EU Data Act: What companies need to know now

09/18/2025

Author

Monika Sturm

Partner

Claudia Magor

Associate

The regulation on harmonised rules on fair access to and use of data (Regulation (EU) 2023/2854; ‘EU Data Act’) entered into force on 11 January 2024 and, following a transition period, has been directly applicable since 12 September 2025. The EU Data Act contains a number of provisions aimed at enabling greater and better use of data in various areas of life in the future. It complements the GDPR, which primarily protects personal data, by focusing more on industrial and non-personal data. The aim is to promote the European data economy, greater innovation through data access, fairer competition and greater control for users.

The EU Data Act affects a whole range of players, in particular manufacturers of connected products such as various types of machines, cars and smart home devices, as well as data owners, users and providers of data processing services.

At the heart of the EU Data Act is the right of users of connected products and services to directly access the data they generate. To this end, the data owner must grant access free of charge, continuously if necessary, and in real time if possible. Manufacturers are also obliged to disclose clearly and comprehensively, even before the contract is concluded, which data is collected, what it is used for, who has access to it, and how the user can access it themselves. In addition, companies require a contractual basis in order to be permitted to use the generated data themselves. However, users may also demand that their data be passed on to third parties. In such cases, a data sharing agreement must be concluded between the data owner and the third party. Data transfers may only take place under fair, reasonable and non-discriminatory conditions. Furthermore, the EU Data Act provides for a general prohibition of abusive contractual clauses. These include, for example, contractual provisions that unreasonably restrict data access or data use for third parties, particularly in cases of an imbalance of bargaining power. To ensure that trade secrets are protected when data is shared, the EU Data Act stipulates that all necessary measures must be taken. These include, in particular, technical and organizational measures as well as confidentiality agreements which must be concluded with the user or third party before data is disclosed.

The regulation also has far-reaching consequences for providers of data processing services such as cloud and edge services. They must facilitate a change of provider from a technical and organizational perspective; the termination of existing contracts is simplified, and switching fees are gradually being abolished. Standards for interoperability and data sovereignty are being created.

In summary, companies affected by the EU Data Act must first analyze what data is generated by their connected products or services in order to avoid violations and the associated fines. It must also be clarified how this data can be technically provided and shared, and how users can be informed about this in advance. Furthermore, they must ensure that usage and data provision agreements are in place that comply with the requirements of the EU Data Act. At the same time, it must be ensured that trade secrets are effectively protected, for example through technical measures and appropriate confidentiality agreements. Companies that provide data under the EU Data Act must also verify in parallel whether the GDPR is being complied with.

 

 
