 12 January 2027.

The Data Act permits the refusal of access to data in narrow, proven cases if there is otherwise a risk of serious economic damage; disputes are decided by the competent national authorities.

Member States lay down rules on sanctions; supervisory authorities may impose fines under Art. 83 GDPR for certain chapters. The sanctions should be effective, proportionate and dissuasive.

SMEs have exceptions/exemption periods in certain areas, but an early inventory, contract review and prioritisation of technical measures is still recommended.

Newsletter registration

Conclusion: EU Data Act

The EU Data Act is a fundamental piece of legislation that will permanently change the data ecosystem in Europe. For organisations, this means preparing in good time (data inventory, contract templates, technical exportability), ensuring GDPR compliance and examining business models that benefit from better access to data. The opportunities (new services, fairer competition) outweigh the disadvantages if organisations act proactively.

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

DSMS according to GDPR: Structure & practical implementation

Learn all about templates, structure and implementation of a GDPR-compliant data protection management system (DMS).
Read more
artificial intelligence

AI and data protection in practice

Find out how artificial intelligence can be used in compliance with the GDPR. A practical guide.
Read more
artificial intelligence

AI REGULATION: Regulation of artificial intelligence

Find out all about the EU and German AI regulation: current status, legal requirements and effects.
Read more