The Data Act
What is the purpose of the Data Act?
The Data Act is an EU Regulation (No. 2023/2854), which means it takes direct effect across all EU Member States without the need for national legislative action. It determines who can profit and create value from data by giving individuals and businesses the right to access the data produced through their use of smart objects, machines and devices.
The Data Act aligns with the EU's broader digital strategy, which aims to create a single European data space. It also complements the EU Data Governance Act, which establishes clear rules and standards for data governance and interoperability across key sectors.
Key provisions
The Data Act creates rules around the permissible use of personal and non-personal data, particularly in the context of the growth of the Internet of Things (connected devices). The new rules seek a seamless transfer of valuable data between data holders (typically the company that makes the connected product or that provides a related service) and users (any legal or natural person who owns a connected product) while upholding its confidentiality.
The rights created by the Data Act will apply to all raw and preprocessed data generated from the use of a connected product or a related service that is readily available to the data holder.
The Data Act contains provisions on B2B and B2C data sharing as well as data sharing between businesses and government, creating obligations under law to share data in some contexts, including rights for public bodies to request access to data in emergency situations. It also contains protections against unfair contract terms, and rights in relation to interoperability standards for switching between digital service providers (eg cloud services).
The European Commission will develop model contract clauses to help market participants draft and negotiate fair data sharing contracts.
Where will the Data Act apply?
It applies to businesses including non-EU established entities that make connected products or relevant services available in the EU. Non-EU entities falling within scope will be required to appoint an EU representative.
Who will have obligations under the Data Act?
Companies operating within the EU and offering connected products or relevant services must meet the requirements of the Data Act. Small and microenterprises have fewer, less onerous obligations to meet. Public sector bodies must also adhere to the Act's requirements when sharing and using data. Some limitations and exemptions apply for the protection of trade secrets and personal data, and to avoid adverse effects on the health, security or safety of people.
Are there sanctions for non-compliance?
The Data Act establishes enforcement mechanisms and requires Member States to appoint competent authorities to ensure compliance with its provisions. Those authorities will set penalties for non-compliance, which should be effective, proportionate, and dissuasive.
Member States may also set up certified dispute settlement bodies to assist parties that cannot agree on fair, reasonable and non-discriminatory terms for making data available. Parties are free to address any dispute settlement body – either in the Member State in which they are established or in another.
Key dates and deadlines
- 12 September 2025 – the Data Act becomes applicable and can be enforced.