Data Act: New rules for accessing and sharing data in the EU

What is the aim of the Data Act?

It is a piece of legislation that aims to strengthen the EU’s data economy and promote a competitive data market by making data (especially industrial data) more accessible and usable, promoting data-driven innovation, and increasing data availability. To achieve this goal, the Data Act ensures fairness in the distribution of data value among data economy actors. It clarifies who can use what data and under what conditions.

Why is the Data Act important?

Data plays an increasingly important role in every sector, from industrial production and agriculture to consumer technologies and services. The purpose of the Data Act is to:

1. Strengthen the EU data economy

• Data, especially industrial and IoT (Internet of Things) data, is becoming a valuable resource. The Data Act ensures that it will be used more fairly and efficiently.
• It helps to create a single European data market where data will be available across sectors and countries.

1. Enable fair distribution of data value

• It introduces clear rules on who can use what data and under what conditions.
• It protects users (both companies and individuals) so that they have control over the data they co-create, while maintaining incentives for producers and investors.

1. Support innovation and competitiveness

• Enables the emergence of new services and business models (e.g., services for connected devices, data-based insurance, predictive maintenance).
• Small and medium-sized enterprises in particular gain access to data that was previously controlled only by large companies.

1. Increase fairness in data relationships

• Protects SMEs (small and medium-sized enterprises) from unfair “take it or leave it” contractual terms.
• Ensures that mandatory data sharing between businesses is fair, proportionate, and non-discriminatory.

1. Improve the functioning of the public sector

• Enables public authorities to access certain data in emergency situations (e.g., natural disasters, pandemics, cyberattacks).
• This supports evidence-based decision-making without placing an unnecessary burden on businesses.

1. Facilitate switching between cloud services

• Reduces dependence on a single provider by introducing the right for customers to switch to another provider easily and free of charge.
• Promotes interoperability between services.

1. Preventing data abuse by foreign governments

• Introduces safeguards against illegal access by third-country governments to non-personal data stored in the EU.
• Ensures that European data protection standards also apply when data is transferred outside the EU.

1. Promote interoperability and common data spaces

• Facilitates the smooth flow of data between sectors and Member States.
• It lays the foundation for European data spaces in areas such as healthcare, energy, transport, and industry.
  • Examples of connected products: consumer products (e.g., connected cars, health monitoring devices, smart home devices), other products (e.g., aircraft, robots, industrial machinery).
  • Example of an associated service: a user buys a washing machine and installs an app that allows them to measure the environmental impact of the washing cycle based on data from various sensors inside the washing machine and adjusts the cycle accordingly. This app would be considered an associated service.

Extraterritorial application of the Data Act

Similar to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), the Data Act also has extraterritorial effect – it also applies to companies outside the EU if they offer products or services in the EU.

Where to start? How to find out if the Data Act applies to you?

The first step is to determine what products and services your company manufactures, offers, or uses, and what types of data they generate or store. The Data Act applies to anyone who:

• hold, license, or make data available to third parties;
• manufacture connected products (objects that serve to obtain, create, or collect data relating to their use or environment, which are capable of transmitting data from the product via an electronic communications service, physical connection or access from devices and whose main function is not to store, process, or transmit data on behalf of a party other than the user) or provide services related to them; or
• operate data processing services (e.g., cloud, edge computing).

It is very likely that the Data Act also affects your company – regardless of sector or size.

Classification of entities under the Data Act

The Regulation distinguishes between several roles that companies may play, often simultaneously:

• data holder – an entity that controls access to data;
• user of connected products or services – an entity that uses a device or service and generates data;
• data recipient – a third party to whom data may be made available;
• manufacturer of a connected product/provider of a related service – must ensure direct user access to data or provide it on request; and
• data processing service provider – e.g., cloud or edge solutions that must enable data transfer between services.

Main obligations of data holders under the Data Act

Under the Data Act, data holders have the following main obligations:

• Product design and manufacturing – products and services must be designed in such a way that users have direct access to data. If this is not possible, they must be able to obtain the data upon request. This obligation will apply to new products placed on the market from September 12, 2026.
• Transparency before concluding a contract – before concluding a contract, sellers, lessors, or service providers must clearly inform users what data the product generates, how it is stored, how long it is retained, how it can be obtained or deleted, and what options exist for sharing it with third parties.
• Data sharing – the Data Act introduces an obligation to share data in the context of B2C, B2B, and B2G (business-to-government). In crisis situations, public authorities will be able to request data from the private sector with minimal burden on businesses.
• Transition between service providers – Cloud providers must remove technical, contractual, or organizational barriers to migrating data to another provider or to their own infrastructure. The elimination of transition fees is planned to take place gradually.
• Contractual restrictions – from September 12, 2025, a ban on unilaterally imposed unfair contractual terms will apply. From September 12, 2027, this ban will also extend to existing long-term contracts or those ending after January 11, 2034.

Rights and protection of data subjects

The Data Act also protects those who make data available. Data holders have the right to require users or third parties to protect trade secrets and confidential information through contractual and technical measures. Users and recipients may not misuse the data to create competing products or obtain sensitive information about the economic situation of the data holder.

Relationship to the GDPR

If the Data Act affects data containing personal information, the GDPR takes precedence in the event of a conflict. It is therefore important to distinguish whether the data falls under personal data protection rules and whether there is a legal basis for its processing.

Timeline

• from 12.09.2025 – the Data Act begins to apply in the scope of the prohibition of unfair contractual terms for new contracts;
• From September 12, 2026 – Obligations relating to product design and manufacturing; and
• From September 12, 2027 – Extension of the prohibition of unfair contracts to existing contracts with a longer duration.

Penalties

Violations of the Data Act may result in sanctions ranging from warnings to fines based on the company’s annual turnover. In some Member States, fines may even be higher than those under the GDPR (up to 4% of global turnover). The amounts of the fines are determined by the national supervisory authorities.

Why start now?

Although not all obligations apply and take effect immediately, preparation for compliance is essential now. Companies should:

1. identify their role in the data ecosystem;
2. map the flow of data in products and services;
3. adjust contractual documentation, information materials, and processes; and
4. prepare mechanisms for data access and transfer between services.

Conclusion

The Data Act is a milestone in European digital policy. It strengthens user rights, introduces new obligations for companies, and paves the way for a fair and innovative data economy. For companies, this is both a challenge and an opportunity to turn their data into a new competitive advantage.

References

1. European Commission. “Data Act Explained.” Available at: https://digital-strategy.ec.europa.eu/sk/factpages/data-act-explained. 12.09.2025.