EU Data Act
Issued by: European Parliament and Council of the European Union
The EU Data Act establishes harmonised rules on access to and use of data generated by connected products and related services across the EU, addressing both personal and non-personal data. It creates new obligations for data holders to share data with users and third parties, and sets conditions for public sector bodies to access privately held data in exceptional circumstances.
Overview
Regulation (EU) 2023/2854, commonly known as the EU Data Act, entered into force on 11 January 2024 and becomes fully applicable from 12 September 2025. It forms a central pillar of the European Data Strategy alongside the Data Governance Act. The regulation applies to manufacturers of connected products placed on the EU market, providers of related services, data holders that make data available, and data recipients in the EU.

The Data Act aims to unlock the significant economic value of industrial and IoT-generated data by ensuring that users of connected products and services can access data generated through their use, and can share that data with third parties of their choosing. The regulation also introduces safeguards against unlawful international data transfers, sets limits on contractual terms in B2B data sharing arrangements, establishes rules for cloud and edge service switching, and creates a mechanism for public sector bodies to request access to privately held data during emergencies.

For AI-related compliance, the Data Act is particularly relevant because large-scale AI training pipelines often rely on data generated by connected devices. Obligations around data portability, interoperability, and third-party sharing directly affect how enterprises structure data lakes and training datasets.
Key Requirements
- Data holders must make data generated by connected products or related services available to users upon request, without undue delay and free of charge.
- Data holders must share data with third parties designated by the user, subject to agreed terms, under FRAND-equivalent conditions.
- Contracts between data holders and data recipients must not contain terms that are grossly unfair, and default rules apply when parties cannot agree.
- Public sector bodies and EU institutions may request access to privately held data in cases of public emergency, subject to strict conditions and proportionality requirements.
- Cloud service providers must enable customers to switch to alternative providers within contractual switching periods, with switching charges capped and eventually eliminated.
- Technical protection measures must not prevent lawful data access or sharing obligations imposed by the regulation.
- Data holders must implement technical and organisational measures to prevent unlawful international transfers of non-personal data.
- Interoperability requirements apply to operators of data spaces and data processing services, using harmonised standards to be developed by European standards organisations.
- Providers of smart contracts used for automated data sharing must implement kill-switch and access-control mechanisms meeting specified technical standards.
- Enforcement and penalties are set at member-state level; member states must designate competent national authorities and establish effective, proportionate, and dissuasive penalties.
What Your Organization Must Do
- Audit all connected products and related digital services placed on the EU market before 12 September 2025 to identify data flows subject to Data Act obligations, assigning a named data steward for each product line.
- Build and deploy technical interfaces allowing users to request and receive their generated data without undue delay and at no charge, ensuring these mechanisms are production-ready before the 12 September 2025 applicability date.
- Review and renegotiate all B2B data sharing contracts to remove grossly unfair terms and align with FRAND-equivalent conditions, prioritising agreements with third-party recipients who may be designated by users to receive shared data.
- Implement technical and organisational controls to block unlawful international transfers of non-personal data, including geofencing, access-control policies, and transfer-risk assessments covering non-personal data flows equivalent to those applied under GDPR for personal data.
- Map all cloud and edge service agreements to identify switching obligations, confirm that contractual switching periods and fee caps are reflected in vendor contracts, and verify that customer migration tooling meets the regulation's interoperability and timeline requirements ahead of the phased fee-elimination schedule.
- Designate a cross-functional Data Act working group, led by the Chief Compliance Officer, to liaise with the competent national authority once designated by each relevant member state, monitor enforcement guidance, and set internal penalty-exposure thresholds that trigger escalation to legal counsel.
Frequently Asked Questions
- When does the EU Data Act become enforceable for businesses?
- The Data Act entered into force on 11 January 2024 but becomes fully applicable on 12 September 2025. Companies have until that date to achieve compliance with all obligations, including data access interfaces, contract revisions, and cloud switching requirements.
- Does the EU Data Act apply to non-EU companies selling connected products in the EU?
- Yes. The regulation applies to manufacturers of connected products placed on the EU market regardless of where the manufacturer is headquartered. Non-EU companies selling IoT hardware or related digital services to EU customers are in scope and must meet the same obligations as EU-based manufacturers.
- What are the penalties for non-compliance with the EU Data Act?
- Penalty levels are set by individual member states, not fixed at the EU level. Each member state must designate a competent authority and establish penalties that are effective, proportionate, and dissuasive. Companies should monitor national implementing measures in each jurisdiction where they operate to assess their specific penalty exposure.
- How does the EU Data Act differ from the Data Governance Act?
- The Data Governance Act creates a framework for voluntary data sharing intermediaries and governs reuse of public sector data. The Data Act imposes direct mandatory obligations on private data holders to share data generated by connected products with users and third parties. The two regulations are complementary pillars of the EU Data Strategy but address distinct scenarios.
- Does the EU Data Act affect AI model training using IoT-generated data?
- Yes. AI pipelines that ingest data from connected devices are directly affected. Data holders supplying training data to AI developers must comply with user access rights, third-party sharing conditions, and restrictions on unlawful international transfers of non-personal data, which may require restructuring data lake architectures and vendor agreements.
- What obligations does the Data Act impose on cloud service providers regarding customer switching?
- Cloud providers must allow customers to switch to alternative providers within contractual switching periods, with switching charges capped and phased out entirely over time. Providers must also ensure their services meet interoperability requirements to facilitate migration, and must not use technical or contractual barriers to obstruct lawful switching.
