EU Data ACT

applies

as of today.

12. September 2025

from

Clemens Pfitzer

From September 12, 2025, the EU Data Regulation (“Data Act”) will come into force. The aim is to facilitate access to data, create fair competitive conditions and strengthen the European data economy. For companies, this means new opportunities, but also new obligations.

The Data Act

In recent years, the European Union has introduced a large number of laws to regulate the digital single market – from the Digital Services Act to the AI Regulation. A central element of this strategy is the Data Act (Regulation (EU) 2023/2854), which aims to facilitate access to data, ensure fair competition and promote innovation in the European economy.

The central question is: who owns the data generated by the use of networked products and services and who is allowed to use it? Until now, manufacturers and providers have often been in control. The Data Act strengthens the laws of users and reorganizes the obligations of companies.

Who is affected by the Data Act?

The regulation applies to a wide range of players:

• Manufacturers of networked products (e.g. smart home devices, networked vehicles, medical technology),
• Provider of connected services (cloud, apps, platforms),
• Data owners who provide data to others,
• Data recipients who use this data,
• and providers of data processing services (e.g. cloud services).

Obligations as of September 12, 2025

Many obligations arising from the Data Act will apply from 12.09.2025. Affected companies must observe and implement the resulting obligations and adapt their own business processes accordingly. These include the following obligations:

Transparency towards users

Companies must inform users of networked products clearly and comprehensibly about what data is generated, how it can be used and for what purposes the manufacturer or provider may use it.

Example: A manufacturer of medical technology (e.g. pacemakers or diagnostic systems) must inform patients and doctors which measurement data is generated, in which format it is available and how long it is stored.

Data access for users

Users have a lawful right to access the data generated by their device or service. Manufacturers must create technical interfaces through which this data can be made available.

Example: In future, a car owner must be able to read out the diagnostic data collected from their vehicle directly in order to make it available to an independent garage, for example.

Disclosure of data to third parties

At the user’s request, data must also be passed on to third parties (e.g. workshops, service providers). However, the recipients may only use this data for agreed purposes – such as repair or maintenance – and not to develop competing products.

Example: A farmer can pass on the sensor data of his networked harvester to an independent agricultural service without the manufacturer being allowed to block this transfer.

Protection of trade secrets

Data owners can take technical and organizational measures to protect business secrets. However, they must still ensure access to data if this is possible without disclosing business secrets.

Example: A manufacturer of smart home devices can anonymize data before it is passed on to a third-party provider (e.g. an energy optimization service).

Fair contractual conditions in the B2B sector

Unfair contractual clauses for data access or data use that a company unilaterally imposes will be invalid in future. This protects small and medium-sized enterprises in particular.

Example: A start-up that develops an app for analyzing fitness data must not be prevented from accessing user data by unilateral contractual conditions of the device manufacturer.

Obligations for cloud providers

Cloud and data processing services must make it easier to switch to other providers and must not hold customers back through technical or contractual hurdles.

Example: A hospital that stores patient data in a cloud must be able to migrate it more easily to another cloud service in future – without excessive fees or months of waiting.

Sanctions

Member states must define effective, proportionate and dissuasive sanctions for infringements. This puts companies at risk of severe fines, similar to the GDPR.

Regulations with a later start date

Not all provisions of the Data Act will apply from 12.09.2026. Some provisions will not come into force until later, e.g:

• Obligation to provide data from connected products: Applies only to products and services placed on the market after September 12, 2026.

• Chapter IV (unfair contract terms): Applies immediately to newly concluded contracts. For existing, open-ended or very long-term contracts, the regulation will not apply until September 12, 2027.
• Chapter III (Obligations to provide data to authorities): Only applies to new legislation that comes into force after September 12, 2025.

What should affected companies do?

Companies affected by the Data Act should – if they have not already done so – take the following steps:

• Take stock: Check which products, services and data flows are covered by the new regulations.
• Plan technical interfaces: Manufacturers of networked products should start developing APIs or other interfaces at an early stage so that users can access their data.
• Review contracts: Existing contracts with customers and business partners should be examined for possible unfair clauses. Legally compliant, transparent regulations should be created for new contracts.
• Secure data protection and trade secrets: Develop processes to anonymize personal data and technically protect trade secrets – without infringing users’ access rights.
• Rethink cloud strategy: Cloud and IT managers should examine how a change of provider can be implemented in the future and prepare exit strategies.
• Train employees: Make specialist departments, IT and legal departments aware of the new obligations in order to avoid implementation errors and sanctions.

Conclusion

We are happy to

advise you about

Data Act!

Contact form

Call now!