The Data Act [1] has been in force since September 12, 2025 - with the exception of Art. 3, para. 1 - but what exactly does the Data Act contain and how does it affect citizens, companies and manufacturers in the EU?
The Data Act creates a legal framework for fair access to and fair use of collected data generated by connected products and related services.
Furthermore, it contains information obligations regarding the type of data generated and is intended, among other things, to make it easier to switch providers, e.g. between cloud providers.
The Data Act is not a regulation requiring CE marking; it mainly contains procedural requirements.
The only indirect product requirement can be found in Article 3, paragraph 1 and only applies from September 12, 2026:
"Connected products shall be designed and manufactured and connected services shall be designed and provided in such a way that product data and connected service data [...] are directly accessible to the user in a simple, secure, free of charge, comprehensive, structured, commonly used and machine-readable format [...] by default."
In addition, Article 4, paragraph 1 requires that "data controllers shall make data readily available to the user [...] without undue delay, in a simple, secure, free-of-charge, commonly used and machine-readable format and [...] in the same quality".
These requirements have been in force since September 12, 2025.
For manufacturers, this primarily results in a software-side obligation to make collected data available to the user. According to the wording of the Data Act, the obligation only includes providing access; collected data does not have to be proactively transmitted to the user. The user is only entitled to access to the data and metadata. Possible implementations could be, for example, an HTTP API (Application Programming Interface) or a download link.
Furthermore, if no data is stored, the Data Act does not introduce a requirement that data must now be collected, stored and made accessible, even if the product is a networked product such as a Bluetooth headset.
Article 4, paragraph 4 reiterates that data holders must not unreasonably impede the rights of users through "the structure, design, function or operation of a digital user interface".
Article 3, paragraph 2 and paragraph 3 contain various information obligations towards the user. For example, "the nature, format and estimated amount of product data", whether it is real-time data, whether data is stored on the device itself or on servers and how this data can be accessed must be communicated to the user before a purchase contract is concluded.
A similar requirement applies to the use of a connected service such as an app, a cloud service or additional software.
Information must be provided about
- "the nature, estimated scope and frequency of the collection of the product data",
- "the nature and estimated scope of the related service data to be generated",
- whether the data controller uses the data itself,
- "the identity of the potential data controller",
- the means of contacting the data controller,
- how the user can make the data available to third parties and
- the "duration of the contract".
The Data Act also provides new and much-needed definitions for terms such as "connected products", "connected service", "data controller" or "data processing services".
The Data Act also overhauls how the right to use generated data is understood in Europe.
Article 4, paragraph 13 states that data holders may only use readily available data on the basis of a contract with the user. This is in clear contrast to the previous handling of collected data, which in many cases - including the use of cloud services by some IoT providers - was not even available to the users themselves.
The Data Act also does not limit these rights to natural persons, so it indirectly implies that the same applies to industrial data, i.e. data generated by legal entities such as companies.
This means that there is a need for action, which first and foremost requires data owners to rethink how they handle their data. This includes becoming aware of who is a data controller and who is a user.
It should then be clear that the information obligation under Article 4 must be complied with. This information should be communicated clearly and comprehensibly before a product is purchased, e.g. via the manufacturer's or service provider's website. It should not be hidden in some paragraph of the general terms and conditions (GTC).
Next, an interface should be implemented so that users can access their data. The Data Act does not make any technical specifications as to how such an interface should be implemented. For example, an HTTP(S) API would be sufficient for a limited amount of data to be transmitted. There is also no specific requirement for the data format - it simply has to be structured, common and machine-readable. JSON would be suitable for many data sets, but should only serve as an example of a possible data format here.
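One way the core of such an access interface could look, as an added example that is not part of the original article: the function below is the logic an HTTP(S) handler would call to return a user's product data together with its metadata as JSON. All names, tokens, device IDs and readings are constructed for illustration.

```python
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: readings stored per connected product.
READINGS = {
    "dev-1001": [{"ts": "2025-09-12T08:00:00Z", "temp_c": 21.4},
                 {"ts": "2025-09-12T08:05:00Z", "temp_c": 21.6}],
    "dev-2002": [{"ts": "2025-09-12T08:00:00Z", "temp_c": 19.0}],
}
# Constructed token table: token -> (user, devices that user may read).
# A real service would store only token hashes, never the tokens themselves.
TOKENS = {"tok-alice": ("alice", {"dev-1001"}),
          "tok-bob": ("bob", {"dev-2002"})}
# Metadata shipped with every export so the records can be interpreted.
METADATA = {"format": "application/json",
            "fields": {"ts": "ISO 8601 timestamp, UTC",
                       "temp_c": "temperature in degrees Celsius"}}


def _lookup(token):
    """Compare against every known token in constant time per comparison."""
    match = None
    for known, entry in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            match = entry
    return match


def handle_export(token, device_id):
    """Logic behind a hypothetical GET /devices/<id>/data endpoint.

    Returns (status, headers, body) for the HTTP layer to send.
    """
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    entry = _lookup(token or "")
    if entry is None:
        return 401, headers, json.dumps({"error": "unauthenticated"})
    user, devices = entry
    # Same response for "not your device" and "unknown device", so the
    # endpoint cannot be used to enumerate other users' device IDs.
    if device_id not in devices or device_id not in READINGS:
        return 404, headers, json.dumps({"error": "not found"})
    body = {"device_id": device_id,
            "user": user,
            "exported_at": datetime.now(timezone.utc).isoformat(),
            "metadata": METADATA,
            "records": READINGS[device_id]}  # stored records, unmodified
    return 200, headers, json.dumps(body, sort_keys=True)
```

The records are returned exactly as stored, and access is checked per device rather than per account, so one user's token never exposes another user's product data.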
It remains to be seen what impact the Data Act will have on the use of industrial data. According to critics, it at the very least contains clauses on trade secrets and prohibits users from launching a competing product on the market based on the data collected.
It is foreseeable that the Data Act should at least be suitable for research purposes.
Sanctions are a national matter. So far, no concrete figures from national implementations are known, but the sanctions are expected to consist mainly of fines. The GDPR sanctions - up to € 20,000,000 - are to apply in the event of a breach of data protection law.
At the same time, the Data Act contains exemptions for SMEs and other small to medium-sized enterprises in Article 7. For some data owners, it might be worth taking a look at the exact delimitation.
With 50 articles and 131 pages, the Data Act is a comprehensive piece of legislation, but it remains to be seen how big the waves it makes will be, who will make use of it, and in what form.
Author's note
This article has been machine translated into English.
DEFINITIONS AND ABBREVIATIONS
The General Data Protection Regulation (GDPR) is an EU regulation that standardizes the processing of personal data for almost all public and private bodies within the European Union. Its aim is to ensure the protection of personal data in the EU and at the same time enable the free movement of data in the European single market.
