Data Act: Overview

Regulation: EU 2023/2854 Effective: 12 September 2025 (main provisions) Scope: Data access and sharing (IoT, cloud, B2B)

---

What is the Data Act?

The Data Act is an EU regulation on harmonised rules for fair access to and use of data. It regulates access to data from connected devices (IoT), the rights of cloud service customers to switch between providers, and rules for B2B data sharing.

Main pillars

Who falls under the Data Act?

Directly regulated entities

Entity	Description	Examples
IoT manufacturers	Manufacturers of connected products	Smart home, automotive, industrial machines
Service providers	Related services to IoT	Mobile apps for devices, cloud storage
Data holders	Holders of data from IoT	Manufacturers, platform operators
Cloud providers	IaaS, PaaS, SaaS	AWS, Azure, GCP, Salesforce, SaaS companies

Indirectly affected entities (gain rights)

Entity	New rights
IoT users	Access to data from their devices
Cloud customers	Right to switching, data portability
SMEs	FRAND conditions for data access
Third parties	Access to data at the user’s request

Out of scope

• Products primarily for displaying content (PCs, tablets, smartphones)
• Purely personal data (primarily GDPR)
• Financial sector regulated by DORA (lex specialis)

Key obligations

For IoT manufacturers / connected products

Obligation	Description	Deadline
Data access	Ensure user access to data	12.9.2025
Transparency	Information about data before purchase	12.9.2025
Real-time access	Data available continuously	12.9.2025
Machine-readable	Structured, machine-readable format	12.9.2025
Data access by design	Built-in access in new products	12.9.2026

For cloud/SaaS providers

Obligation	Description	Deadline
Switching rights	Allow the customer to switch at any time	12.9.2025
Max notice period	Maximum 2 months	12.9.2025
Data export	Provide data in a portable format	12.9.2025
Technical assistance	Assistance with migration	12.9.2025
Prohibition of switching fees	No switching charges	12.1.2027

For all B2B contracts

Obligation	Description	Deadline
Fair terms	Prohibition of unfair terms	12.9.2025 (new contracts)
Existing contracts	Fairness for existing contracts too	12.9.2027

Timeline

Penalties

Provision	Penalty regime	Maximum penalty
IoT data access (Ch. II)	GDPR regime	EUR 20M or 4% of turnover
B2B sharing (Ch. III)	National law	Per member state
Unfair terms (Ch. IV)	Contractual invalidity	N/A (civil disputes)
Cloud switching (Ch. VI)	National law	Per member state

Example: An IoT manufacturer violating data access obligations = up to EUR 20M or 4% of global turnover (under the GDPR regime).

Synergies with other regulations

---

Next steps

1. Run a Quick Assessment -> Data Act Assessment template
2. IoT Data Access obligations - for manufacturers of connected products
3. Cloud Switching requirements - for SaaS/cloud providers and customers
4. Go through the compliance checklist

---

Sources

• Data Act full text (EUR-Lex)
• European Commission: Data Act
• Data Act Explained

---

Disclaimer

This content is for informational purposes only and does not constitute legal advice. For your organisation’s specific situation, we recommend consulting a qualified lawyer.

What’s next?

Need help with implementation? We offer a free 15-minute consultation.

Book a consultation -> | Test your readiness -> | Self-Assessment ->