Glossary · EU Data Regulation Data Act
The 2024 EU regulation establishing rights to access and use data generated by IoT devices and connected products, addressing non-personal data alongside GDPR's personal data focus.
## What the Data Act actually does
The Data Act (Regulation (EU) 2023/2854) is the EU's regulation governing access to and use of data generated by connected products and related services. It entered into force in January 2024, with most provisions applying from September 2025.
Where GDPR addresses personal data, the Data Act addresses **non-personal data** generated by IoT devices and connected products. The Act creates rights for users (consumers and businesses) to access data their devices generate and to share that data with third parties they choose.
## Why the Data Act exists
The Act emerged from operational concerns about data control in the IoT economy:
**1. Data lock-in by manufacturers.** When a connected car generates data about driving patterns, that data has typically been controlled exclusively by the car manufacturer. Repair shops, insurance providers, and after-market service providers couldn't access it without manufacturer cooperation.
**2. After-market service competition.** Restricted data access has limited competition in IoT-related services (repair, insurance, fleet management, etc.). The Data Act addresses this by creating data portability rights for connected products.
**3. Competition policy concerns.** Vertical integration around data (manufacturer → device → data → after-market services) created competition concerns. The Data Act addresses this through unbundling.
**4. AI training data needs.** AI systems benefit from access to operational data. The Data Act creates legal frameworks for sharing this data with appropriate safeguards.
## Core obligations
The Data Act imposes several categories of obligations:
### Right to access generated data
Users (the people or businesses operating connected products) have the right to access data their devices generate. Manufacturers must:
- Make data accessible by default (or upon request)
- Provide data in machine-readable format
- Cover the data generated, not just configured outputs
- Offer access at no charge or at fair, reasonable costs
### Right to share data with third parties
Users can authorize third parties to receive data their devices generate. Manufacturers must:
- Enable such sharing without obstruction
- Provide direct data access mechanisms
- Allow users to choose data recipients freely
### Restrictions on competing with users
Manufacturers cannot use device-generated data to compete with users in after-market services. The Data Act prevents using customer data to disadvantage customer-chosen service providers.
### Cloud switching rights
The Data Act includes provisions on cloud service portability — addressing concerns about data lock-in at cloud provider level. Cloud providers must:
- Enable customer data portability
- Reduce switching costs (eliminated for some customer types)
- Provide clear contract terms about data access
- Support standard formats and protocols
### Business-to-government data access
In specific exceptional circumstances (public emergencies, public-sector tasks of public interest), governments can require business data sharing. This is heavily constrained — the Act sets clear limits to prevent expansion.
## Why this matters for European businesses
The Data Act creates several practical implications:
### For IoT product manufacturers
If you sell connected products in the EU (consumer or B2B), Data Act compliance is mandatory:
- Build data access mechanisms into product architecture
- Document data generation patterns
- Enable user-directed data sharing with third parties
- Avoid using product data to compete with users in after-market services
This is substantial product engineering work. New products designed since 2024-2025 typically build Data Act compliance in; legacy products often need significant retrofitting.
### For after-market service providers
If you provide services that depend on data from connected products (repair, insurance, fleet management, agricultural services, etc.), the Data Act creates new opportunities:
- Request data access on behalf of customers
- Build services that leverage previously-locked data
- Compete more effectively with manufacturer-affiliated services
### For cloud providers and customers
Cloud switching provisions create operational implications:
- Cloud providers must reduce switching friction
- Customer-side architecture should consider portability requirements
- Multi-cloud strategies become operationally easier
### For data spaces
The Data Act enables broader data exchange ecosystems. Industry-specific data spaces (Catena-X for automotive, Manufacturing-X for manufacturing, etc.) gain stronger legal foundation under the Act.
## The relationship to GDPR
The Data Act and GDPR are complementary but distinct:
**GDPR**: addresses personal data (data relating to identifiable natural persons)
**Data Act**: addresses non-personal data (machine-generated data, sensor data, operational data)
When data is personal under GDPR (e.g., driving patterns linked to specific individuals), GDPR applies and Data Act provisions are subordinate. When data is non-personal (aggregated machine sensor data, technical parameters), Data Act provisions apply primarily.
In practice, IoT data often contains both personal and non-personal elements. Compliance requires applying both regulations appropriately.
## Penalty structure
Data Act enforcement uses national supervisory authorities designated by member states. Penalties are determined at national level but the Act allows substantial penalties for non-compliance.
For SMEs, the Act includes various proportionality provisions and exemptions to avoid disproportionate compliance burden on smaller businesses.
## What's been delivered through 2026
Mid-implementation status:
**Operational:**
- Most connected product manufacturers have implemented baseline Data Act compliance
- Data sharing requests are being made and processed
- After-market service providers are building data-leveraging services
- Cloud switching provisions are creating real switching activity
**Still developing:**
- Industry-specific data spaces continue to mature
- Standardized data formats and APIs are being defined
- Cross-border enforcement coordination
- AI training use cases under Data Act framework
## Cloud-specific provisions matter most
For most European tech buyers, the Data Act's cloud switching provisions are the most operationally relevant. The Act has accelerated the movement away from cloud lock-in by:
- Reducing legal uncertainty about cloud switching
- Requiring providers to enable portability
- Eliminating switching fees for some customer types
- Creating standard format support
This complements the broader European cloud sovereignty story — making it operationally easier to move workloads from US hyperscalers to European cloud providers.
## What 2026-2027 brings
- **Continued enforcement maturation** as national supervisory authorities establish patterns
- **Standardization work** on data formats and APIs
- **Industry-specific data spaces** continuing development (Catena-X, Manufacturing-X expanding)
- **AI Act intersection** — AI training use cases under Data Act framework
- **Cross-border enforcement coordination** as more cases emerge
The Data Act will continue evolving. Its interaction with the AI Act, GDPR, and sector-specific regulations will be the ongoing implementation story.
## Practical implications
For European businesses:
1. **If you sell connected products** — Data Act compliance is non-negotiable; build it in
2. **If you provide after-market services** — leverage Data Act access rights
3. **If you use cloud services** — cloud switching rights make portability strategically easier
4. **If you participate in industry data spaces** — Data Act provides stronger legal foundation
5. **If you're a B2B SaaS** — your cloud-deployed offerings should support Data Act portability requirements
The Data Act is less famous than GDPR but increasingly operationally relevant. For European tech ecosystem development, its long-term impact may be substantial.
Was this helpful?
Thanks for your feedback!