The EU Data Act (Regulation (EU) 2023/2854), applicable as of Sept. 12, 2025, introduces a user‑centric access and sharing regime for both personal and non-personal data generated by IoT (Internet of Things) products, with a profound impact on how “data holders” design products, structure contracts, and monetize data. The Data Act shifts control of the data to the user, including the right to use and to commercialize non‑personal data. This is a paradigm change in EU data law with significant implications across business sectors.
Broad Scope of Application
- Functional Scope: The new rules in Chapter II of the Data Act apply to data generated by “connected products.” These include virtually any IoT device that collects and transmits data, such as smart home appliances, connected vehicles, industrial machinery, and wearable devices. The obligations also extend to “related services,” meaning digital services that are necessary for the product to perform its function (like mobile applications enabling remote control of a device or cloud-based analytics platforms). It should be noted, though, that the obligations apply to the raw data generated by IoT products or services and related metadata – but not to data derived from such data.
- Personal Scope: The Data Act establishes rules for the relationship between users of connected products (typically the owner of the product) and the respective “data holder,” i.e., the entity controlling access to the data. In many IoT ecosystems, the product manufacturer will qualify as the data holder.
- Territorial Scope: The Data Act has an extra‑territorial reach, applying to manufacturers and providers that place connected products and related services on the EU market, irrespective of their place of establishment.
New: Use of Data by Manufacturers (or Other Data Holders) Requires a Data License from the User
The user‑centric access and sharing regime introduced by the Data Act is not only a compliance challenge. It may fundamentally reshape existing and future business models of data holders. Under Article 4(13), data holders (i.e., manufacturers of connected products and other data holders) may no longer use or share data generated by the product without a contractual agreement with the user (“data license”). This applies to both personal and non-personal data and effectively allocates the right to commercialize non‑personal data to the user – a significant shift from the traditional default where manufacturers could freely use product data.
From an operational point of view, the new rules require that manufacturers and other data holders enter into data license agreements with the users of their connected products if the holders want to use any data that is generated by these products, even if merely for product maintenance, development of new features, or innovation. Additionally, data holders must comply with the requirements of Chapter IV of the Data Act, which introduces rules on unfair contractual terms in B2B agreements (where users are consumers, the EU and national rules on B2C agreements apply anyway). These provisions aim to prevent terms that are unilaterally imposed by one party and materially deviate from good commercial practice, similar in spirit to consumer protection rules.
New: The User’s Rights to Receive and Share Product Data
The Data Act grants users of connected products and related services effective rights of access to data generated through their use of the connected products. Key rights include:
- Access by design and pre-contractual transparency (Art. 3): From Sept. 12, 2026, onwards, connected products and related services must be designed so that data is easily and securely accessible by default. Users must also be informed in advance about the type, format, and volume of data generated and how it can be accessed.
- Right of Access or Use (Art. 4): Where data is not directly accessible from the product or service, the data holder must make it available to the user free of charge, in a comprehensive, structured, machine‑readable format, continuously and in real time.
- Right to Share with Third Parties (Art. 5): Upon request by the user (or by a party acting on the user’s behalf), the data holder must transmit the data to a designated third party on the same technical terms as for the user.
Exposure to Competitors
The obligation to share data with users or third parties designated by them creates significant competitive exposure for manufacturers and service providers. Users are not only allowed but incentivized to commercialize the data, including by granting access to competitors of the data holder. The Data Act introduces certain safeguards to limit this risk:
- Gatekeepers (as defined under the Digital Markets Act) are not eligible to receive data.
- Data recipients may not use the data to develop competing products.
- Users and third parties are obliged to protect trade secrets and to agree on measures necessary to preserve confidentiality of the shared data.
However, it is questionable whether these measures will be sufficient to prevent the misuse of business-critical information. Within narrow legal boundaries, data holders may agree with users on restrictions to access or onward sharing of data, but such agreements must comply with the Data Act’s strict limitations.
Sanctions
To enforce the Data Act’s regulatory framework, competent supervisory authorities may impose effective, proportionate, and dissuasive penalties. For infringements of Chapter II of the Data Act, the GDPR sanction regime applies, allowing for administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Key Takeaways for Data Holders
The rules for connected products are not just another compliance challenge. They represent a strategic shift in how product data is governed and monetized in the EU. In an AI‑driven market where data fuels product improvement, after‑sales services, and innovation, users now hold the primary rights to product data. Data holders that move early – by product design changes, clear user licensing, robust recipient controls, and disciplined contracting – can mitigate legal and competitive risks and position themselves to benefit from emerging data-sharing ecosystems. Data holders may wish to consider the following:
- Assess applicability and exposure: Map products and services against the Data Act’s definitions (connected products, related services, user, data holder); confirm territorial nexus (placed on the EU market; making data available in the EU); consider a structured gap assessment across legal, operational, and product design workstreams.
- Re‑think data use rights: Put in place user data licenses that secure permission for use of non‑personal data. Avoid terms that could be struck down under Articles 7(2) and 13 of the Data Act.
- EU Commission’s model terms: The EU Commission’s Expert Group has published non‑binding model contractual terms (MCTs) for typical data‑sharing constellations. While the MCTs do not have any legal status and are non-binding, users may regard them as standard and measure any data license against them. However, the MCTs are user‑protective by design, and in many parts may fall short of industry-standard contract language and go beyond the statutory requirements. They should be carefully reviewed and tailored to an organization’s legal obligations and commercial objectives.
- Redesign for data accessibility and transparency: Plan for access-by-design compliance for units placed from Sept. 12, 2026, and build APIs and interfaces that can scale to real-time user and third-party access; update pre-contractual disclosures (type/format/volume of data; how to access).