The EU Data Act entered into force on 11 January 2024 and began to apply from 12 September 2025 in all EU Member States.
What is Data Act?
The EU Data Act is a comprehensive European Union law that regulates access, use, and sharing of data, especially that generated through connected devices (IoT) and digital services.
It is part of a broader European strategy for data with the aim of creating a single market for data.
Purpose of Data Act
- Fair distribution of data value among all actors in the data economy.
- Increasing the availability of data, especially that generated through connected devices (IoT).
- Protecting small and medium-sized enterprises from unfair contract terms.
- Enabling switching between data processing service providers (e.g. cloud services).
- Protecting data from unlawful access by third countries.
It is part of the European strategy for data together with laws such as:
- Data Governance Act
- Digital Services Act
- Digital Markets Act
- AI Act
- NIS2 Directive
Why the Data Act?
The Data Act is designed to improve the EU data economy and foster a competitive data market by increasing the availability and usability of data (industrial data), fostering data-driven innovation and increasing the availability of data.
To achieve this, the Data Act ensures a fair distribution of data value among actors in the data economy. It clarifies who can use which data and under what conditions.
Data law gives users of connected products (businesses or individuals who own, rent, or lease such a product) more control over the data they generate, while maintaining incentives for those who invest in data technologies. It also sets out the general conditions for situations where a company has a legal obligation to share data with another company.
The Data Act also includes measures to increase fairness and competition in the European cloud market and to protect companies from unfair contract terms related to data sharing imposed by more powerful actors. It also establishes a mechanism through which public sector bodies can request data from companies if there is an exceptional need, for example in emergency situations, and sets out clear rules on how such requests should be made.
Safeguards are also put in place to prevent non-personal data from being accessed by third-country authorities if this would be contrary to EU or national law. Finally, the Data Act sets out key interoperability requirements to ensure the smooth flow of data between sectors and Member States, which is facilitated by common European data spaces, as well as between data processing service providers.
Chapters of the Data Act
In line with the general provisions defining the scope of the Regulation and defining key terms, the Data Act is structured in 9 chapters.
1. General Provisions
- Defines the scope and key terms
2. Business-to-consumer data sharing in the context of IoT
Goal: Allow users (individuals and businesses) to access data generated by related products and services.
- Users (individuals and businesses) have the right to access data generated by their connected devices (e.g. smartwatches, cars, industrial machinery)
- They may share this data with third parties (e.g. services, insurers)
- the right to free access in a machine-readable format
Example:
A washing machine user can install an app that measures the environmental impact of wash cycles using sensors in the machine. This application is a connected service, and the user has the right to the data it generates.
If someone buys a smart refrigerator and uses a temperature control app, the data from the refrigerator and the app belongs to the user, who can share it with a third party (e.g. a service center).
3. Mandatory exchange of data between companies
Goal: To regulate situations where the law requires that one company must share data with another.
- Data owners must make it available to other companies.
- They may claim reasonable remuneration, except from SMEs and non-profit organisations, which are charged only technical costs.
Example:
The manufacturer of an industrial machine must share data with the company using that machine if required by law but may seek compensation for the technical costs of the transmission.
4. Protection against unfair contract terms
Goal: To protect weaker parties (SMEs) from unilaterally imposed conditions in data access contracts.
- Small and medium-sized enterprises (SMEs) are protected from unfavourable conditions in data sharing agreements.
Example:
Unilaterally imposed ‘take it or leave it’ clauses may, if they relate to making data available, be subjected to an unfairness test.
5. Sharing data between businesses and the public sector
Goal: To provide public authorities with access to data in emergency situations or when it is necessary for the public interest.
- In emergency situations (floods, pandemics), public institutions can request access to data from the private sector
Example:
During a flood, the public administration can request water level data from private sensors.
In non-urgent cases, aggregated GPS data may be requested to optimize traffic.
6. Switching between data processing service providers (cloud switching)
Goal: To enable a competitive market on the one hand and the smooth and easy transition of service users from one service provider to another. Change should be fast, free and fluid.
Example:
The company wants to transfer data from one cloud service to another without losing data or applications.
The new regulations prohibit high data egress fees.
7. Unlawful access to data by third countries
Goal: To prevent foreign governments from gaining access to non-personal data stored in the EU, if this is not in line with EU law.
Example:
The US agency requests data from EU cloud services – the request is rejected if it does not comply with EU legislation.
8. Interoperability
Goal: To ensure technical compatibility between systems and service providers so that data can flow freely within and between sectors.
- The law prescribes technical requirements for interoperability to enable easier data transfer between different systems and service providers (e.g. cloud services), thus stimulating competition and reducing dependence on a single provider.
Examples:
Standardization of data formats in healthcare so that hospitals can exchange data.
The EU will set up a repository of technical standards for interoperability.
9. Implementation and supervision
Goal: Each Member State must designate one or more competent authorities to enforce the Act. If there will be more than one competent authority, the Member State must appoint one as a “Data Coordinator” who will also act as a single point of contact for all matters related to the implementation of the Data Act at national level.
Conclusion
The Data Act is a key step towards creating a single market for data in the EU. Combined with the previous Data Governance Act, it enables a more transparent, secure and fair use of data for the benefit of citizens, businesses and public institutions.
EU Data Act and GDPR
The Data Act is fully compliant with data protection rules, particularly the General Data Protection Regulation. If the user is not the data subject whose data is requested, the personal data may only be made available if there is a valid legal basis (e.g. consent). This is important to consider because co-generated data often contains both personal and non-personal data, which can be difficult to separate.
The Data Act and the GDPR are complementary – the Data Act encourages the sharing and use of data, but always while respecting the personal data protection rules of the GDPR.
In case of any conflict, the GDPR takes precedence and protects the rights of individuals.
Companies must at all times carefully distinguish between personal and non-personal data and ensure that any processing of personal data complies with the GDPR.
*Source: Data Act explained | Shaping Europe’s digital future
