Connected products are about to enter a new era of regulatory scrutiny. The EU Data Act (EDA) marks a significant shift by granting users the right to access both personal and non-personal data generated from their use of connected products and related services (i.e., digital services that affect product functionality). Many obligations under the EDA begin to apply from 12 September 2025. This briefing identifies the compliance steps data holders need to prioritise now, as well as those that, while less urgent, should remain on the compliance to-do list.
1 The timeline
The application of the EDA is staggered and the timeline below shows when the various obligations begin to apply.
2 What are the data sharing obligations?
The EDA is intended to unlock the value of data in connected products in the EU, sparking innovation, empowering users, and boosting competition by making data more accessible to users and to third parties at the user's request.
Product design requirements are on the horizon, but not for another year. However, since redesigns take time, now is still the time to get ready. From 12 September 2026, connected products hitting the EU market should enable users to directly access their data "easily, securely, free of charge and in a comprehensive, structured, commonly used and machine-readable format". However, importantly, this design obligation to provide direct access, without the intervention of the data holder, is not absolute and only applies "where relevant and technically feasible". Manufacturers of connected products will therefore have some discretion to decide whether to provide a digital interface that a user controls to directly extract data, or instead to require a user to submit a request to the data holder in order to access the data (i.e. indirect access). The EU Commission's FAQs (FAQ 22) confirm that there is flexibility around the direct access requirement.
In any event, businesses have some time to get to grips with the EDA's 2026 design obligations.
So, what are the September 2025 data access obligations?
More urgently, from 12 September 2025, any user (businesses or consumers) of a connected product in the EU can demand access to data that the data holder can access, including requiring that the data is shared with third parties. Data holders must respond by providing data in a commonly used machine-readable format—and, where relevant and technically feasible, make it available continuously and in real time.
There are a number of ways in which data holders may be able to comply with this obligation – for example, offering a website/app-based portal where users can request and access the data. Currently, there is no hard and fast rule as to how, practically, businesses can comply with the data sharing obligations.
3 What else do businesses need to do from September 2025?
Information notices
One of the drivers behind the EDA is increasing transparency. Data holders need to be clear about the data they collect and ensure that users are aware of how they too can access that data. This information needs to be provided pre-contract in a "clear and comprehensible manner".
Data holders—be they sellers, manufacturers, renters, or lessors—must inform users about the type, format, and estimated volume of data the product can generate, including whether data is created continuously or in real-time, how data is stored, retention periods, and ways to access, retrieve, or erase their data. Related digital services come with even more disclosure duties: in addition, users must be told about the frequency of data collection, how the data holder plans to use the data and with whom the data holder plans to share it (including contact details), how contracts can be ended, the user's right to complain, and information about trade secrets.
The Data Act suggests that one way to satisfy the information obligation is to maintain a stable uniform resource locator (a URL) distributed as a web link or QR code to point to the relevant information prior to concluding the contract.
Model contract terms (MCTs)
Data holders can only use data on the basis of a contractual agreement with the user – so data holders must ensure that their user-facing terms and conditions are sufficiently clear about the purposes for which they will use data and with whom they are entitled to share data. These limitations apply in addition to the constraints already imposed on business' use of personal data under the GDPR.
Contracts with consumers will be subject to consumer protection laws but the EDA will also require all B2B data sharing contracts to be on terms that are fair, reasonable and non-discriminatory (FRAND) and will impose a reverse burden of proof on data holders to prove that their terms and conditions are non-discriminatory. This obligation will apply to new contracts concluded after 12 September 2025. However, from 12 September 2027, it will also apply to certain pre-existing contracts.
An expert group appointed by the EU Commission has published final drafts of non-binding model contractual clauses (MCTs) under the EDA to cover data access and use, including terms on reasonable compensation and the protection of trade secrets – the EU Commission must decide whether it wishes to adopt them prior to 12 September 2025.
The draft MCTs (set out in the Final Report) consist of four contract types:
- Data Holder to User - where the data holder wishes to use data generated using the product/service.
- User to a Third-Party Data Recipient - where the user of a product/service has requested a data holder to make data available to the data recipient.
- Data Holder to a Third-Party Data Recipient - where a data holder makes data available to a data recipient.
- Data Sharer to Data Recipient - where the data sharer wishes to make data available to a data recipient independently of any request by a user or similar party (i.e. voluntary sharing).
The MCTs are drafted for B2B contracts. They could be used in B2C contracts, but they would need some adaptations to comply with consumer protection laws. The published MCTs will likely set the standard for what counts as FRAND under the EDA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
