EU Data Act And Potential Implications Beyond The EU

I. Introduction

EU Data Act¹ began to apply on 12 September 2025, granting users the right to access, use and share data generated by connected products² and related services³. Notably, pursuant to Article 7(1) of the EU Data Act, the obligations under Chapters II and III (covering business-to-consumer and business-to-business user access to product and related service data, as well as business-to-business data sharing obligations) do not apply to connected products manufactured or designed, or related services provided, by microenterprises or small enterprises, provided that such enterprises do not have partner or linked enterprises that do not qualify as microenterprises or small enterprises and are not subcontracted to manufacture or design a connected product or to provide a related service. In contrast to Regulation (EU) 2016/679 (GDPR), which focuses on the protection of personal data, the EU Data Act primarily addresses industrial and non-personal data, without prejudice to the GDPR where personal data is involved. Although the EU Data Act formally applies within the European Union, its practical reach extends beyond the EU. Any company that places connected products on the EU market may be subject to its requirements. For exporters to the EU, particularly in the automotive, electronics and machinery sectors, the EU Data Act introduces new compliance dimensions affecting product design, data accessibility and contractual arrangements.

II. Key Provisions of the EU Data Act

a. Access to Data by Design and by Default

Article 3 of the EU Data Act requires that connected products be designed and manufactured, and related services be provided, in such a manner that the data generated by the product or related service is accessible to the user. While most obligations under the EU Data Act will apply in September 2025, design-related requirements under Article 3(1) for newly placed connected products will take effect from September 2026. From that date, new connected products placed on the EU market will need to be designed so that users can access the information generated by the product directly, including via on-device interfaces or accompanying applications. By way of illustration, the design obligation under Article 3(1) may require that connected products enable users to directly access relevant data, for example by allowing an operator to view temperature data generated by a factory sensor, a driver to access vehicle data via the dashboard, or a user to monitor energy consumption through a smart appliance interface.⁴ This principle of access by design is conceptually aligned with the GDPR's notion of data protection by design and by default, without prejudice to the application of Regulation (EU) 2016/679 where personal data is involved, as reflected in the EU Data Act's recitals.⁵ It should be noted that these design obligations under Chapter II do not apply to microenterprises and small enterprises, unless they have partner or linked enterprises that do not qualify as such, or act as subcontractors in the manufacture or design of connected products or the provision of related services, pursuant to Article 7 of the EU Data Act.

b. Fair Data-Sharing, Transparency, Cloud Switching and Contract Fairness

Data Act sets out framework for how data can be shared among companies and with public authorities. The key provisions include:

• Free and structured access to data: Pursuant to Article 4 of the EU Data Act, users are entitled to access readily available product and related service data free of charge, in a structured, commonly used and machine-readable format. Users must be informed in advance, in accordance with Article 3, of the types of data generated, whether such data are available continuously and in real time, and how such data may be accessed.
• Transparency obligations: Data holders are subject to pre-contractual information obligations under Articles 3(2) and 3(3), requiring them, prior to the conclusion of a purchase, lease or service contract, to inform users about the types and characteristics of the data generated, whether such data are generated continuously and in real time, and the means by which they may be accessed. In addition, pursuant to Article 4(1), users have the right to access readily available data during the use of the product or related service, free of charge and in a structured, commonly used and machine-readable format.
• Protection of trade secrets: Under Recital 31, the EU Data Act emphasizes the need to strike a balance between fair data access and the protection of trade secrets. While trade secrets may be disclosed subject to appropriate technical and organizational safeguards, Articles 4(8) and 5(11) provide that, in exceptional circumstances, where a data holder can demonstrate that disclosure would be highly likely to cause serious economic damage despite such safeguards, access to specific data may be refused on a case-by-case basis.
• Prohibition of unfair contractual terms: Article 13 provides that contractual terms concerning access to and use of data, or liability, which have been unilaterally imposed in a business-to-business context and are unfair, shall not be binding on the other party. The Regulation further specifies certain terms that are deemed unfair, including clauses that exclude or limit liability for intentional acts or gross negligence, or that exclude remedies available to the other party in the event of non-performance. In addition, a number of terms are presumed to be unfair unless proven otherwise, such as clauses that allow one party to unilaterally determine whether the data supplied are in conformity with the contract or to unilaterally terminate the contract without reasonable notice.
• Cloud switching and interoperability: Articles 23 to 31 introduce a regime aimed at reducing commercial and technical barriers to switching providers of data processing services. Pursuant to Article 29, from 12 January 2027, providers of such services may no longer impose switching charges on customers. During the transitional period, only reduced switching charges not exceeding the costs directly linked to the switching process may be imposed.
• Gatekeeper restrictions: Pursuant to Article 5(3) of the EU Data Act, undertakings designated as gatekeepers under Article 3 of Regulation (EU) 2022/1925 (Digital Markets Act) shall not be eligible third parties under the EU Data Act. The European Commission has designated several undertakings as gatekeepers under the DMA, including Alphabet, Amazon, Apple, Meta, Microsoft, and ByteDance.⁶ Accordingly, such gatekeepers are prohibited from soliciting or commercially incentivizing users to make data generated by connected products or related services available to them, and third parties receiving data under the EU Data Act may not make such data available to gatekeepers.

c. International Access and Data Sovereignty

Articles 32(1) and (2) of the EU Data Act establish safeguards governing compliance with requests from third-country authorities seeking access to or transfer of non-personal data processed in the context of data processing services under the Regulation. A decision or judgment of a third-country court or tribunal, or of a third-country administrative authority, requiring such access or transfer shall be recognised or enforceable only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.

In the absence of such an international agreement, a transfer or access may take place only where the conditions set out in Article 32(3) are met, including that the request is reasoned and proportionate, subject to review by a court or tribunal in the third country and that the relevant legal interests protected under Union or national law are taken into account.

Although the EU Data Act formally applies within the Union, its practical effects extend beyond EU borders. Entities falling within the scope of the Regulation, including non-EU providers of data processing services offering their services in the Union, must comply with these safeguards. Furthermore, pursuant to Articles 37(11) and (12), entities that are not established in the Union are required to designate a legal representative in one of the Member States.

III. Implications for Türkiye

Turkish businesses engaging with EU partners may soon need to align their contractual infrastructure accordingly. KVKK regulates the processing of personal data but remains silent on non-personal or industrial data. Consequently, sensor data from industrial operations such as temperature readings or equipment status logs falls outside its scope, provided that such data cannot be directly or indirectly linked to an identifiable individual, as such information does not relate to an identifiable individual. Although EU Data Act does not have direct legal force in Türkiye, its effects are expected to extend across sectors that are closely integrated with the EU. Accordingly, Turkish businesses engaging with EU partners may soon need to align their contractual and technical infrastructures to meet EU Data Act's principles. Critically, Turkish companies that place connected products on the EU market or provide related services to EU customers must designate a legal representative within the EU, as required by Articles 37(11) and 37(12) of the EU Data Act.

IV. What This Means for Business

Manufacturers and service providers will need to review product design and update contractual frameworks to ensure transparent and secure data flows between users and data recipients. This may require the establishment of internal governance mechanisms, including standard templates for data-sharing agreements and systems to monitor data access and usage.

A practical example of how data-sharing ecosystems may function in a manner consistent with the objectives of the EU Data Act can be observed in the Catena-X Automotive Network, a data-sharing initiative launched by European manufacturers⁷. Catena-X enables participants across the supply chain to exchange operational and product-usage data through standardised digital interfaces. While not mandated by the Regulation, such architectures may facilitate access to data in a structured, commonly used and machine-readable format, as required under the EU Data Act.

V. Conclusion

The EU Data Act marks a significant development in the governance of industrial data. It requires manufacturers and service providers to design products and related services in a manner that enables users to access data in a structured, commonly used and machine-readable format. Early legal and technical adaptation will assist businesses in aligning with the emerging European data governance framework.

Footnotes

1. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023.

2. Under Article 2(5) of the EU Data Act, connected products are physical items whose primary function is not the storage or processing of data on behalf of third parties, but which generate, obtain or collect data concerning their use or environment and are capable of communicating such data electronically (e.g. vehicles, industrial machinery, smart home devices and other IoT-enabled equipment).

3. Under Article 2(6) of the EU Data Act, a related service is a digital service, other than an electronic communications service, including software, which is connected with a connected product at the time of its purchase, rent or lease in such a way that its absence would prevent the product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the product's functions.

4. Data Act, Article 3(1), which requires data to be provided free of charge in a comprehensive, structured, commonly used and machine-readable format.

5. Data Act Recital (8) confirms that the Regulation applies without prejudice to existing EU data protection law, including the GDPR and related instruments.

6. https://ec.europa.eu/commission/presscorner/detail/en/ip_23_4328 (last accessed 6 January 2026).

7. https://catena-x.net/about-us/ (last accessed 6 January 2026).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.