On September 14, 2025, the major provisions of the EU Data Act went into effect, affecting companies that produce connected products or offer related services, as well as third parties that may receive data from a connected device (even if the company is not located in the EU). The Act provides new rights to access data, implements new product design requirements, makes it easier for consumers to switch between providers, imposes new contract requirements, and more. In this article, we will discuss the major aspects of the EU Data Act, so that you can determine the compliance requirements that your business may be subject to.
Who does the EU Data Act apply to?
First, the EU Data Act applies to Internet of Things devices, which the Act defines as “connected products that obtain, generate or collect, by means of their components or operating systems, data concerning their performance, use or environment and that are able to communicate those data via an electronic communications service, a physical connection, or on-device access.” Examples of IoT devices may include smart watches, vehicles, televisions, aircraft and agricultural machinery. The Act applies to companies that create these connected products.
Second, the Act can also apply to companies that provide a service related to the connected product, such as monitoring services or cloud services that are tied to a connected device. Third, the Act can apply to third parties that receive data from a connected device from the user of that device, such as repair companies or app developers. Lastly, the Act applies to public sector and government bodies that may request data from a connected device in cases of exceptional need, such as public emergencies.
What are the data sharing obligations for the EU Data Act?
The EU Data Act enables users of connected products and related services to obtain all raw and pre-processed data generated by the product or related service that is readily available to the manufacturer of the product or provider of the related service. The user of the product or related service will then be able to provide this data to another provider or ask the manufacturer or provider to give this data to another provider. Users should be able to request this data through a simple process and this data must be provided free of charge. This particular portion of the EU Data Act aims to make it easier for consumers to switch between different connected products and providers by essentially further solidifying the data portability right of the General Data Protection Regulation.
The EU Data Act also introduces rules for when a business has a legal obligation under EU law to make the IoT data available to another business. In this case, the data holder may request reasonable compensation for making this data available, whereas data made available to consumers must be provided for free.
What are the unfair contractual terms prohibited by the EU Data Act?
The EU Data Act establishes a list of contractual terms that are always considered unfair, and of terms that are presumed to be unfair, in contracts for connected devices or related services. If a contract includes these terms, they are considered invalid and are simply severed from the contract. The list of unfair contract terms can be found in Article 13 of the Act; examples include terms that exclude or limit the liability of one party for intentional acts or gross negligence, and terms that exclude the remedies available to a party.
Access of data by governments
The EU Data Act provides that data held by private companies from connected devices or related services may be accessed by a public sector body to serve a public interest. It is important to note that the Act allows public sector entities to access this data only when there is an exceptional need to do so, such as public emergencies (including major natural or human-induced disasters, pandemics and cybersecurity incidents) and non-emergency situations such as optimizing traffic flows.
Enforcement
To enforce the EU Data Act, EU Member States must designate one or more competent authorities to ensure the effective implementation of the Act. Whenever there are multiple authorities, Member States must designate one of them as the “data coordinator”, which will act as a one-stop shop for all issues related to the Data Act. Member States may also set up certified dispute settlement bodies to assist parties who cannot agree on fair terms to make the data available.
Businesses should evaluate whether they are manufacturing connected devices, providing related products or receiving data from connected products. If your business is doing any of the above, you should prepare to provide and share access to the data associated with such devices, as well as to meet the other obligations of the Act discussed above.