MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
A Practical Guide to the EU Data Act – Part 1: Overview and Scope

Last updated: November 8, 2025 12:40 am
Published: 6 months ago

Given the amount of media coverage and the discussions around the EU AI Act, the arrival of the Data Act has flown somewhat under the radar and deserves more attention than it’s been getting. Often the Data Act is reduced to connected devices and IoT, but its scope is much broader – catching digital business activities across a variety of industries. This makes the Data Act highly relevant legislation with far-reaching consequences. This series of articles aims to shed light on the scope and the practical implications of the Data Act for the various types of providers.

1. Why another regulation?

The EU Data Act (Regulation (EU) 2023/2854) establishes a horizontal set of rules for data access and use. It is rooted in the European data strategy with its analysis that a small number of companies currently hold and control a large part of the world’s data, making it inaccessible to everyone else. The Data Act’s main goal is to change this by enabling data sharing, reducing vendor lock-in, and making it easier to switch between providers. It also promotes interoperability between systems. Together, these measures aim to promote data-driven innovation.

Early feedback from the market shows the Data Act can successfully break open data silos. However, businesses currently see it as yet another regulation to comply with rather than a business enabler offering opportunity for growth. It remains to be seen if innovation can be driven by regulation.

2. Structure

The Data Act is structured into nine chapters. Chapters I and IX deal with general provisions such as scope, definitions and enforceability, while Chapters II-VIII each address distinctive issues and therefore have separate objectives and differing scope:

It is important to note that the Data Act covers both personal and non-personal data. Where personal data is being processed, the GDPR and the Data Act apply in parallel, although critics highlight that there is legal uncertainty on the interplay of the two regulations.

3. Which type of organizations are subject to the Data Act?

The Data Act applies to various types of organizations. Depending on the organization type, the rules may apply to both EU and non-EU entities as follows:

Every type of provider faces a different set of obligations under the Data Act. This makes correct classification all the more important, keeping in mind that a company is likely to fall into several of these categories.

3.1. Manufacturers of connected products

A key group covered by the Data Act includes manufacturers of connected products placed on the market in the EU and, by extension, providers of related services to such products. The Data Act defines “connected product” as:

an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party (Art 2 (5))

The definition is broad, capturing all devices which generate data and share it through whatever channel. The practical applications seem endless, from devices dominating our personal life like wearables, communication devices, health and lifestyle equipment, vehicles or smart home products to products at the heart of commercial and industrial processes.

However, the definition includes an important exception. Products whose main purpose is to store or process data in any other way on behalf of third parties are not considered connected products. The logic is that these devices serve purely as outsourced IT infrastructure, i.e. they’re not used to generate any insights from product data. This exception excludes servers, cloud infrastructure, and similar products.

Manufacturers of connected products fall within the scope of the Data Act irrespective of their place of establishment if they place connected products on the EU market.

3.2. Providers of services related to connected products

A service is related to the connected product if it has an impact on its actions or behaviour (Recital 17). This means that the operations of the connected product can be controlled via the service, which is only possible when transmitting data or commands to the product. Reading data from a connected product is therefore not enough to qualify as a related service – the communication must be two-way. Examples of related services include medical devices adjusting a therapy based on the data collected by a device, smart home controls controlling light, temperature or access, or maintenance of manufacturing robots based on sensor data. One separately mentioned use case of related services is virtual assistants. Data generated when a user interacts with a connected product via a virtual assistant are also covered by the Data Act.

Often the provider of a related service is also the manufacturer of the connected product.

3.3. Users

A “user” is defined as a person (legal or natural) located in the EU who either owns the product or who has a temporary right to use the product by virtue of a contract, i.e. they rent or lease it. This means that the Data Act applies both in Business to Business (B2B) and Business to Consumer (B2C) scenarios.

Users are entitled to various rights under the Data Act such as

These rights are supported by the individual right to lodge a complaint with the competent authority and the right to seek redress before a court.

In case the user is also a data subject under the GDPR, these rights shall complement the data subject rights, and the data protection and privacy rights shall prevail.

3.4. Data holders

A data holder is an organization that has the right to use data and is obliged to make that data available to the user. Typically, the data holder is either the manufacturer of a product or the provider of related services.

It is important to highlight that data processors as defined under the GDPR, i.e. those who process data only on behalf of the controller, do not qualify as data holders (Recital 22 Data Act). The data holder is an organisation that controls access to data and must therefore have a contract with the user governing access, usage and sharing of the data that is generated by the connected product or related service.

Public sector bodies are not considered to be data holders, but public undertakings may be.

3.5. Data recipients

The data recipient is any entity, other than the user, to which the data holder provides data. For example, under Art 5, the user can instruct the data holder to transfer their data to a third party. In this case, the third party that is granted access to the data is the data recipient. The Data Act applies if the data recipient is located in the European Union.

Data recipients shall only process data for the purposes, and under the conditions, agreed with the user and in line with EU data protection law.

3.6. Participants in data spaces

The Common European data spaces are currently industry-specific initiatives providing a common data infrastructure for data pooling, access, and sharing. Data spaces are open for stakeholder participation and are a forum to agree on governance frameworks. The goal is to gradually interconnect the various data spaces into a single market for data. Currently, there are 14 data spaces, from agriculture to energy, health, and tourism, to name a few (full list).

A key objective of the data spaces is to facilitate interoperability, ensuring that data, data sharing mechanisms, and services can work together seamlessly across different sectors and purposes. These requirements include measures such as the clear description of data, the use of standardized formats, ease of access to data and the enablement of automation such as smart contracts.

Participating in a data space makes the Data Act applicable to the participating organization.

3.7. Vendors of applications using smart contracts

Smart contracts are software programs, usually run on a blockchain, that are designed to self-execute an agreement. If certain predefined events take place, automated actions such as transactions are triggered. Smart contracts were identified as a tool for the automated execution of data sharing agreements. The obligations of the Data Act should therefore apply to the vendors of smart contracts to ensure conformity.

4. Exceptions

The Data Act includes some notable exceptions that limit both its overall scope and, in some cases, the obligation to share data. The most important ones are:

4.1. Exceptions for small companies

The SME exception probably has the biggest practical implications. Certain small businesses are exempted from the obligation to share data of connected products. Article 7(1) exempts both small and micro-enterprises from data sharing obligations. This exception applies to any company with fewer than 50 employees and whose annual turnover or annual balance sheet total does not exceed EUR 10 million. However, if the company is part of a group of companies that exceeds these limits or acts as a subcontractor for a larger company, the obligations may apply again under certain circumstances.

For medium-sized enterprises (i.e., those with fewer than 250 employees and either an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million), certain transitional periods apply under Art 7(1). Medium-sized companies are exempt from data disclosure obligations if they have held that classification for less than one year, and their products are also exempt during the first year after being placed on the market.

4.2. Other exceptions

The data holder may withhold data if there are no agreed measures for the security of such data or if the third party fails to implement measures agreed to preserve trade secrets. In exceptional circumstances, data may be withheld if serious economic damage would result from the disclosure of the trade secrets.

Recital 15 clarifies that the Data Act covers raw data and data that has been processed to make it understandable or usable. However, it does not cover data processed by complex or proprietary algorithms. Therefore, under the Data Act, a provider is not required to share insights or forecasts derived from raw data, for example.

As with many EU legal acts, the Data Act also contains certain exceptions for public authorities, particularly concerning criminal prosecution and public safety.

Finally, the obligation that products must make product data available to users by default applies only to products placed on the market from 12 September 2026 onwards. This applies regardless of the size of the company.

Read more on Lexology

This news is powered by Lexology
