Data Act Regulation
The Data Act (Regulation 2023/2854) is the EU's regulation on access to and use of data. The regulation gives users and organisations the right to access data generated by connected products and creates rules for fair data sharing across the European market.
What is the Data Act?
The Data Act is an EU regulation (officially Regulation 2023/2854) that governs who has the right to access data generated by connected products and related services. The regulation was adopted in December 2023 and applies from 12 September 2025.
The purpose is to create a fair and well-functioning internal market for data. Today, manufacturers of smart devices typically control all the data their products generate. This gives them a disproportionate advantage over competitors, repairers and users themselves. The Data Act changes that dynamic by granting users and organisations statutory rights to data.
The regulation covers both personal data and non-personal data. When personal data are involved, GDPR continues to apply in full. The Data Act does not replace GDPR but supplements it with new rules on data access and data sharing.
Central rules and rights
The Data Act is built on four main pillars:
**1. Users' right to data.** If you use a connected product, you have the right to access the data the product generates. The data holder must make data available without undue delay, free of charge and in a structured format.
**2. B2B data sharing.** Users may request that their data be shared with a third party. The data holder must honour the request on FRAND terms (Fair, Reasonable and Non-Discriminatory). Read more under B2B data sharing.
**3. Cloud switching and data portability.** The Data Act gives customers of cloud and data processing services the right to switch providers without unreasonable barriers. Switching fees must be phased out, and providers must ensure interoperability. See also cloud switching and data portability.
**4. Public authorities' access.** In extraordinary situations (natural disasters, pandemics, emergencies), public authorities may require access to data from organisations. This right is limited to situations where data cannot be obtained by other means.
Cloud and data processing services
A significant part of the Data Act concerns breaking vendor lock-in with cloud providers. If you use cloud, edge or SaaS services, the regulation grants you concrete rights:
- Switching fees must be phased out by 2027 at the latest
- Your provider must offer functional equivalence, so you can move your data and applications to a new provider without loss of functionality
- The provider must ensure that your data can be exported in standardised, machine-readable formats
- The transitional period for a cloud switch must not exceed 30 days
These rules aim to ensure genuine competition in the market for data processing services and prevent customers from being locked in with a single provider.
Relationship with other EU rules
The Data Act is part of the EU's broader data strategy and must be seen in the context of other regulations:
- GDPR: Protects personal data. The Data Act does not alter GDPR rights but adds new rules on data access.
- NIS2: Sets requirements for cybersecurity. Data sharing under the Data Act must take place with appropriate security measures.
- DORA: Regulates digital operational resilience in the financial sector. Financial organisations using connected products must comply with both DORA and the Data Act.
You must therefore ensure that your data-sharing practices comply with all relevant regulatory frameworks. A solid compliance approach requires you to view the rules in context and not treat them in isolation.
Practical preparation
Whether you are a manufacturer of connected products, a cloud provider or a user of smart devices, you need to prepare for the Data Act. Here are the key steps:
- Map your data: Identify which connected products and services your organisation uses or produces, and which data they generate.
- Assess your role: Are you a data holder, user or data recipient? Your role determines your rights and obligations.
- Update contracts: Your agreements with suppliers and customers must reflect the Data Act requirements. This is particularly relevant for data-sharing terms and cloud services.
- Implement technical solutions: Ensure your systems support data portability and interoperability. A well-functioning ISMS is a good starting point.
The Data Act creates new opportunities for innovation and competition. Organisations that proactively adapt can use data sharing as a strategic advantage.
Frequently Asked Questions about Data Act Regulation
What is the Data Act?
The Data Act (Regulation 2023/2854) is an EU regulation that governs access to and use of data generated by connected products and related services. The regulation ensures that users and organisations can access data on fair terms.
When does the Data Act apply?
The Data Act was adopted in December 2023 and applies from 12 September 2025. Organisations must comply with the rules from that date.
Who is covered by the Data Act?
The Data Act applies to manufacturers of connected products, providers of related services, data holders, data recipients and providers of data processing services (cloud, edge, SaaS). Both EU organisations and organisations outside the EU operating in the European market are covered.
What is the relationship between the Data Act and GDPR?
The Data Act supplements GDPR. When data from connected products contain personal data, GDPR continues to apply in full. The Data Act does not alter rights under GDPR but creates new rules on access to both personal and non-personal data.
What happens if you do not comply with the Data Act?
Enforcement is carried out through national authorities in EU member states. Sanctions are determined by each country, but the Data Act requires them to be effective, proportionate and dissuasive.
Related Terms
Data Portability (Data Act)
Data portability under the Data Act gives users and organisations the right to move data from connected products and cloud services to alternative providers.
Data Holder
A data holder is the entity that controls access to data from connected products and is obliged to make data available under the Data Act.
Connected Product
A connected product is a physical item that collects data and communicates them via a network connection, governed by the EU's Data Act.