25 September 2025

The EU Data Act Is Here

Katten Muchin Rosenman LLP


The European Union (EU) Data Act (EDA) came into force on January 11, 2024, and took effect on September 12, 2025. It is set to reshape how companies handle data generated by connected products, smart devices and cloud services across Europe. Its goal is to create a fairer and more competitive digital economy by enhancing user rights, ensuring fair access to and sharing of data, and maintaining robust data protection safeguards.

Applicability: Who Must Comply?

The EDA applies widely across industries, including both EU and non-EU organisations that manufacture or offer connected products across the EU, process user-generated data within the EU or provide data processing services to users in the European Economic Area (EEA). Any connected product that generates or collects data in the course of its use and communicates it via the internet or another network will fall within the scope of the EDA.

Key groups include:

  • Manufacturers of Connected Products: Internet of Things devices, smart appliances, wearables, vehicles or industrial machinery. From September 12, 2026, connected products placed on the EU market must be designed to allow users to access their generated data, either directly or on request.
  • Providers of Related Services: Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service or edge computing providers linked to connected products fall within scope. They must enable interoperability, data access and portability, and facilitate seamless switching between providers.
  • Data Holders and Recipients: Obligations differ based on role. For example:
    • The "Data Holder," often the manufacturer or service provider, controls access to the data;
    • The "User," who may be the owner, renter or lessee of the product, has the right to access and share the data; and
    • The "Data Recipient," such as an after-market service provider or third party, may obtain access when authorised by the "User."
  • Non-EU Companies: Companies established outside the EU are also subject to the EDA if they place connected products on the EU market, provide related services or offer data processing services to EU/EEA users.
  • Public Authorities: EU Member State authorities, along with EU institutions and agencies, may request data held by private entities during emergencies (such as cybersecurity events) or under legal mandates, with appropriate safeguards in place. For non-emergency public interest requests, data sharing is permitted on fair, reasonable and non-discriminatory terms, and compensation must cover the costs incurred in making the data available.

Organisations can have multiple roles simultaneously, making it critical to understand their obligations in the data ecosystem.

Key Points for Companies

  • Data Access and Portability: Users have the right to request, access and use data generated by connected products or related services, including both personal and non-personal data, in structured, machine-readable formats. They may also share or transfer this data to other providers. Cloud providers must remove technical and contractual barriers to switching services, ensuring interoperability and seamless data portability.
  • Transparency: Organisations must clearly inform users about what data is collected, how it's stored, retention periods and who can access it. Pre-contractual information may need updating to meet these requirements.
  • Contractual Fairness: Business-to-business agreements must be fair, reasonable and non-discriminatory. Unilateral, unfair clauses related to data access, use or liability are prohibited. Restrictions on unfair contracts apply to new agreements from September 12, 2025, and will extend to pre-existing contracts from September 12, 2027.
  • Safeguarding Data: Companies must protect trade secrets and prevent unauthorized access, including from non-EU governments. Data holders may implement confidentiality agreements, technical safeguards and model contractual terms to protect sensitive information.
  • Compliance and Coordination: The General Data Protection Regulation (GDPR) will continue to govern personal data. Organisations must segregate personal and non-personal data, document legal bases for sharing, and coordinate legal, IT, product and compliance teams to ensure compliance with both the GDPR and the EDA.

Next Steps

Organisations should engage in the following next steps to ensure compliance with the EDA:

  • Perform a Gap Analysis: Determine what services, products and entities are in scope and what roles they have under the EDA.
  • Map Data: Review and map data that is captured by the EDA.
  • Policies and Procedures: Update policies and procedures to ensure compliance with data access rights and other compliance obligations under the EDA.
  • Contract Review: Review and update applicable contracts and required documentation.
  • Safeguards and IT Security: Review existing safeguards and IT security measures and ensure that appropriate ones are implemented.

Looking Ahead

The EDA is poised to transform Europe's digital economy, promoting competition, innovation and user empowerment. Compliance will require operational, technical and contractual adjustments, but it also presents opportunities. For example, small to medium-sized enterprises will gain protection against unfair contract terms; users can access valuable data to drive insights and innovation; and companies that act proactively will reduce regulatory risk and gain a competitive advantage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
