How does the Data Act interact with the GDPR?

The Data Act does not create a new legal basis for processing personal data. Where product-generated data includes personal data, the GDPR applies in full as lex specialis for data protection. Data holders must still identify a GDPR legal basis before sharing personal data, even when the Data Act grants users an access right. The Data Act's user access rights supplement -- but do not override -- GDPR data subject rights.

Can data holders refuse to share data to protect trade secrets?

Data holders may take proportionate technical and contractual measures to protect trade secrets, but they cannot use trade secret protection as a blanket refusal. Where sharing is possible with adequate protective measures (e.g., NDAs, technical access controls, aggregation), the data holder must share the data subject to those protections. Only where no proportionate measure can prevent disproportionate harm may sharing be refused entirely.

What compensation can data holders charge for sharing data with third parties?

Compensation must be reasonable and non-discriminatory. For sharing with SMEs, it must not exceed the cost of making the data available. For sharing with larger enterprises, data holders may add a reasonable margin. Compensation may not be used as a barrier to data access. The Commission will publish guidelines on calculating reasonable compensation.

How does the Data Act affect existing cloud service contracts?

Cloud providers must bring all existing contracts into compliance with Data Act switching provisions by 12 September 2025. This means updating terms to include maximum transition periods, data portability obligations, and functional equivalence guarantees. Switching charges must be reduced progressively and eliminated entirely by 12 January 2027.

Are DMA gatekeepers excluded from the Data Act?

Gatekeepers designated under the Digital Markets Act cannot be named as third-party recipients of data shared under Article 5 of the Data Act. This prevents large platforms from leveraging the Data Act to further consolidate data power. However, gatekeepers are still subject to the Data Act as data holders if they manufacture connected products or provide related services.

What are the penalties for non-compliance?

The Data Act delegates penalty setting to Member States. Penalties must be effective, proportionate, and dissuasive. Contractual terms that violate the Data Act are automatically void -- they have no legal effect regardless of what the parties agreed. National competent authorities have investigative and enforcement powers including the ability to impose fines and order compliance.

Does the Data Act apply to data generated before September 2025?

The main provisions apply from 12 September 2025 to data generated from that date. For connected products placed on the market before that date, data access and sharing obligations apply from 12 September 2026, but only where technically feasible without requiring disproportionate redesign. Data generated before the relevant application date is not covered.

TOPICS·TECHNOLOGY·REGULATION (EU) 2023/2854

EU Data Act

REGULATION ON FAIR ACCESS TO AND USE OF DATA

The EU's horizontal framework for who can access and use data generated by connected products and related services. Applicable from 12 September 2025, the Data Act establishes user data access rights, B2B data sharing obligations on FRAND terms, cloud switching rules, smart contract requirements, and safeguards against unlawful third-country government data access.

EUIN EFFECT56 regulations trackedUpdated April 2026

WHAT

EU regulation on fair access to and use of data generated by connected products and related services (IoT data, industrial data). It creates new rights for users to access and share their data, regulates B2B data contracts, and mandates cloud switching freedoms.

WHO

Manufacturers of connected products, data holders, cloud and edge service providers, third-party data recipients, and public sector bodies requesting private-sector data in cases of exceptional need.

WHEN

Entered into force 11 January 2024. Main provisions apply from 12 September 2025. Cloud switching charges eliminated by 12 January 2027. Legacy connected products covered from 12 September 2026.

PENALTY

Set by Member States; must be effective, proportionate, and dissuasive. Contractual terms violating the Data Act are automatically void. National competent authorities have investigative and enforcement powers.

THE ESSENTIALS

Every time you use a smart thermostat, drive a connected car, or operate an industrial machine, that device generates data. Until now, the manufacturer who built the device typically kept that data for themselves -- even though your use of the product created it. The EU Data Act changes who gets to access and use that data.

Starting 12 September 2025, users of connected products have the right to access the data their devices generate, free of charge and in real time where technically feasible. Users can also request that the manufacturer share that data with a third party of their choice -- for example, an independent repair shop or a competing service provider. The manufacturer must comply, on fair and reasonable terms, and cannot charge more than the cost of making the data available.

The law also tackles cloud lock-in. Cloud and edge service providers must support customers who want to switch providers or run multi-cloud setups. Switching must be completed within 45 days, and from January 2027, providers cannot charge any switching fees at all. Smart contracts used for automated data sharing must include safety mechanisms like kill switches and audit trails.

For businesses, the practical impact depends on your role. If you manufacture connected products, you need to redesign them for data access by default. If you are a cloud provider, you must update contracts and eliminate switching barriers. If you are a smaller company that depends on data from a larger partner, you gain new leverage: unfair terms in data-sharing contracts can be challenged and voided. The Data Act does not replace the GDPR -- where personal data is involved, both sets of rules apply in parallel.

IOT DATA ACCESS FLOW

The Data Act creates a structured flow for accessing data generated by connected products. Each step has specific legal requirements and timeframes.

DATA GENERATIONConnected Product

IoT device, smart appliance, or industrial machine generates data through normal use. Data includes both raw sensor data and data derived by the related service.

DIRECT ACCESSUser

Product must be designed so the user can access data directly, free of charge, continuously, and in real time where technically feasible. Pre-contractual information about data types and access methods must be provided.

SHARING REQUESTUser → Data Holder

User requests the data holder to share data with a named third party. Request may be made electronically. Data holder must comply without undue delay, at the same quality as available to the data holder.

THIRD-PARTY DELIVERYData Holder → Third Party

Data holder shares data with the third party on FRAND terms. Compensation limited to cost of making data available (plus reasonable margin). Trade secret protections may apply.

USE LIMITATIONSThird Party

Recipient may only use data for the agreed purpose. Must not develop a competing connected product. Must not sub-license to a DMA gatekeeper. Must delete data when no longer needed.

STRUCTURE OF THE DATA ACT

The Data Act is organised into eleven chapters covering data access, sharing, fairness, public sector access, cloud switching, smart contracts, and enforcement.

Connected products must be designed so that users can access the data they generate easily, directly, and free of charge. Where direct access is not possible, the data holder must provide it without undue delay, at the same quality, and in a comprehensive, structured, commonly used, machine-readable format.

KEY REQUIREMENTS

Products must enable direct user access to data by default at design stage

Data holders must make data available free of charge, continuously and in real time where feasible

Users receive pre-contractual information on what data is generated and how to access it

Includes data generated by connected products and related services (IoT, smart devices, industrial machines)

Trade secrets may justify restrictions, but only with proportionate protective measures

STAKEHOLDER RIGHTS & OBLIGATIONS MAP

The Data Act creates an interconnected web of rights and obligations across five stakeholder categories. Select a stakeholder to see their full position.

CLOUD SWITCHING PROCESS

The Data Act imposes strict timelines on cloud service switching. From January 2027, all switching charges must be zero.

Customer notifies current cloud provider of intent to switch or use multi-cloud. Written notice triggers the switching process.

Provider acknowledges and begins transition planning. Provider must share all relevant technical information including data formats, schemas, APIs, and migration tooling.

Full data export in a commonly used, machine-readable format. Provider must assist with migration and ensure functional equivalence at the destination service. No degradation of service during transition.

Customer verifies data integrity and service functionality at the new provider. Original provider maintains service access during verification. Both environments run in parallel.

Customer confirms successful migration and terminates original contract. From 12 January 2027, no switching charges may be applied. Before that date, charges must be reduced progressively.

SWITCHING CHARGE PHASE-OUT

Sep 2025Reduced switching charges only

Jan 2027Zero switching charges mandatory

SMART CONTRACT REQUIREMENTS

Smart contracts used for automated data sharing under the Data Act must meet essential requirements in Annex I. Vendors must self-certify conformity.

B2B CONTRACT FAIRNESS

The Data Act introduces a fairness test for data-sharing contracts between businesses. Certain terms are blacklisted or grey-listed when unilaterally imposed on SMEs.

IMPLEMENTATION TIMELINE

The Data Act uses a phased application model, with different provisions taking effect at different times between 2025 and 2028.

Sep 2025Application date for main provisionsArt. 50(2)

Jan 2027Cloud switching charges eliminatedArt. 29(5)

OngoingMember States designating authoritiesArt. 37

Sep 2028Commission review deadlineArt. 49

KEY IMPLEMENTATION CHALLENGES

Access by design: Manufacturers must redesign connected products to enable direct data access. Retrofitting existing products on the market before September 2025 is only required where technically feasible.

FRAND term definition: No fixed formula exists for "fair, reasonable, and non-discriminatory" compensation. The Commission will publish guidelines, but disputes will likely arise during early implementation.

Trade secret balancing: The boundary between legitimate trade secret protection and obstruction of data access rights will be tested case by case. Businesses need clear internal policies on what constitutes a proportionate protective measure.

Cloud contract remediation: Cloud providers must update all existing contracts to include switching rights, portability obligations, and the fee elimination timeline. Enterprise contracts with bespoke terms require individual renegotiation.

KEY MILESTONES

Feb 23, 2022

PROPOSALEuropean Commission publishes the Data Act proposal as part of the European Data Strategy

Mar 14, 2023

COUNCILCouncil of the EU adopts its general approach on the Data Act

Jun 27, 2023

TRILOGUEPolitical agreement reached in trilogue between Parliament, Council, and Commission

Nov 9, 2023

ADOPTEDEuropean Parliament adopts the Data Act by 481 votes in favour

Dec 22, 2023

PUBLISHEDRegulation (EU) 2023/2854 published in the Official Journal of the EU

Jan 11, 2024

IN FORCEData Act enters into force. 20-month implementation period begins

Sep 12, 2025

FULL APPLICATIONMain provisions become applicable: data access rights, B2B sharing, unfair terms, public sector access, cloud switching (reduced charges), smart contracts, international safeguards

Apr 23, 2026

YOU ARE HERE

Sep 12, 2026

CONNECTED PRODUCTSData access and sharing obligations extend to connected products placed on the market before 12 September 2025, where technically feasible

Jan 12, 2027

ZERO SWITCHING FEESAll cloud switching charges must be completely eliminated. Free-of-charge switching becomes mandatory

Sep 12, 2028

COMMISSION REVIEWEuropean Commission evaluates the application and impact of the Data Act and reports to the European Parliament and Council

KEY QUESTIONS & INTERPRETATIONS

DATA REGULATIONS56

EU56

US0

COURT RULINGS0

REGULATORY ACTIVITY OVER TIME

20021

20155

20161

20181

20193

20201

20211

20229

20236

202414

202511

20263

EU US

BY STATUS

Adopted54

In Force2

BY TYPE

directive11

regulation36

decision9

MOST CONNECTED REGULATIONS

JUR.	TITLE	STATUS	LINKS
EU	Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)	Adopted	12
EU	Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)	Adopted	8
EU	Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance)	Adopted	8
EU	Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance)	Adopted	5
EU	Regulation (EU) 2024/1257 of the European Parliament and of the Council of 24 April 2024 on type-approval of motor vehicles and engines and of systems, components and separate technical units intended for such vehicles, with respect to their emissions and battery durability (Euro 7), amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 715/2007 and (EC) No 595/2009 of the European Parliament and of the Council, Commission Regulation (EU) No 582/2011, Commission Regulation (EU) 2017/1151, Commission Regulation (EU) 2017/2400 and Commission Implementing Regulation (EU) 2022/1362 (Text with EEA relevance)	Adopted	4
EU	Commission Regulation (EU) 2024/1103 of 18 April 2024 implementing Directive 2009/125/EC of the European Parliament and of the Council as regards ecodesign requirements for local space heaters and separate related controls and repealing Commission Regulation (EU) 2015/1188	Adopted	3
EU	Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (Text with EEA relevance)	Adopted	3
EU	Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector (Text with EEA relevance)	Adopted	2
EU	Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (Text with EEA relevance)	Adopted	2
EU	Commission Implementing Regulation (EU) 2026/286 of 10 February 2026 authorising an exemption pursuant to Regulation (EU) 2024/573 of the European Parliament and of the Council, with regard to the use of fluorinated greenhouse gases in certain chillers used for semiconductor manufacturing	Adopted	1

DATE	JUR.	TITLE	STATUS
Mar 11, 2026	EU	Directive (EU) 2026/706 of the European Parliament and of the Council of 11 March 2026 amending Directive 2014/32/EU as regards measuring systems for electric vehicle supply equipment and compressed gas dispensers, and electricity, gas and thermal energy meters (Text with EEA relevance)	Adopted
Feb 10, 2026	EU	Commission Implementing Regulation (EU) 2026/286 of 10 February 2026 authorising an exemption pursuant to Regulation (EU) 2024/573 of the European Parliament and of the Council, with regard to the use of fluorinated greenhouse gases in certain chillers used for semiconductor manufacturing	Adopted
Feb 9, 2026	EU	Commission Implementing Regulation (EU) 2026/330 of 9 February 2026 amending Implementing Regulation (EU) 2024/2754 imposing a definitive countervailing duty on imports of new battery electric vehicles designed for the transport of persons originating in the People’s Republic of China following a partial interim review pursuant to Article 19(2) of Regulation (EU) 2016/1037 of the European Parliament and of the Council	Adopted
Dec 11, 2025	EU	Council Decision (CFSP) 2025/2539 of 11 December 2025 amending Decision (CFSP) 2022/2269 on Union support for the implementation of a project ‘Promoting Responsible Innovation in Artificial Intelligence for Peace and Security’	Adopted
Nov 13, 2025	EU	Council Decision (EU) 2025/2350 of 13 November 2025 on the position to be taken on behalf of the European Union within the Committee of Ministers of the Council of Europe on the Draft Recommendation on equality and artificial intelligence	Adopted
Oct 17, 2025	EU	Corrigendum to Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024)	Adopted
Oct 13, 2025	EU	Commission Regulation (EU) 2025/2052 of 13 October 2025 laying down ecodesign requirements for external power supplies, wireless chargers, wireless charging pads, battery chargers for portable batteries of general use and USB Type-C cables, pursuant to Directive 2009/125/EC of the European Parliament and of the Council and repealing Commission Regulation (EU) 2019/1782	Adopted
Jul 18, 2025	EU	Regulation (EU) 2025/1561 of the European Parliament and of the Council of 18 July 2025 amending Regulation (EU) 2023/1542 as regards obligations of economic operators concerning battery due diligence policies (Text with EEA relevance)	Adopted
Jul 2, 2025	EU	Corrigendum to Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024)	Adopted
May 6, 2025	EU	Commission Implementing Regulation (EU) 2025/847 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reactions to security breaches of European Digital Identity Wallets	Adopted
Mar 11, 2025	EU	Council Regulation (EU) 2025/517 of 11 March 2025 amending Regulation (EU) No 904/2010 as regards the VAT administrative cooperation arrangements needed for the digital age	Adopted
Mar 11, 2025	EU	Council Directive (EU) 2025/516 of 11 March 2025 amending Directive 2006/112/EC as regards VAT rules for the digital age	Adopted
Mar 7, 2025	EU	Commission Implementing Regulation (EU) 2025/454 of 7 March 2025 laying down the rules for the application of Regulation (EU) 2024/1689 of the European Parliament and of the Council as regards the establishment of a scientific panel of independent experts in the field of artificial intelligence	Adopted
Jan 10, 2025	EU	Corrigendum to Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 12.10.2022)	Adopted
Dec 19, 2024	EU	Directive (EU) 2025/25 of the European Parliament and of the Council of 19 December 2024 amending Directives 2009/102/EC and (EU) 2017/1132 as regards further expanding and upgrading the use of digital tools and processes in company law (Text with EEA relevance)	Adopted
Dec 5, 2024	EU	Corrigendum to Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 23.10.2024)	Adopted
Oct 29, 2024	EU	Commission Implementing Regulation (EU) 2024/2754 of 29 October 2024 imposing a definitive countervailing duty on imports of new battery electric vehicles designed for the transport of persons originating in the People’s Republic of China	Adopted
Oct 23, 2024	EU	Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)	Adopted
Aug 28, 2024	EU	Council Decision (EU) 2024/2218 of 28 August 2024 on the signing, on behalf of the European Union, of the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law	Adopted
Jul 3, 2024	EU	Commission Implementing Regulation (EU) 2024/1866 of 3 July 2024 imposing a provisional countervailing duty on imports of new battery electric vehicles designed for the transport of persons originating in the People’s Republic of China	Adopted