Today, 12 September 2025, the Data Act comes into force. This regulation establishes uniform rules for access to data generated by connected products (IoT) and related services, including personal, technical, telemetric, and operational data.
The Data Act also regulates access to data by public authorities in emergency situations.
Why is it a landmark regulation?
Thanks to the Data Act, users of devices or related services now have the right to request access to any data generated when using a product.
This information must be provided in a structured, machine-readable format of the same quality as is available to the entity collecting it, free of charge and without undue delay.
Who is affected by the obligations under the Data Act?
The Data Act imposes obligations on data holders. Data holders are entities that have the right or obligation to use and make available data generated when using a product or service, and include, without limitation:
- Manufacturers
- Operators
- Maintenance service providers
- Digital service providers
Obligations of data holders
Data holders must make data available to users and third parties of their choice, on clear terms and in confidence.
In particular, this includes:
- Providing the user with ‘readily available data’ – without undue delay, free of charge, with metadata, continuously and in real time, if possible
- Making data available to a third party designated by the user
- Protecting trade secrets through appropriate technical and organisational measures (the data holder may only refuse to disclose data if they can demonstrate a serious risk of damage)
- Being prohibited from practices that hinder the exercise of the right of access (dark patterns)
- Keeping records of disclosures and handling requests transparently
The obligation to make data available applies to raw and pre-processed data. However, information inferred or derived from such data remains outside the scope of the Regulation.
Data Act timeline
- 12 September 2025 – Data Act on user rights and access by public authorities
- 12 September 2026 – ‘access by design’ requirement for new products and services
- 12 January 2027 – prohibition on charging fees for changing data processing service providers (switching charges)
- 12 September 2027 – contracts concluded before the Regulation comes into force will also be covered if they are of indefinite duration or long-term
What to consider now
In order to meet the requirements and prepare for access requests, it is advisable to take the following steps as soon as possible:
- Inventory your data-generating devices and services
- Determine which data is ‘readily available’ and must be made available, and which is derived and need not be made available
- Review and adjust B2B contracts, particularly with regard to prohibited clauses affecting SMEs
- Develop procedures for making data available, prepare registers and anonymisation and pseudonymisation mechanisms
- Plan the process of switching cloud providers and adapt systems to ensure they are interoperable
- Integrate Data Act requirements with GDPR processes, including DPIA
The Data Act also brings new opportunities and models for business
The Data Act is not just about obligations.
It also creates new opportunities. Providing access to data for independent websites, integrators, and application providers enables the development of competitive services and new business models, boosting innovation.
Companies that prepare compliance procedures in good time can avoid regulatory risks and take advantage of the opening data market.
We can help you analyse specific cases, review contracts, and develop a plan for implementing the Data Act within your organisation.
If you are interested or have any queries, please contact us.
