The Data Act (Regulation (EU) 2023/2854) will apply from 12
September 2025 and it introduces significant obligations for
companies that manufacture IoT devices or provide digital services
or cloud services.
The new obligations include sharing data generated by connected
products and related services, ensuring transparency and meeting
specific requirements for contractual terms.
If your company manufactures IoT devices or provides digital
services or cloud services, we have outlined some key points and
recommendations below to help you begin preparing for compliance
with the Data Act.
On 11 January 2024, the Data Act entered into force as part of the European Commission's broader data strategy to make Europe a global leader in a data-driven society. The Data Act applies from 12 September 2025, with certain exceptions applicable from 12 September 2027, and imposes broad obligations on, inter alia, "connected product" manufacturers and sellers, companies providing "related services", i.e., certain digital services which relate to the product, and cloud service providers. The aim is to enhance access to and portability of data across sectors and foster competition and innovation.
A connected product, often referred to as an Internet of Things (IoT) device, is an item that obtains, generates, or collects data concerning its use and can communicate product data via an electronic communications service, physical connection, or on-device access. Connected products are found in a wide range of sectors, including infrastructure, automotive, health and lifestyle equipment, shipping, aircraft, home equipment and consumer goods, and medical and health devices.
Key takeaways for businesses include:
- Data sharing obligations for data holders: Data holders, including manufacturers and sellers of connected products and providers of related services, must enable, inter alia, users, businesses, and public sector bodies to access and reuse data generated by such products and services. This includes both personal and non-personal data.
- Expanded user rights: Users (individuals or businesses who own, rent, or lease connected products) are entitled to receive data generated by their use and share it with third parties of their choice. This right is enforceable, and technical and contractual barriers to such access must be removed.
- Cloud switching and portability: Cloud service providers are required to remove technical and contractual barriers to switching cloud providers or moving services back on-premises. Key provisions include reduced switching fees from 2024 to 2027 and a ban applicable from January 2027.
- Prohibition of unfair contract terms: The Data Act prohibits unfair contract terms unilaterally imposed on another company that grossly deviate from good commercial practice in data access and use. This includes exclusion of liability for intentional acts, gross negligence, or preventing data access and sharing during the term of a contract.
- Government access to data: International transfers of non-personal data to non-EU government authorities are only allowed in certain circumstances, subject to strict conditions.
- Enforcement and penalties: Similar to the GDPR, non-compliance can result in administrative fines of up to EUR 20 million or 4% of global annual turnover.
Companies offering connected products or related services as well as those providing or using cloud-based services should assess if they are subject to the Data Act. If so, depending on their role, the company must comply with various obligations mentioned above.
To prepare, companies should:
- identify whether your company is covered by the Data Act and, if so, in what role;
- map data flows and identify which data are generated and retained, including product data, related service data, and metadata;
- carry out a gap analysis identifying the obligations set out in the Data Act, e.g., regarding data-sharing, contractual requirements, and transparency obligations;
- ensure data sharing is technically feasible;
- review and revise template contractual terms and contracts with suppliers, customers, and users to meet the requirements set out in the Data Act, including in relation to eliminating "unfair terms";
- depending on your identified role, enable customer switching between data processing services, e.g., by removing technical, commercial, and organisational obstacles, removing switching charges and ensuring functional equivalence; and
- implement internal policies and procedures for handling user access and sharing requests.
Companies can gain meaningful synergies by integrating new measures to ensure compliance with the requirements under the Data Act with existing compliance measures and governance under, e.g., GDPR, NIS2, or Cyber/IT security in general. Leveraging established frameworks will support a more streamlined and coordinated approach to meeting the new requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.