The Data Act (Regulation (EU) 2023/2854) is set to transform how data generated by connected products and related services is accessed, shared, and used across the EU. Previously, much of this data remained with manufacturers or service providers. The Regulation shifts this balance, granting users greater access to and control over the data they generate, and in turn it attempts to foster a fairer and more competitive data economy.
The Regulation will largely apply directly in all EU Member States from 12 September 2025, with certain obligations relating to the design of connected products and related services kicking in from 12 September 2026. This leaves businesses, manufacturers, service providers, and public authorities a limited timeframe within which to adapt their systems, contracts, and internal processes.
Defining the Data in Scope
The Regulation applies to, inter alia, manufacturers, providers of
data processing services and users of connected products and related
services placed on the EU market, as well as data holders and
recipients of data generated by such connected products or related
services. In the case of manufacturers or providers, the Regulation
will apply regardless of where the manufacturer or provider is
established if such products or related services are placed on the
EU market.
Connected products are physical items capable of collecting,
generating, or transmitting data about their use or environment via
electronic communication, physical connection, or on-device
processing. These can range from wearable fitness trackers and
smart home appliances to automobiles and aircraft.
Related services are those services that are connected to a
product, and that collect and generate data from the use of a
connected product. Examples include virtual assistants embedded in
a device, and navigation systems integrated into vehicles.
The Regulation focuses on readily available data, such as raw data,
being data that can be accessed from the connected product or
related service without disproportionate effort. However, it does
not extend to data that has been significantly processed beyond a
simple operation. It will cover both personal and non-personal data
though, in the case of personal data, it will also operate
alongside the GDPR.
Stakeholders and their Roles under the Data Act
The Regulation creates a framework involving several
stakeholders. These include the manufacturer, user of the connected
product and related service, the data holder, the data recipient
and providers of data processing services.
Data holders, being the individuals or organisations (typically the
manufacturer or service provider) that control access to data
retrieved or generated from a connected product or related service
and have the right or obligation to use and share that data, are
particularly affected by this Regulation. In fact, for these
persons, compliance with the Data Act means undertaking a review
across several fronts, including:
- Determining the scope and applicability of the Data Act
- If applicable, updating contracts and documentation such as terms of service.
- Creating and implementing operational processes:
- Meeting design obligations for future connected products or related services:
A data recipient is any third party, acting for purposes related
to their trade or profession, to whom the data holder makes data
available. This could be an application developer, or even a public
authority in certain circumstances. They must use the data only for
the purposes for which it was shared, respect applicable trade
secret rules, and not use the data to develop competing connected
products.
The data processing service provider is any entity providing
services that enable access to shared computing resources, such as
cloud storage, to its customers. Providers of data processing
services will be required to enable their customers to terminate
contracts and migrate data to other data processing services
without undue delay or cost, removing barriers to competition and
ensuring interoperability.
Enforcing the Data Act
The enforcement of the Data Act will be decentralised: each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of the Data Act, including monitoring compliance and handling complaints. In turn, persons shall have the right to lodge a complaint with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights under the Data Act have been infringed. In Malta, the Malta Digital Innovation Authority (MDIA) and the Malta Communications Authority (MCA) are the prospective Competent Authorities responsible for the application and enforcement of the provisions of the Data Act.
While the Regulation does not set specific penalty amounts in case of non-compliance, it requires that Member States establish penalties that are effective, proportionate and dissuasive. This leaves room for variation across Member States. Although these penalties will be borne by companies as legal entities, directors should not overlook their personal exposure in the event of non-compliance by a company. While the Data Act does not explicitly create liabilities for directors, their existing duties and responsibilities under national laws, specifically the Companies Act (Chapter 386 of the Laws of Malta), mean that they can potentially be held accountable for a company's failure to adhere to the Data Act. This stems from a director's overarching duty to exercise the care, diligence and skill expected of their position.
The Data Act marks a shift towards a data economy in which value is shared more equitably between those who generate data and those who hold it. With key provisions applying from 12 September 2025, organisations must act swiftly in making operational, contractual, and technical changes to meet their new obligations. For directors, proactive oversight and a commitment to compliance remain the most effective safeguard against liability in this regulatory landscape.