For some time, the EU’s Data Act remained under the radar for many in the business community. This is about to change – are you and your company ready?
The core obligations of the Data Act are set to take effect in September 2025. Companies in the Internet of Things (IoT) sector are beginning to realize how significant and transformative this regulation will be.
Whether you manufacture connected products, rely on data for business services, or build applications around smart devices, this regulation will change the way you collect, share, protect, and commercialize data.
And yes — you will probably need to update your contracts, data routines, and IP strategy in a big way.
Officially known as Regulation (EU) 2023/2854, the Data Act is part of the EU’s broader digital strategy. The objective of the regulation is to make data easier to use and share by removing barriers and giving fair access to everyone in the data economy.
Critically, it empowers users of connected products and related services — both consumers and businesses — to access the data generated by their use of IoT devices. This includes everything from smart thermostats and connected vehicles to agricultural machines and industrial robotics.
According to the regulation, this data must be made available to users in a structured, commonly used, machine-readable format — either directly through digital interfaces (like APIs) or, if that’s not possible, indirectly upon request.
A key feature of the regulation is its move to directly regulate private B2B contracts — a rare step by the EU aimed at preventing unfair terms in commercial agreements.
In accordance with the regulation, parties to a contract may no longer impose non-negotiable ‘take-it-or-leave-it’ clauses when data sharing is required by law. These include clauses that, for instance, unjustifiably exclude liability, shift costs unfairly, or limit users’ rights to access or share data. Such terms will be considered unfair and non-binding.
Instead, all mandated data sharing, i.e. between manufacturers and service providers or users and service providers, must be governed by FRAND terms (Fair, Reasonable, and Non-Discriminatory).
For businesses, this means a careful audit of data-sharing agreements is needed, particularly when you act as a data holder under the regulation, i.e. the IoT manufacturer, service provider or any other entity that holds the right to use and make data available to the user. Failure to adapt contracts could expose you to compliance risks and commercial disputes.
The Data Act mandates access to what it calls “readily available data” — typically raw or pre-processed data and metadata that a connected product or related service naturally collects during use.
Think: sensor outputs like temperature, motion, liquid levels, or GPS data. This information must be made accessible to the user, along with sufficient context (metadata) to interpret it.
However, the regulation does not require businesses to disclose, e.g.:
This division is key for businesses that rely on proprietary analytics, algorithms, or enriched datasets. While you must be transparent about the raw data collected, your intellectual property remains protected, provided you clearly separate it from the shared data.
Another key rule allows users to give third parties — like repair shops, aftermarket developers, or software providers — access to their data from the data holder.
But there are limits.
Companies designated as gatekeepers under the EU Digital Markets Act — like Amazon, Google, or Meta — are explicitly excluded from leveraging this access, in an effort to prevent further market concentration.
Further, the regulation prohibits:
So, while users are free to use their data for innovation, including through third-party services, they cannot do so to undermine the competitive position of the data holder. This offers much-needed commercial protection for IoT manufacturers and service providers.
The Data Act walks a fine line with privacy — complementing the General Data Protection Regulation (GDPR) rather than overriding it.
Here is what businesses need to know:
Importantly, the Data Act introduces new obligations without reducing individuals’ rights under the GDPR. Businesses must now handle both personal and non-personal data more carefully, making sure privacy is built into their data-sharing systems from the start.
Moreover, companies must adhere to principles such as data minimization, both in what they collect and how long they retain it. This may affect logging practices, access interfaces, and user verification systems.
The regulation acknowledges that some shared data may qualify as trade secrets. In such cases, data holders are allowed to:
The balance here is clear: Trade secrets are protected but cannot be used as a blanket excuse to deny access where the regulation applies.
This makes contractual arrangements and protective measures critical to risk management. While demonstrating serious economic harm may be imperative, trade secrets are often treated as an afterthought.
Trade secrets should be routinely identified and documented to successfully leverage their value.
The Data Act also targets vendor lock-in. It requires service providers (like cloud platforms or edge computing services) to make switching between providers easier, without loss of data, functionality, or uptime.
Providers must:
Companies in IoT, cloud, edge computing, and SaaS must invest in data portability tools and standard formats. They also need clear switching policies and solid contractual terms. For users, this means more choice and better bargaining power.
The Data Act is not just another compliance obligation. It’s a structural shift in how Europe treats data — as a shared, regulated asset rather than a private commodity. For businesses in the IoT and data economy, this means risk and opportunity in equal measure.
If you embrace the change and align your contracts, systems, and governance with the regulation, you’ll not only stay compliant — you’ll position your business at the forefront of Europe’s next digital revolution.