On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU, and it is aimed at giving users more control over product-generated data and fostering the principles of transparency, fairness, and GDPR safeguards. This European regulation applies directly in the EU, which means that organizations shall be compliant starting on 12 September 2025. The Data Act converges with the GDPR in certain important matters, but its main focus is on data exchanged by connected products that affect the daily lives of people as well as the business activities of companies. It is important to flag that the Data Act targets companies and individuals as actors and beneficiaries of the rights set out within it. In fact, one of the goals of the European Commission in promoting a safe and fair use of data is to ensure a well-functioning internal market, in which micro, small and medium enterprises very often operate. Providing a clear framework for the use and exchange of data will also improve the development of the digital economy.

What does the Data Act regulate?

The Data Act sets important rules on the exchange of data (not only personal data) generated and shared by ‘connected products’. Connected products generate or collect data about their use or the environments around them, and transmit those data electronically, physically, or via an integrated access point. The most immediate examples of such products are connected vehicles, virtual assistants, and wearable devices. However, data within the scope of the Data Act also include machine- or software-derived data that are exchanged between devices. For example, any device that communicates information about its use, disruptions, health and status will be in scope for the Data Act.

Which organizations are impacted?

Companies that fall under the scope of the Data Act are listed by the law in different categories – sometimes fitting more than one. The most important categories are:

  • Manufacturers of connected products (IoT devices, smart machines, wearables, connected cars, etc.) that are placed on the EU market.
  • Providers of related digital services (apps, platforms, software integrated with such products).
  • Data holders (any natural or legal person, including public bodies, who has the right or obligation to use the data in the context of a specific product or service and make certain data available).
  • Data recipients (businesses or individuals to whom the data is made available).
  • Providers of cloud and edge services (including IaaS, PaaS, SaaS).

Key obligations of the Data Act

As we have already mentioned, the Data Act aims to give users transparency, information and data portability rights, but also to help create a productive framework for the development of competitiveness and interoperability in the market. Below we list the main obligations for the organizations that are affected by the Data Act:

  • Obligation to provide access to data: The Data Act stipulates that technical data regarding the use of the connected products shall be accessible to external parties (right of disclosure for external parties). The access should be granted in an easy, free of charge, quick and comprehensive manner.
  • Transparency obligations: The Data Act requires manufacturers and dealers (sellers, rental companies, lessors) to disclose to the user information regarding the data which is generated and passed on by the product before the contract is concluded.
  • Cloud switching: Customers must be able to easily switch to another cloud services provider.
  • Licence agreement: The provision of technical data must be regulated in a separate agreement. In fact, the use of the data shall be governed by contracts that clarify the specific purposes and provide additional means of protection for users.
  • Interoperability: Creating the conditions for a meaningful use of the data by the recipient when they are being shared or moved across different systems (devices, cloud services, connected products, etc.).

How does the Data Act interact with the GDPR?

Art. 1 para. 5 of the Data Act clarifies that the GDPR is applicable when personal data are involved, therefore the two Regulations “work” in parallel. When implementing the obligations of the Data Act, the GDPR shall be considered. Some relevant points on the intersection between the regulations are:

  • Right of the users to access data and Cloud switching: These expand the access and data portability principles under the GDPR. Under the Data Act, similarly to the GDPR's principle of data portability, companies shall facilitate the change of provider and avoid practices that restrict the choices of the users, including, for example, charges applied to the change.
  • Transparency obligations: Similar to the GDPR, the Data Act makes transparency on the use of the data a key part of the information provided for the service. According to the Act, sellers, lessors, or prospective providers of related services shall provide users with information on the data that their connected product or related service generates.
  • International transfers: The Data Act does not prevent companies from storing data outside of the EU; however, it imposes obligations on exporting organizations to protect EU data from unlawful access by governments of the non-EU countries to which data are transferred. This reflects the principles of Chapter V GDPR and the obligations under the current Standard Contractual Clauses.

Compliance with the Data Act

Compliance by companies falling under the scope of the Data Act is expected from 12 September 2025. The EU member states have the responsibility to oversee the implementation of the rules and have enforcement powers. Member states are therefore required to designate at least one competent authority to deal with the enforcement of the Data Act.

Companies are encouraged to prepare a “Data Act compliance strategy” and be ready to address the requirements of the Act, such as:

  • Technically update and adjust the concerned systems to make sure that data are accessible;
  • Provide clear information to the users;
  • Establish a process to handle data access and portability requests;
  • Adapt the contractual arrangements with third parties.

In the framework of the EU digital strategy, it is worth recalling the recent adoption by the European Data Protection Board (EDPB) of the guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). Those regulatory steps underline the aim of the European Commission (EC) to create a safe environment for the protection of EU citizens' fundamental rights in the new digital environment.

Organizations and service providers should align their compliance practices with the European Commission’s vision of creating safe conditions for both enterprises and consumers, ensuring the secure circulation of data on a broad scale. This means looking beyond the protection of personal data alone and embracing a wider perspective on data safety, particularly in the context of data exchange. Establishing a clear and robust data governance framework is essential to foster compliance not only with the Data Act but also with personal data legislation such as the GDPR.