The EU Data Act - one year to go: what you need to know to prepare

Whether you want to explore different aftercare services for the IoT products you use, switch your cloud service provider, or agree reasonable terms around your data sharing arrangements, now is the time to consider whether the EU Data Act could help. With one year to go before most of the key obligations under the Act apply, it is also important for manufacturers, data holders and service providers who may be in scope to check preparations are on track to ensure compliance.

Here is a high-level overview of what the Act entails and the key dates you need to keep in mind. 

The EU Data Act: a quick reminder 

As we discussed in our previous post, the EU Data Act is designed to enhance the EU’s data economy and foster a competitive data market by making data more accessible and usable, encouraging innovation and increasing data availability. 

The Act covers both personal and non-personal data and it applies to: 

• manufacturers of connected products (e.g. connected cars and medical and fitness devices) and providers of related services (e.g. an app that makes a connected product behave in a specific manner);
• users of connected products and related services;
• data holders and data recipients;
• public sector bodies;
• providers of data processing services; and
• other participants in data spaces. 

Key rights and obligations 

Given the multifaceted nature of the data market, the measures taken by the EU to meet the Act’s objectives are wide-ranging, with the Data Act covering matters ranging from unfair terms to switching restrictions to access to IoT generated data.  The key obligations include: 

1. Design requirements: manufacturers of connected products and providers of related services must design their products so that any data generated and/or captured is available to users directly (where possible) and without cost. 
    
2. Data sharing with the user or third parties: data holders are required to share data with users or a third party on request by the user. Such data must be shared under fair, reasonable, and non-discriminatory terms and in a transparent manner.
    
3. Unfair contractual terms: the Act provides protection against unfair contractual terms in a business-to-business context. Companies cannot unilaterally impose unfair contractual terms concerning access to and use of data, or liability and remedies for the breach or the termination of data related obligations.
    
4. Business to government data sharing: public bodies have the right to access data held by private bodies where there is an exceptional need (e.g. to respond to a public emergency, subject to certain restrictions, including restrictions on how the data is used).
    
5. Removing obstacles to switching data processing services: users have the right to access and transfer their data across different service providers. This ensures that individuals and businesses can move their data freely and make the most of different services without being locked into a single provider.
    
6. Unlawful third country government access: to ensure that protection afforded to data in the EU travels with any data transferred outside the EU, providers of data processing services must implement appropriate safeguards to prevent international transfers of industrial data or access by a third government that would not be compatible with EU or national legislation. 
    
7. Interoperability: data space participants should comply with several requirements to allow data to flow within and between data spaces. The Act also introduces harmonised standards and open interoperability specifications for data processing services. 

Now is the time to start preparing for these changes. Businesses that fall within the remit of the Act will need to review and update their data management practices, contracting policies and (where relevant) design and manufacturing processes to ensure compliance. In addition to compliance requirements, businesses should also consider whether the Data Act provides them with any opportunities – for example to access data which could help develop new aftermarket services for a connected product.

Important dates

Although the Act entered into force on 11 January 2024, there are transition periods and most of its rights and obligations will apply from 12 September 2025. However,  there are other important dates to keep in mind. In September 2026, the design and manufacturing requirements for connected products and related services will apply, and a year later (September 2027) the rules on unfair contract terms will apply to contracts entered into on or before 12 September 2025 (meaning older contracts must be amended by this date). 

For more information on the Data Act, please see our “EU Data Act at a glance” flyer here. For our previous blog posts on the Act see here and here.