EU Data Act

Data Act · European Parliament and Council of the European Union

The EU Data Act establishes harmonised rules on access to and use of data generated by connected products and related services across the EU, addressing both personal and non-personal data. It creates new obligations for data holders to share data with users and third parties, and sets conditions for public sector bodies to access privately held data in exceptional circumstances.

Overview

Regulation (EU) 2023/2854, commonly known as the EU Data Act, entered into force on 11 January 2024 and becomes fully applicable from 12 September 2025. It forms a central pillar of the European Data Strategy alongside the Data Governance Act. The regulation applies to manufacturers of connected products placed on the EU market, providers of related services, data holders that make data available, and data recipients in the EU. The Data Act aims to unlock the significant economic value of industrial and IoT-generated data by ensuring that users of connected products and services can access data generated through their use, and can share that data with third parties of their choosing. The regulation also introduces safeguards against unlawful international data transfers, sets limits on contractual terms in B2B data sharing arrangements, establishes rules for cloud and edge service switching, and creates a mechanism for public sector bodies to request access to privately held data during emergencies. For AI-related compliance, the Data Act is particularly relevant because large-scale AI training pipelines often rely on data generated by connected devices. Obligations around data portability, interoperability, and third-party sharing directly affect how enterprises structure data lakes and training datasets.

Key Requirements

•Data holders must make data generated by connected products or related services available to users upon request, without undue delay and free of charge.
•Data holders must share data with third parties designated by the user, subject to agreed terms, under FRAND-equivalent conditions.
•Contracts between data holders and data recipients must not contain terms that are grossly unfair, and default rules apply when parties cannot agree.
•Public sector bodies and EU institutions may request access to privately held data in cases of public emergency, subject to strict conditions and proportionality requirements.
•Cloud service providers must enable customers to switch to alternative providers within contractual switching periods, with switching charges capped and eventually eliminated.
•Technical protection measures must not prevent lawful data access or sharing obligations imposed by the regulation.
•Data holders must implement technical and organisational measures to prevent unlawful international transfers of non-personal data.
•Interoperability requirements apply to operators of data spaces and data processing services, using harmonised standards to be developed by European standards organisations.
•Providers of smart contracts used for automated data sharing must implement kill-switch and access-control mechanisms meeting specified technical standards.
•Enforcement and penalties are set at member-state level; member states must designate competent national authorities and establish effective, proportionate, and dissuasive penalties.

Who It Affects

Manufacturers of IoT and connected hardware products placed on the EU marketProviders of related digital services tied to connected productsEnterprises holding data generated by connected products (data holders)Cloud and edge computing service providers operating in the EUEnterprises that receive data under B2B sharing arrangements (data recipients)Public sector bodies and EU institutions seeking emergency access to private dataOperators of data spaces and data intermediariesAny enterprise using smart contracts for automated data sharing or licensingAI developers and data scientists who source training data from connected-device pipelines

Effective Date

2024-09-12

Official source →