EU Data Act in a nutshell
The EU Data Act boils down to:
obligations (and rights) of subjects who have to give access to data
manufacturers of connected products
provider of related services
data holders
rights (and obligations) of subjects who have access to data
users
third parties
public bodies
These obligations and rights fall within the following domains:
the definition of contractual terms between the parties
the design of connected products
information provided to the users of connected products
technical implementation of data sharing functions
to users (B2C)
to third parties (B2B)
to public bodies (B2G)
The act also defines:
obligations for providers of data processing services, to facilitate switching between providers
the basis for setting interoperability standards
Important dates
September 12, 2025: most of rights and obligations will apply
September 12, 2026: obligations related to the design of connected products will apply
September 12, 2027: rules on unfair contractual terms will apply
Special conditions for SMEs
Micro and Small Enterprises (headcount < 50 and turnover < € 10M)
B2C and B2B data sharing obligations do not apply
Medium Enterprises (headcount < 250 and turnover < € 50 M)
B2C and B2B data sharing obligations apply 1 year after the date on which the connected product was placed on the market
Which products fall within the scope of the Data Act ?
The scope of the Data Act extends to a very wide range of products, literally any kind of connected product.
The Data Act defines a connected product as any product that can generate, obtain, or collect, by means of their components or operating systems, data about their use, performance, or environment and that are able to communicate this data via a cable-based or wireless Internet of Things connection.
Examples:
connected home equipment
connected vehicles
connected ships
connected aircraft
connected health and lifestyle equipment
connected agricultural machinery
connected industrial machinery
connected professional food & beverage equipment
The Data Act applies to any connected product already placed on the market in the EU and new products (when placed on the market), irrespective of the place of establishment of its manufacturer.
Are you a Data Holder ?
The core obligations of the EU Data Act apply to Data Holders.
Determining whether there is a Data Holder and who it is does not depend on who produced the hardware or software, but on who controls access to the readily available data. This entity can be:
the manufacturer
a third party contracted by the manufacturer
the provider of a related service
Moreover there are cases where there is no Data Holder at all.
If you are a manufacturer, to find out if you are also a Data Holder just answer this question:
What are your connected products connected to?
The manufacturer is Data Holder
If your connected products are connected to your IoT system → you are a Data Holder.
%20Learn%20ENG%20_%20Part%20A.png?sv=2022-11-02&spr=https&st=2025-03-20T01%3A32%3A57Z&se=2025-03-20T01%3A46%3A57Z&sr=c&sp=r&sig=tWrVCA9mFkWwGxY224m8lwwDfgFy8EFxXgEN3Gio%2FSg%3D)
The manufacturer is not Data Holder
If your connected products are connected to the IoT system of your customer → you are not a Data Holder.
In this case there is no Data Holder at all.
%20Learn%20ENG%20_%20Part%20B.png?sv=2022-11-02&spr=https&st=2025-03-20T01%3A32%3A57Z&se=2025-03-20T01%3A46%3A57Z&sr=c&sp=r&sig=tWrVCA9mFkWwGxY224m8lwwDfgFy8EFxXgEN3Gio%2FSg%3D)
What data are in the scope of the Data Act ?
Raw and pre-processed data
The Data Act distinguishes: Raw Data, Pre-processed Data, Processed Data.
Raw Data: data points that are automatically obtained, generated, or collected by the connected product without any further form of processing.
Pre-processed Data: data accompanied by the necessary metadata to make it understandable and usable.
Processed Data: highly enriched data, meaning inferred or derived data or data that result from additional investments (including by way of proprietary, complex algorithms).
Only Raw Data and Pre-processed Data are in scope.
Processed, enriched data are out of scope.
Readily available data
Only data that is already stored, or transmitted, and readily available are in scope.
Where the design of the connected product, and/or its components, does not provide for data being stored or transmitted outside, such data are out of scope. The Data Act does not impose an obligation to store data on the central computing unit of a connected product.
Only data generated/collected after the entry into application of the Data Act (Sep 12, 2025) are in scope.
Aspect to which the data refer
Almost any kind of Raw Data falls within the scope of the Data Act. Such as:
data about the use of the product by the user, recorded intentionally or which result indirectly from the user’s action
data generated by the user interface (HMI) or via a related service (a Mobile App that allows remote control of the connected product)
data about physical quantity or quality detected by the product, such as temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration or speed
data collected by sensors regarding the environment in which the product operates and the interactions it may have
data collected by internal sensors or applications regarding the status of the product and its operations
data about malfunctions of the product (eg. error codes)
data about the components that are part of the product (eg. batteries)
data generated or collected even when the user is not acting on the product, or while the product is in stand-by mode
Also metadata
The Data Act also requires the sharing of all metadata necessary to make Raw Data understandable and usable, for example its structure, unit of measure, context, meaning and timestamp.
The Data Act underlines the importance of metadata to concretely help users and third parties to harness Raw Data for generating innovation and the development of digital and other services to protect the environment and health, to support the circular economy, to facilitate the maintenance and repair of the connected products.
Exceptions
It is possible to exclude some Raw Data from the scope if there is a risk that the security requirements of the connected product could be undermined, resulting in a serious adverse effect on the health, safety or security of natural persons.