On September 12, 2025 will the EU Data Act (Regulation (EU) 2023/2854) is directly applicable in all EU Member States after a twenty-month transposition period. The regulation already entered into force on 11 January 2024 and forms a key component of the European data strategy. Its aim is to make the use of data in the EU fairer, safer, and more user-friendly – both in business-to-business (B2B) and business-to-consumer (B2C) transactions, as well as in dealings with public authorities (B2G).
The Data Act regulates in particular the Access to and sharing of usage data from networked products and related services – such as IoT devices, smart home technologies, or industrial plants. This affects numerous companies that generate, store, or process data – regardless of whether they are manufacturers, service providers, or platform providers.
Key Provisions and Obligations for Companies:
- Access rights to usage data: Users—both individuals and companies—are granted comprehensive rights to access the data they generate. This data must be provided in a structured, commonly used, and machine-readable format.
- Data Usage Rights:: Companies should put in place contractual provisions to safeguard their continued right to use data generated through product use and to protect trade secrets.
- Data Disclosure Obligations:Companies may be required to disclose certain data to third parties or public authorities upon request, while safeguarding trade secrets and implementing appropriate protective measures.
- Contract drafting:The Data Act contains guidelines for fair contract drafting regarding data sharing between companies. Unfair contract terms are invalid.
- Cloud portability: Cloud service providers must make it easier for their customers to transfer their data between different services (data portability). This is designed to prevent vendor lock-in.
What Companies Should Do Now:
The Data Act affects a wide range of economic sectors—from manufacturing to healthcare to e-commerce. Companies should therefore assess at an early stage whether and to what extent they are affected by the new regulations, especially if they:
- offer connected products or digital services,
- store customer data or device data,
- provide or use cloud or edge computing services,
- exchanging or analyzing data in B2B partnerships.
We recommend reviewing existing data usage processes, contracts, and technical interfaces now to ensure compliance with the Data Act. The effort required to achieve compliance may be considerable, particularly with regard to IT systems, interfaces, and the design of user rights.
Starting September 12, 2026 , connected products newly placed on the market under the EU Data Act must be designed from the outset in such a way that access to the data they generate is technically possible for the user ("Access by Design")—applicable to all products newly placed on the market on or after this date.
Conclusion:
The EU Data Act marks a paradigm shift in European data law. Companies are well advised to address the new requirements at an early stage in order to operate in compliance with the law by the effective date of September 12, 2025.
If you have any questions regarding the implementation of the Data Act or the design of your data strategies in accordance with data protection and IT law, we would be pleased to assist you.