Edited by Paola Furiosi, Giulia Iozzia, Andrea Strippoli, Edoardo di Maggio and Francesco Gaggioli
September 12, 2025 marked a major milestone in the EU Digital Strategy, as Regulation (EU) 2023/2854 – the Data Act – became fully applicable.
The Data Act establishes uniform rules governing the access, use, and circulation of data generated by connected products (Internet of Things – IoT) and related services placed on the European Union market. The range of products and services covered is extensive, encompassing, for example, connected vehicles and appliances, smart electricity meters, and industrial IoT solutions. The broad scope of this legislation, both in terms of the number of economic operators involved and the cross-sectoral nature of the data subject to the new requirements, makes the Data Act a fundamental piece of compliance for many European companies (and beyond).
The Data Act grants end users and businesses the right to access data generated by their IoT products and related services, as well as to share such data with other operators. This aims to address the common issue of vendor lock-in and to unlock the significant economic potential of data, which is increasingly recognized as a strategic asset.
The ability for users to access data generated by their IoT products means that manufacturers, sellers, lessors, and service providers are required to:
- Design products and services to ensure users can easily port and access their data – including any necessary metadata – in a complete, structured, and machine-readable format. This is a significant step beyond compared to the data portability right under the GDPR, as it covers both personal and non-personal data. However, the GDPR continues to apply in relation to personal data.
- Provide users with direct access to the generated data, embedding the principle of “access by design” into the development of IoT products and related services, wherever technically feasible.
- Clearly inform customers about the data collection capabilities of IoT products, specifying the nature, format, and volume of the data collected, and explaining both their rights and the practical steps for accessing and sharing their data.
- Enable users to share their data with third parties of their choice. To comply with the Data Act, such sharing must occur under fair, reasonable, and non-discriminatory conditions. The Regulation also identifies a number of unfair contractual terms in this context.
Despite the broad nature of the obligations introduced by the Data Act, the Regulation also provides important safeguards to protect data holders:
- Only raw and pre-processed data – that is, data that has not been further refined – falls within the scope of the Regulation. Data that has been enriched or processed in a way that makes it eligible for intellectual property protection is excluded.
- Sharing data that qualifies as trade secrets is subject to the adoption of appropriate confidentiality measures (such as confidentiality agreements, standard contractual clauses, access protocols), with the possibility for the data holder to suspend the sharing of or prevent access to data, under certain circumstances (the so-called “trade secrets handbrake”). Unlike EU Directive 2016/943 on trade secrets, the Data Act requires that potential risks to trade secrets be assessed before data sharing, rather than after disclosure.
- In addition, data made accessible under the Data Act cannot be used to develop or market products that compete with the IoT product from which the data originated.
While these safeguards are significant, they do not exempt companies from the required obligations under the Data Act. Full compliance requires businesses to take a number of practical steps, including:
- Mapping the data they hold to determine which data falls within the scope of the Regulation;
- Conducting a detailed review to identify data that may qualify as a trade secret;
- Ensuring that contracts with relevant parties meet the data sharing requirements under Data Act, updating existing agreements as needed to ensure they are fair, reasonable and non-discriminatory, and free from unfair contractual terms;
- Setting up an operational framework to handle requests for data access and sharing.
Additionally, Data Processing Service providers (such as cloud service providers) will need to remove, under Chapter VI of the Regulation, any barriers that make it difficult for customers to switch providers – whether technical, by improving interoperability between platforms, or contractual and commercial. They must also ensure that customers can terminate contracts with minimal notice and make it easy to migrate data and applications to other platforms.
Despite ongoing uncertainty around the designation of a national supervisory authority and the current lack of an internal enforcement mechanism, the Data Act marks a new chapter in digital transformation.
In this landscape, having a deep understanding of the Data Act is not only crucial for regulatory compliance, but also serves as a strategic advantage to fully capitalize on the opportunities offered by this new regulatory framework and to gain a competitive edge.
Let’s Talk
For a deeper discussion: