Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The latest installment in Brussels' ever-growing catalogue of laws, the EU Data Act became applicable 12 Sept. 2025.

Over time, EU regulators have sharpened their focus on empowering users, anchored in a fundamental rights approach while ensuring fair market conditions. The EU General Data Protection Regulation marked a turning point, embedding human centrality in data governance and reflecting both rapid digitalization and growing awareness of individual rights. The Data Act builds on this trajectory, aiming to make more data available to individuals, businesses and the public sector while ensuring that access empowers users by giving them greater control over the data they generate.

This is the first article in a multipart series addressing the top operational impacts of the Data Act. It sets the scene: what led to the creation of the Data Act, its objectives, the negotiation backdrop, how it fits within the EU's digital rulebook, and what it means for an organization's compliance journey. The remaining articles in the series will explore some of the Data Act's key pillars and what they mean in practice.

At its core, the act reflects the EU's single-market vision and seeks to boost Europe’s digital economy by making industrial and Internet of Things data more accessible and usable. It grants users of connected products, and their chosen third parties, rights to access and share the data they generate with safeguards for trade secrets, intellectual property and reasonable compensation for data holders. 

Beyond user rights, the act aims to level the playing field by strengthening cloud portability and reducing vendor lock-in, restraining unfair contract terms, allowing public authorities to request private-sector data in exceptional circumstances such as emergencies, and promoting interoperability to enable seamless cross-border and cross-sector data flows, all while protecting against unlawful third-country access to non-personal data.

By way of example, imagine a smart washing machine connected to a companion app that monitors temperature, water flow, and energy use. Under the Data Act, all raw and pre-processed sensor data that is readily accessible to the manufacturer or app provider falls within scope. The user has a right to access this data and can choose to share it with a third party, such as a company offering energy efficiency advice, either by extracting it themselves or by instructing the data holder to share it, provided the recipient is not an EU Digital Markets Act gatekeeper.

The creation of the Data Act

First proposed by the European Commission in February 2022 as part of the EU Digital Strategy, the Data Act was presented as a way to unlock the value of industrial and IoT data for innovation, competition, and public interest. After more than a year of negotiations, the European Parliament and the Council of the European Union reached political agreement in June 2023, with final approval following in November 2023. The regulation entered into force in January 2024 and became enforceable in September 2025 after a 20-month transition period — longer than the initially proposed 12 months — to give industry more time to adapt.

The key measures established by the final text include user rights allowing individuals and businesses to access and share co-generated data from connected devices. Manufacturers are obliged to support this, except when it would endanger trade secrets — reflecting one of the most debated points during negotiations. It also provides for business-to-government access, enabling public authorities to request private-sector data in exceptional cases, such as major cybersecurity incidents, or when justified under public-interest tasks or research purposes.

Another important measure addressed in the text is cloud switching, which requires providers to allow customers to change services without lock-in and aligns with contractual terms established by the act itself to enhance transparency and fairness. Finally, the text addresses data transfers and interoperability with safeguards against unlawful third-country access and measures to promote EU-wide standards.

Diverging views and common grounds

The legislative journey exposed divisions, with industry, institutions, civil society and research communities voicing concerns over issues ranging from data definitions and trade secret protections to public sector access, competition safeguards, privacy and the cost of data sharing.

For example, thirty cross-industry organizations pressed for legal clarity in a joint statement, demanding safeguards for trade secrets, privacy, and security and clear definitions for the terms data and data holder. Similarly, DIGITALEUROPE and its members echoed these concerns, warning that the Data Act lacked sufficient safeguards for trade secrets and cybersecurity and left B2G access too open, leading to potential misuse and data breaches. 

Ambiguities in key definitions were also highlighted in relation to B2G requests, with several groups calling for clearer criteria around terms such as public interest, emergency, and exceptional need. Leaving these concepts to member states' interpretation, they argued, risks inconsistencies in enforcement across the EU. Further uncertainty stems from the fact that provisions on penalties and enforcement authorities are left to national discretion, raising the possibility of divergent, and even conflicting, interpretations.

The European Data Protection Service and the European Data Protection Board also had concerns and issued a joint opinion arguing for stronger privacy guardrails. They highlighted, among others, risks in processing personal data from IoT and Internet of Behavior devices, including sensitive categories such as health data, and warned against the commodification of personal data. 

The opinion stressed the need to avoid inconsistencies with data protection law, a concern reflected in the Data Act's confirmation of the primacy of the GDPR, the EU Data Protection Regulation and ePrivacy rules, and in the fact that the act does not create a new lawful ground for data processing. The organizations also called for anonymization or limiting access to user data, alongside the upholding of data minimization and privacy-by-design principles.

The research community also raised concerns. The introduction of a price tag for data access, if set above mere availability costs, could hinder research. Researchers also emphasized the importance of ensuring personal data remained within the regulation's scope given its value for academic use.

The 2021 public consultation conducted by the Commission offered a preview of these tensions. A large majority supported measures to facilitate B2G data sharing, such as for environmental protection and crisis management, while flagging barriers including insufficient safeguards for purpose limitation and limited incentives. On business-to-business sharing, respondents welcomed model contract terms, fairness tests, and smart contracts as useful enablers for IoT data flows and portability. The Commission also noted concerns about standards, such as data format, and legal tensions like competition issues, the lack of lawful grounds for data sharing, and the protection of intellectual property and trade secrets. For cloud services, many supported a binding portability right for business users, backed by standardization measures, e.g., for application programming interfaces and data format, and raised concerns about foreign access to non-personal data where trade secrets and confidential business information were at stake.

Timelines and enforcement

Although the Data Act became applicable in September 2025, some obligations are deferred. Design and manufacturing requirements for simplified data access will only apply to connected products and related services placed on the market after September 2026. Provisions on unfair contract terms apply to contracts concluded after September 2025, with a further deferral until 2027 for certain pre-existing contracts that are either of indefinite duration or expire after 11 January 2034.

Statutory data-sharing obligations will only apply where new EU or national legislation requires them. Member states must also notify the Commission of national penalties for noncompliance; some member states are already setting high thresholds. In the Netherlands, for example, fines can reach 1,030,000 euros or 10% of EU-wide annual turnover for violations not involving personal data.

In preparing for compliance, less can be more, and organizations should consider leveraging existing processes wherever possible. For example, an organization could use GDPR data subject rights channels for data access requests and apply established principles of privacy by design, security, and data minimization, while also ensuring safeguards for trade secrets, IP, and confidentiality.

From a contractual standpoint, organizations should review the Commission's nonbinding model contractual terms on data access and use and standard contractual clauses for cloud computing contracts, made available by the Expert Group on B2B data sharing and cloud computing contracts. This Data Act series will dedicate a piece to these contractual aspects and to the implications for cloud services.

Conclusion

In today's digital, data-driven economy, the EU is betting that stronger data quality, interoperability, and fair, secure sharing practices will unlock growth, innovation and competitiveness. Whether this will deliver its intended outcomes remains to be seen; we'll know more when the Commission publishes its evaluation report within three years of the Data Act's entry into force, as required under Article 50.

Giorgia Vulcano, AIGP, CIPP/E, CIPT, is a senior manager in global digital ethics, cybersecurity and AI.