For some time, the EU’s Data Act remained under the radar for many in the business community. This is about to change – are you and your company ready?
The core obligations of the Data Act are set to take effect in September 2025. Companies in the Internet of Things (IoT) sector are beginning to realize how significant and transformative this regulation will be.
Whether you manufacture connected products, rely on data for business services, or build applications around smart devices, this regulation will change the way you collect, share, protect, and commercialize data.
And yes — you will probably need to update your contracts, data routines, and IP strategy in a big way.
What Is the Data Act Really About?
Officially known as Regulation (EU) 2023/2854, the Data Act is part of the EU’s broader digital strategy. The objective of the regulation is to make data easier to use and share by removing barriers and giving fair access to everyone in the data economy.
Critically, it empowers users of connected products and related services — both consumers and businesses — to access the data generated by their use of IoT devices. This includes everything from smart thermostats and connected vehicles to agricultural machines and industrial robotics.
According to the regulation, this data must be made available to users in a structured, commonly used, machine-readable format — either directly through digital interfaces (like APIs) or, if that’s not possible, indirectly upon request.
Contracting Under the Data Act: New Rules for B2B Deals
A key feature of the regulation is its move to directly regulate private B2B contracts — a rare step by the EU aimed at preventing unfair terms in commercial agreements.
In accordance with the regulation, parties to a contract may no longer impose non-negotiable ‘take-it-or-leave-it’ clauses when data sharing is required by law. These include clauses that, for instance, unjustifiably exclude liability, shift costs unfairly, or limit users’ rights to access or share data. Such terms will be considered unfair and non-binding.
Instead, all mandated data sharing, i.e. between manufacturers and service providers or users and service providers, must be governed by FRAND terms (Fair, Reasonable, and Non-Discriminatory).
For businesses, this means a careful audit of data-sharing agreements is needed, particularly when you act as a data holder under the regulation, i.e. the IoT manufacturer, service provider or any other entity that holds the right to use and make data available to the user. Failure to adapt contracts could expose you to compliance risks and commercial disputes.
Data Accessibility: Not All Data Is Equal
The Data Act mandates access to what it calls “readily available data” — typically raw or pre-processed data and metadata that a connected product or related service naturally collects during use.
Think: sensor outputs like temperature, motion, liquid levels, or GPS data. This information must be made accessible to the user, along with sufficient context (metadata) to interpret it.
However, the regulation does not require businesses to disclose, for example:
- Data that results from significant enrichment (e.g. AI-driven insights)
- Information protected by intellectual property rights (e.g. proprietary algorithms or copyrighted content such as databases or source code)
- Content stored or processed on behalf of third parties, such as through cloud services.
This division is key for businesses that rely on proprietary analytics, algorithms, or enriched datasets. While you must be transparent about the raw data collected, your intellectual property remains protected, provided you clearly separate it from the shared data.
Third-Party Access and Competition
Another key rule allows users to give third parties — like repair shops, aftermarket developers, or software providers — access to their data from the data holder.
But there are limits.
Companies designated as gatekeepers under the EU Digital Markets Act — like Amazon, Google, or Meta — are explicitly excluded from leveraging this access, in an effort to prevent further market concentration.
Further, the regulation prohibits:
- Using accessed data to build competing products
- Extracting insights into the economic performance or business operations of the data holder.
So, while users are free to use their data for innovation, including through third-party services, they cannot do so to undermine the competitive position of the data holder. This offers much-needed commercial protection for IoT manufacturers and service providers.
Privacy and Data Protection: Complementing the GDPR
The Data Act walks a fine line with privacy — complementing the General Data Protection Regulation (GDPR) rather than overriding it.
Here is what businesses need to know:
- Where personal data is involved, businesses must still comply with privacy obligations, such as GDPR requirements, including having a valid legal basis for processing data.
- If the user requesting data is not the data subject, consent or another legal basis is required.
- Data holders may need to anonymize or restrict personal data access to comply with privacy obligations.
- Third parties receiving data must use it solely for the agreed purpose and may not profile individuals unless strictly necessary.
- Users must be able to revoke consent and/or access as easily as they grant it, and businesses cannot use dark patterns or coercion to influence these choices.
Importantly, the Data Act introduces new obligations without reducing individuals’ rights under the GDPR. Businesses must now handle both personal and non-personal data more carefully, making sure privacy is built into their data-sharing systems from the start.
Moreover, companies must adhere to principles such as data minimization, both in what they collect and how long they retain it. This may affect logging practices, access interfaces, and user verification systems.
Protecting Trade Secrets Under the Data Act
The regulation acknowledges that some shared data may qualify as trade secrets. In such cases, data holders are allowed to:
- Request confidentiality agreements;
- Apply access restrictions or technical safeguards;
- Refuse access if they can demonstrate that disclosure would cause serious economic harm — but only in exceptional circumstances and subject to oversight.
The balance here is clear: Trade secrets are protected but cannot be used as a blanket excuse to deny access where the regulation applies.
This makes contractual arrangements and protective measures critical to risk management. While demonstrating serious economic harm may be imperative, trade secrets are often treated as an afterthought.
Trade secrets should be routinely identified and documented to successfully leverage their value.
Switching Cloud- and Data Service Providers
The Data Act also targets vendor lock-in. It requires service providers (like cloud platforms or edge computing services) to make switching between providers easier, without loss of data, functionality, or uptime.
Providers must:
- Allow contract termination without penalty;
- Transfer user data and digital assets upon request;
- Ensure technical interoperability between platforms;
- Cooperate in good faith with the receiving service provider.
Companies in IoT, cloud, edge computing, and SaaS must invest in data portability tools and standard formats. They also need clear switching policies and solid contractual terms. For users, this means more choice and better bargaining power.
Preparing Your Business for the Data Act
With enforcement just around the corner, now is the time for IoT and data-intensive companies to act. Here’s how to prepare:
- Review and revise your contracts — especially those involving B2B data access or cloud services.
- Map your data flows — distinguish between raw data, personal data, and IP-protected content.
- Update your user interfaces and APIs — to support data access, sharing, and switching.
- Reinforce your IP and confidentiality strategies — particularly where proprietary systems are involved.
- Ensure GDPR compliance — especially in cases of third-party data access and cross-border processing.
Final Thoughts
The Data Act is not just another compliance obligation. It’s a structural shift in how Europe treats data — as a shared, regulated asset rather than a private commodity. For businesses in the IoT and data economy, this means risk and opportunity in equal measure.
If you embrace the change and align your contracts, systems, and governance with the regulation, you’ll not only stay compliant — you’ll position your business at the forefront of Europe’s next digital revolution.