IoT Data Access
Chapter II-III of the Data Act | For manufacturers of connected products and related services
What are connected products?
Connected products are physical products that:
- Obtain, generate or collect data about their use or environment
- Communicate via an electronic network (internet, Bluetooth, etc.)
- Have a “related service” --- software/service necessary for operation
Examples of connected products
| Category | Examples | In scope |
|---|---|---|
| Smart Home | Thermostats, lighting, security systems, doorbells | YES |
| Automotive | Connected vehicles, telematics, infotainment | YES |
| Industry 4.0 | Sensors, CNC machines, robots, production lines | YES |
| Wearables | Fitness trackers, smartwatches, health monitors | YES |
| Medical Devices | Connected diagnostics, monitoring, implants | YES |
| Smart Appliances | Washing machines, fridges, dishwashers, HVAC | YES |
| Energy | Smart meters, solar inverters, EV chargers | YES |
Out of scope
| Category | Reason |
|---|---|
| PCs, servers, tablets | Primarily for displaying/processing content |
| Smartphones | Primarily for displaying/playing content |
| Cameras (without analytics) | Primarily for recording content |
| USB drives, storage | Data storage only |
Manufacturer obligations
Chapter II: Data Access Rights
Chapter III: B2B Data Sharing
| Obligation | Description | Conditions |
|---|---|---|
| Sharing on request | Data holder must provide data to a third party | At the user’s request |
| FRAND conditions | Fair, Reasonable, Non-Discriminatory | Non-discriminatory pricing |
| Compensation | Maximum marginal cost of provision | For SME recipients |
| Format | Machine-readable, interoperable | Standard formats |
| Speed | Without undue delay | Typically immediately |
User rights
What a user can request
| # | Right | Description |
|---|---|---|
| 1 | DIRECT ACCESS TO DATA | Data from own device, free of charge, real-time |
| 2 | SHARING WITH THIRD PARTIES | Right to determine who receives the data (independent service, analytics provider) |
| 3 | DATA AFTER SERVICE TERMINATION | Access to historical data, export before departure |
| 4 | INFORMATION BEFORE PURCHASE | What data the product generates, how to access it |
Restrictions for third parties (data recipients)
| Restriction | Description |
|---|---|
| Competing products | Must not develop a competing product from the data |
| Trade secrets | Must respect trade secrets |
| Onward sharing | Must not share data without consent |
| Security | Must ensure appropriate data protection |
Implementation requirements
For Manufacturing / Industry 4.0
PHASE 1: AUDIT (by 31.1.2026)
- Inventory of all connected products
- Map generated data (type, volume, frequency)
- Identify data holders (who has access)
- Gap analysis vs. Data Act requirements
PHASE 2: TECHNICAL IMPLEMENTATION (by 30.6.2026)
- API/interface for data access
- Authentication mechanism
- Data export function
- Real-time streaming (where applicable)
- Logging and audit trail
PHASE 3: DOCUMENTATION (by 31.8.2026)
- Terms of Service update
- Pre-purchase information
- User manual for data access
- Process for third-party requests
- SLA for data availability
PHASE 4: DATA ACCESS BY DESIGN (new products from 12.9.2026)
- Design review for new products
- Built-in data access mechanisms
- User interface for access
- Testing and validation
Technical specifications
| Requirement | Specification |
|---|---|
| Data format | JSON, CSV, XML (machine-readable) |
| API | REST API recommended, documented |
| Authentication | OAuth 2.0 or equivalent |
| Real-time | WebSocket, MQTT for streaming |
| Export | Bulk export function (ZIP, tar.gz) |
| Metadata | Timestamp, source device, unit, accuracy |
Example use cases
Smart Factory (Industry 4.0)
SCENARIO: A manufacturing company has CNC machines from various manufacturers
| Aspect | BEFORE DATA ACT | AFTER DATA ACT |
|---|---|---|
| Data | Locked in proprietary systems | Company has access to all operational data |
| Access | Manufacturer controls | Can share with independent service |
| Maintenance | Independent maintenance impossible | Own predictive maintenance |
| Integration | Vendor lock-in | Integration into central system |
Connected Vehicle
SCENARIO: Fleet of company vehicles
New company rights:
- Access to telematics data (consumption, location, diagnostics)
- Sharing with a third-party fleet management system
- Independent service can access diagnostics
- Historical data for optimisation
Smart Building
SCENARIO: Commercial building with IoT systems
Data access enables:
- Integration of different systems (HVAC, lighting, security)
- Third party for energy management
- Independent analytics for optimisation
- Predictive maintenance
Synergies with the AI Act
Data for AI Training
Practical example
PREDICTIVE MAINTENANCE AI
| Regulation | Requirements |
|---|---|
| 1. DATA ACT | Right to access data from machines; Real-time streaming of sensor data; Machine-readable format (JSON) |
| 2. AI ACT | Documentation of training data; Bias assessment (various machines, conditions); Performance monitoring |
| 3. RESULT | Compliant AI system with legal access to data |
Penalties for violations
| Violation | Penalty | Note |
|---|---|---|
| Denial of access to data | Up to EUR 20M / 4% of turnover | GDPR regime |
| Insufficient transparency | National penalties | Per member state |
| Failure to provide data to a third party | Up to EUR 20M / 4% of turnover | At the user’s request |
| Unreasonable data charges | National penalties | FRAND violation |
Next steps
- Conduct an IoT product inventory
- Identify gaps vs. Data Act requirements
- Plan technical implementation
- Go through the complete checklist