Understanding the EU Data Act
The European Union Data Act regulates the sharing, access and use of non-personal data generated by connected products.
It aims to unlock a competitive data market, boost innovation, and ensure fairness.
The EU Data Act represents a significant shift in data governance globally.
Impacted entities include manufacturers of connected products, providers of related services and data holders.
These businesses must be at the forefront of navigating this new terrain: both for compliance with mandatory access and for sharing requirements.
of European industrial data is unused
The EU Data Act aims to foster a competitive data market, stimulate innovation, and enhance data accessibility, particularly focusing on industrial and wider IoT data.
As the digital landscape evolves, the Act is a cornerstone regulation that transforms how data is accessed, shared, and utilised across industries.
additional GDP projected generation by 2028
Businesses seeking to innovate in data-driven services must be proactive: adaptation is key to leveraging the vast opportunities presented by the Act for tapping into newly accessible sources of data.
Entities implicated by this regulation must develop a data strategy that is compliant, efficient, and competitive.
The EU Data Act applies across sectors and technologies related to the Internet of Things, covering users and data recipients based in the EU, as well as companies, manufacturers, and data holders located outside the EU if they offer services or share data within the Single Market.
The EU Data Act introduces a new data access flow with impacting all stakeholders in a connected data ecosystem.
While the User is the central player who may control the use of data generated by their connected products and related services, it is the Data Holder (often the Manufacturer of these products and services) that is subject to the requirements of the EU Data Act.
The Connected Product or Related Service (for example, industrial machinery, vehicles or home devices) generates data by use, which typically flows to the Data Holder.
Direct access rights (Art. 3) ensure the User (an individual or entity that owns, rents, or leases the product) can access this data and permit its use.
Users are granted both B2B and B2C access rights, enabling agreements (data licenses) with the Data Holder to share data.
Data Recipients or Third Parties, such as aftermarket service providers or spare parts manufacturers, can request data sharing upon the User's agreement.
The Public Sector Body may demand access to data in cases of exceptional need.
Data: What's in scope?
"Data" means any digital representation of acts, facts, or information, as well as any compilation of such acts, facts, or information, including in the form of sound, visual, or audio-visual recordings.
The scope includes data recorded intentionally or generated indirectly from user actions, including data about the product’s environment, user interactions, or related services. It covers data from sensors, embedded applications (such as hardware status or malfunctions), periods of user inaction (e.g., stand-by mode), as well as both raw and pre-processed data.
Intentionally recorded data
Data indirectly generated by user activity
Data generated automatically (sensors)
Data recorded by embedded apps
Data created during times of user inaction
Raw data and pre-processed data
Data: What isn't in scope?
Derived data refers to information inferred or extracted from raw data through additional investments, often using proprietary and complex algorithms.
For example, data generated by sensor fusion with proprietary software. Data unrelated to the product includes any data a connected product generates when a user records, transmits, displays, or plays content, as well as the content itself; this encompasses data within proprietary software and content that is not collected by embedded sensors.
Non-retrievable data is data produced during product use that the manufacturer has intentionally designed to be inaccessible, meaning it cannot be retrieved through electronic communications services, physical connections, or on-device access.
Most rights and obligations within the EU Data Act will apply by 12 September 2025, with data access by design applicable from 12 September 2026, and the unfair contractual terms regime applicable from 12 September 2027.
Extraterritorial Effect
This Regulation has extraterritorial effect, meaning it applies beyond the borders of the Union.
It extends to manufacturers of connected products that are placed on the Union market and to providers of related services, regardless of where those manufacturers or service providers are established. It also applies to data holders, irrespective of their place of establishment, if they make data available to recipients in the Union.
Similarly, providers of data processing services fall within the scope of the Regulation if they offer such services to customers in the Union, regardless of their location.
However, the Regulation does not have extraterritorial effect in relation to users located in the Union who use connected products or related services, nor does it extend to data recipients in the Union to whom data is made available.
Manufacturers of connected products placed on the Union market and providers of related services, regardless of their place of establishment
Data holders, irrespective of their place of establishment, that make data available to data recipients in the Union
