What is the EU Data Act?
Regulation (EU) 2023/2854 — known as the EU Data Act — is the EU's attempt to unlock the value of industrial and IoT data that currently sits locked inside products and cloud platforms. It entered into force on 11 January 2024 and applies from 12 September 2025.
The Data Act sits alongside the Data Governance Act (Regulation (EU) 2022/868) and the GDPR. The GDPR governs personal data; the Data Act governs access to data generated by connected products and related services, regardless of whether it is personal or non-personal. In practice much IoT data is both — a smart meter reading is simultaneously energy-consumption data and personal data about a household's behaviour.
The Data Act does not create a new intellectual property right over data. It limits the ability to claim exclusivity over connected-product data and creates mandatory access rights for users. Industry lobbied heavily against it; the final text is a compromise.
Who does the EU Data Act apply to?
The Data Act applies to:
- Manufacturers of connected products placed on the EU market — IoT devices, smart appliances, connected vehicles, industrial equipment, wearables, anything that collects and transmits data
- Providers of related services — the companion apps, cloud backends, and analytics services associated with connected products
- Data holders — anyone who has the right to use data generated by a connected product (Art. 2(13)), including cloud providers storing that data
- Data recipients — third parties that users choose to share their connected-product data with (Art. 2(15))
- Data marketplace operators — intermediaries facilitating B2B or B2G data sharing
- Public sector bodies — in exceptional need situations, they can request access to private sector data (B2G, Art. 14-26)
- Cloud and data processing service providers — with specific obligations on switching and interoperability (Art. 23-31)
Pure SaaS companies with no connected hardware are largely outside Chapters II-III, but cloud infrastructure and platform providers are within scope of the cloud switching provisions (Chapter VI). The European Commission expects to issue guidance on edge cases.
Chapter II — User data access rights (Art. 3-8): what you must provide
This is the core of the Data Act for IoT and connected product companies. Under Art. 3, manufacturers must design connected products so that data generated by the product can be accessed by the user directly from the device or through an online service. The default must be "access by design" — not a post-hoc feature.
Art. 4 — Data access without cost
Data holders must make product data available to users in real-time or near-real-time, in a structured, commonly used, machine-readable format (JSON and CSV at minimum), and without cost. You cannot charge users for accessing data generated by their own use of your product.
Note: the prohibition on cost applies to user access. B2B data sharing may involve reasonable compensation under Art. 9.
Art. 5 — Sharing with third parties
Users can instruct the data holder to share their data with a third party of the user's choice. The data holder must fulfil this request. The third party then has limited rights to use the data for the purpose specified by the user — they cannot commercially exploit it for other purposes (Art. 6).
This is the most commercially disruptive provision for B2C IoT manufacturers: your competitors could become data recipients at your customer's request. You must have a technical pathway to honour this.
Art. 6 — Prohibition on contractual restrictions
Data holders cannot impose contractual terms that restrict users from accessing or sharing their data. Standard platform terms that prohibit data portability are void to the extent they conflict with the Data Act. Review your terms of service and privacy policy before September 2025.
Art. 8 — Switching to competing services
Users must be able to take their data to a competing service provider. This overlaps with the cloud switching provisions in Chapter VI but applies specifically in the context of connected-product related services.
Chapter III — B2B data sharing contracts (Art. 9-13)
When data is shared between businesses, the Data Act imposes mandatory contractual standards:
Art. 9 — Mandatory contract terms
Data-sharing contracts must specify: the type of data shared, its format, purpose of use, data quality standards, security requirements, liability allocation, and compensation mechanisms. Vague or incomplete data-sharing agreements don't satisfy the requirement.
Art. 12 — Prohibition on commercialisation
Data recipients cannot: use shared data to develop competing products, sell the data to third parties, or use it for purposes other than those agreed. Contractual enforcement alone is insufficient — you need access controls and audit rights.
Art. 13 — Unfair contract terms (SME protection)
When a data holder imposes terms on an SME data recipient (or vice versa), unfair terms are automatically void. The regulation includes a blacklist of per se unfair terms and a greylist of potentially unfair terms. If your data-sharing contracts haven't been reviewed against the Art. 13 blacklist, they may contain void clauses.
Key blacklisted terms include: unilateral rights to modify data quality specifications without notice, liability exclusions for data accuracy, and unlimited liability imposed on SME counterparties.
Chapter V — B2G data sharing (Art. 14-26): when the government can ask for your data
Public sector bodies (and certain EU institutions) can request access to privately held data in two situations:
- Exceptional need (Art. 15): public emergency, natural disaster, major public health risk, or similar. The request must specify the data needed, the purpose, and the duration. Data holders must respond promptly.
- Systemic need (Art. 16): for statistics, policy-making, or research where no equivalent data is publicly available.
B2G data use is strictly limited: the data must be used only for the stated purpose (Art. 20), deleted after the purpose is fulfilled (Art. 21), and not commercially exploited. Non-SME data holders can claim reasonable compensation (Art. 9(4)) — the Commission will issue guidelines on what "reasonable" means.
Practically: you need a documented process for assessing and responding to B2G requests. Designating an internal point of contact before September 2025 is sensible.
Chapter VI — Cloud switching (Art. 23-31): the 30-day maximum
This chapter applies to cloud service providers (IaaS, PaaS, SaaS at infrastructure/platform level) and data processing service providers. Key obligations:
Art. 25 — Maximum switching period: 30 days
From September 2025, the maximum time to complete a customer's switch to a competing cloud provider is 30 calendar days from the switch request. During that period, the provider must maintain service continuity. The regulation phases this in:
- September 2025 – September 2026: maximum 6 months
- September 2026 – September 2027: maximum 3 months
- September 2027 onwards: maximum 30 days
Art. 25(3) — Egress fees: zero from September 2027
Providers cannot charge for data egress during a switching period from September 2027 onwards. Before that date, egress fees must be reduced to cost-level. If your pricing model depends on egress fees as a switching deterrent, you have until September 2027 to restructure it — but starting the work now is advisable.
Art. 24 — Data export in standard formats
Providers must enable customers to export all their data in a commonly used, machine-readable format. Proprietary export formats that cannot be imported by competitors are non-compliant. Document your export API capabilities now.
Art. 28 — Interoperability standards
Providers must use open, European, or international interoperability standards where available. ETSI, ISO/IEC, and CENELEC standards apply. The Commission is working with ENISA on a European Cloud Scheme (EUCS) that will intersect with interoperability requirements.
Enforcement and penalties
Member States must designate national competent authorities by September 2025. Penalties are set by Member States but the Data Act specifies minimum maximums:
- Violations of cloud switching obligations: up to 1% of global annual turnover
- Violations of B2G provisions: up to 2% of global annual turnover
- Providing incorrect or misleading information: up to 1% of global turnover
There is no private right of action directly under the Data Act, but contractual violations (e.g. Art. 13 unfair terms in B2B contracts) give rise to civil claims.
Relationship with GDPR
The Data Act expressly does not affect GDPR rights. Where connected-product data includes personal data, both frameworks apply concurrently. Key points of intersection:
- Art. 4 Data Act (user data access) is distinct from GDPR Art. 15 (subject access). Both rights coexist — a user can invoke either or both.
- Data minimisation under GDPR may limit what can be retained and therefore shared under the Data Act.
- B2G data sharing involving personal data requires a GDPR legal basis. The Data Act itself constitutes a legal obligation (Art. 6(1)(c) GDPR) for the data holder.
- The sui generis database right under the Database Directive is largely excluded from the scope of Data Act obligations — data holders cannot use database rights to block Data Act access.
What to do before September 2025
If you're a connected product manufacturer or cloud/data processing service provider, your pre-September 2025 checklist:
- Scope assessment: map all connected products, related services, and data flows to confirm which Data Act chapters apply
- Access-by-design review: audit whether your products provide user data access in real-time/near-real-time, in machine-readable format, without cost
- Third-party sharing capability: build or document the technical mechanism for users to direct data to third parties
- Contract review: update all data-sharing contracts to include Art. 9 mandatory terms; audit for Art. 13 blacklisted clauses
- B2G process: designate a contact and draft an internal process for responding to B2G data requests
- Cloud switching (if applicable): document your switching process, export capabilities, and egress fee schedule
- GDPR intersection: update DPIAs where Data Act access/sharing affects personal data
Assess your compliance now
ComplyKit's free EU Data Act Compliance Checklist walks you through 40 items across six categories: scope and applicability, user access rights (Art. 3-8), data sharing contracts (Art. 9-13), cloud switching (Art. 23-31), B2G obligations (Art. 14-26), and technical safeguards. The generated report includes prioritised gap cards, a three-phase remediation roadmap, and deep dives on user access and cloud switching obligations.
→ Use the EU Data Act Compliance Checklist free
Also useful: GDPR Data Processing Agreement for the GDPR side of data sharing, or Privacy Policy Generator to update user-facing disclosures.