The EU Data Act: Mandating Access and Use

The EU Data Act was adopted in 2023 and is coming into force in September 2025. The Act sets clear rules on data access, sharing, and use across various sectors. Its goal is to enhance the free and fair sharing of data while protecting consumers and businesses. Its objectives also include promoting data-driven innovation and economic growth by mandating access and facilitating seamless data sharing.

The act ensures data portability and interoperability by setting standards for data portability and promoting interoperable data formats.

This legislative framework also enhances compliance by introducing standardized data exchange agreements and promoting voluntary agreements. In case of disagreements, such agreements will become mandatory.

The EU Data Act is complex legislation, and businesses and individuals need to understand it and prepare for its implementation. Let’s delve deeper into its implications.

What Is the EU Data Act?

The EU Data Act is an EU regulation designed to create a competitive and innovative data market by making data more accessible and usable. This framework aims to foster data access and data sharing, particularly industrial data, encouraging data-driven innovation and increasing data availability within the European Union, particularly in sectors of connected devices, IoT, AI, and related products.

The Act focuses on data generated by connected products, related devices, and cloud services in business-to-business (B2B) as well as business-to-consumer (B2C) contexts. Unlike the GDPR, which focuses on personal data protection, the EU Data Act emphasizes fair access and use of industrial and non-personal data. It is intended to give users, both businesses and consumers, the right to access, use, and share this data freely using standardized data sharing formats.

The EU Data Act becomes applicable on September 12, 2025.

Key Objectives of the EU Data Act

The EU Data Act was created to fulfill several main objectives:

  • Guarantee fair access to data
    The EU Data Act aims to ensure fair access to and use of data for individuals and businesses. It aims to solve potential imbalances of knowledge and power between data holders and users, and to prevent market concentration and dependency on large cloud providers.
  • Enhance data accessibility
    The EU Data Act aims to provide fair access to data for individuals and businesses, particularly data generated by connected devices and services.
  • Promote data sharing
    The Data Act aims to enhance data portability and interoperability across platforms by establishing rules for the sharing of data between data holders and recipients. It presents provisions and standards for data portability and interoperability, introduces standardized data exchange agreements, and promotes voluntary agreements.
  • Foster innovation
    By making data more readily available to everyone, the Data Act seeks to stimulate innovation in IoT, AI, and smart services and the development of new data-driven products and services.
  • Prevent market concentration
    The Data Act aims to create equal rights and competitive advantages for businesses of all sizes by preventing market concentration and dependency on large cloud providers.
  • Protect user rights
    The Act aims to protect user rights, including users' ability to access, use, and share data generated by their connected devices and services.

By setting these principles, the EU Data Act aims to mandate access and use of data, balancing the interests of data holders and data users.

Who Is Affected by the EU Data Act?

The EU Data Act has a broad application across the EU economy. Main stakeholders include:

  • Manufacturers of connected devices
    Manufacturers of connected devices (IoT, smart devices, automotive, healthcare) are affected the most since they have to implement the requirements of the Act such as data sharing infrastructure and uniform formats.
  • Businesses using connected devices
    Businesses using connected devices or IoT products to generate operational data also have to implement data sharing practices and interoperability.
  • Cloud service providers
    Cloud service providers, especially huge ones, should have the same rights for huge databases as small businesses.
  • Consumers
    Consumers benefit from the act by gaining more control over data generated by their devices.
  • Public sector
    Public sector organizations also need to adapt their data access and usage practices to comply with the Act.

This wide scope ensures that both businesses and consumers benefit from fairer access to valuable data.

Data Sharing and Access Requirements of the EU Data Act

The data sharing and access rights are designed to allow users to transfer their usage data to alternative providers of the same product or service, or to analytical services that empower users to analyze and optimize their use of the relevant product or service.

The Act sets the obligation for businesses to provide data to the user upon request. In addition, Article 5 of the Act requires data holders to provide "readily available data" to third parties after a request from the user.

The "readily available data" that must be made available to third parties comprises:

  1. Product data
    Product data is data generated when using the connected product that is designed to be retrievable via an electronic communications service, physical connection or on-device access.
  2. Related service data
    Related service data is data about the usage of the product and events related to the connected product. Such data could be recorded intentionally by the user or generated as a by-product of the user's behavior.
  3. Metadata
    This type of data is necessary to analyze and optimize the above-mentioned categories of data.

Data holders must provide access to data generated by connected products and services. This access must be:

  • Free of charge.
  • In a comprehensive, structured, and machine-readable format.
  • Continuous and in real time (where technically feasible).
  • Fair, reasonable, and non-discriminatory.
  • Secure, respecting trade secrets and privacy.

Businesses must provide such types of data on request in a readable format only when it does not require disproportionate effort. This means that users can request raw and unprocessed data. Derived and processed data is out of scope, and businesses have no obligation to provide it.

For example, a car manufacturer must give the vehicle owner or another third party access to the car’s technical data and settings for repair, maintenance, or service optimization. The car manufacturer must also share car usage data with the owner’s insurance company.

The data needs to be made available online without undue delay. Preferably, the data could be shared online in real time.

The Role of Businesses and Consumers

Data sharing and access requirements under the EU Data Act will affect businesses and consumers, providing benefits and obligations.

Obligations and benefits for businesses

For businesses, the EU Data Act has both obligations and benefits.

The Act places significant obligations on businesses, primarily focusing on data access, sharing, and interoperability. Data holders must make data accessible to other businesses and public authorities, implement data portability requirements between service providers, and ensure their systems are interoperable. Furthermore, businesses must be prepared for potential data requests from public authorities, especially in emergencies.

On the other hand, the Act presents many benefits for businesses, especially when operating with connected devices or IoT devices. By seamlessly sharing the data of connected devices or IoT products with manufacturers, the EU Data Act empowers businesses to use industrial data for product improvements, analytics, and product or service innovation.

Implications for cloud providers and IoT devices

The aim of the Act is to make the European cloud market more competitive. Thus, the EU Data Act targets cloud providers by introducing obligations on data portability and the possibility to switch between cloud services. This empowers consumers by preventing dependency on a single provider.

The regulation requires IoT manufacturers to design devices that can share data easily with users and third parties upon request. This requirement affects product design and development from the initial stages, changing the business ecosystem and fostering innovation.

Benefits for consumers

Consumers will benefit from the EU Data Act. The Act states that end-users have the right to share their data with third parties of their choice. It prevents vendor lock-in and fosters competition, providing the opportunity to change service providers and enhancing transparency.

Fines for Violating the EU Data Act

If a data holder fails to comply with the EU Data Act or refuses to make data from its connected devices publicly available, it will receive fines or penalties.

Each EU Member State will have to decide the maximum penalty for failing to comply with the data sharing provisions. However, they can impose a fine not greater than €20 million or 4% of the total worldwide annual turnover.

How Does the EU Data Act Interact with GDPR?

The EU Data Act and GDPR are complementary.

Note that the EU Data Act does not provide a legal basis to share data with third parties, so businesses are still required to comply with the GDPR.

The GDPR protects personal data, which could be provided in a readable format upon the user’s request, only in cases when the user is the data subject. If the user is not the data subject, personal data can only be provided in a readable format if there is a valid legal basis for providing such data under Article 6 GDPR.

The Act does not explicitly explain which party is responsible for setting a legal basis for the data sharing. However, since data sharing occurs on consumer instruction, the consumer would be the data controller.

On the other hand, the EU Data Act regulates industrial, product, and non-personal data. This type of data could be shared between service providers, fostering transparency, competitiveness, and innovation.

In cases where both laws apply, businesses must ensure compliance with both frameworks, balancing data protection with data access rights.

CookieScript, a professional Consent Management Platform (CMP), can help you to balance data protection with data access rights and comply with the regulation.

Challenges and Criticisms of the EU Data Act

The EU Data Act raises some challenges:

  • Consumer privacy
    Consumers may worry about their personal data being shared with third parties without their knowledge, increasing the risk of data breaches.
  • Trade secret concerns
    Businesses worry about the exposure of their trade secrets and sensitive data.
  • Implementation costs
    Adapting IoT products, services, and platforms may be costly and time-consuming, particularly for small businesses. Huge financial and administrative burdens of adapting to new data access and sharing requirements could have a significant negative effect on these companies.
  • Legal complexity
    Ensuring consistent enforcement across all EU member states may be challenging. Such inconsistencies across EU countries could potentially lead to legal conflicts and court cases. In addition, the requirement to comply with both GDPR and the EU Data Act at the same time may create conflicting obligations and confusion.

Nevertheless, the EU believes that the economic opportunities created through wider data access and sharing will eventually outweigh these challenges and bring benefits for both consumers and businesses.

The future of data governance in the EU

The EU Data Act marks a turning point in European data governance. By requiring fair access and sharing of data, the regulation promotes innovation in AI, IoT, and digital services.

Businesses that adapt early will gain a competitive advantage in a more open and interoperable data economy.

The Act could inspire other countries or regions to implement similar laws on data governance, as the GDPR inspired data privacy laws around the globe.

Compliance Strategies for Organizations

Any business producing or working with connected products or related services should consider the following practical steps:

  1. Scope
    Consider to what extent the requirements under the Act apply to you. Do you work with connected devices, AI, IoT, digital services, or related products? Do you collect or produce data that falls under the scope of the Act?
  2. Data mapping and categorization
    Conduct an inventory of the data you collect and process to determine what data falls under the scope of the Act. Identify what generated data will need to be made available to third parties. Also, distinguish between personal and non-personal data, which will have to be treated very differently.
  3. Redesign
    Evaluate if your connected products in use need to be redesigned to comply with the Act. When designing new IoT products, design them with built-in data portability options.
  4. Implement technical data access mechanisms
    Establish secure and reliable mechanisms for accessing data generated by your connected products or related services easily. You may need to develop APIs or other interfaces that allow for the seamless and standardized transfer of data to users or other businesses.
  5. Strengthen security
    Not all data should be shared or revealed openly. After you have completed data mapping and categorization and grouped the data, treat these groups differently. Implement secure practices to protect trade secrets, confidential information, and the personal information of consumers.
  6. Transparency and documentation
    Prepare documents and inform users about the requirements of the Act relating to the data generated by a connected product or related service. Be transparent and place these documents on your website in an easy-to-find place.
  7. Compliance requirements
    Develop compliance guides that align with GDPR and other sectoral laws.

A Consent Management Platform (CMP) like CookieScript can help you collect user consent and manage personal and non-personal data by keeping consent logs.

In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform.

The platform is also recognized as a Google-certified CMP in the Gold tier, highlighting its compliance with privacy and the latest consent management requirements.

Frequently Asked Questions

What is the EU Data Act?

The EU Data Act is an EU regulation designed to create a competitive and innovative data market by making data more accessible and usable. This framework aims to foster data access and data sharing, particularly industrial data, encouraging data-driven innovation and increasing data availability within the European Union, particularly in sectors of connected devices, IoT, AI, and related products.

Who is affected by the EU Data Act?

The EU Data Act has a broad application across the EU economy. Main stakeholders include manufacturers of connected devices, businesses using connected devices, cloud service providers, consumers, and the public sector. They will all have obligations or rights regarding the non-personal data generated by connected devices or related products.

Who is obliged to make data available under the EU Data Act?

Data holders. This includes businesses producing or working with connected devices, AI, IoT, digital services, or related products. Use CookieScript CMP to comply with the EU Data Act.

How do businesses have to make data available to third parties under the EU Data Act?

The data needs to be made available online without undue delay. Preferably, the data could be shared online in real time.

Will the data holder be compensated for making data available?

Data holders must provide the data free of charge in cases of a public emergency. If requested by the data holder, the EU Institution will make a public acknowledgement of the data holder's contribution. In all other cases, the data holder may charge fair compensation to cover its costs plus a reasonable margin.

What is the penalty for non-compliance with the EU Data Act?

Each EU Member State will have to decide the maximum penalty for failing to comply with the data sharing provisions. However, they can impose a fine not greater than €20 million or 4% of the total worldwide annual turnover. Use CookieScript CMP to comply with the EU Data Act and avoid penalties.

How does the EU Data Act interact with GDPR?

The EU Data Act and GDPR are complementary. The GDPR protects personal data, which could be provided in a readable format upon the user’s request, only in cases when the user is the data subject. The EU Data Act regulates industrial, product, and non-personal data. This type of data could be shared between service providers and consumers without restriction.
