EU Data Act Guide: Regulation 2023/2854 Explained for Business

What Is the EU Data Act and Why Does It Matter?

The EU Data Act is a cross-sectoral regulation that establishes principles and guidelines applicable across all industries. Unlike sector-specific legislation, it creates a universal framework for data sharing, access rights, and fair contractual terms. The regulation addresses a fundamental asymmetry in the digital economy: while connected devices generate enormous volumes of valuable data, users—whether consumers or businesses—have historically had limited access to or control over that data.

The regulation matters for several critical reasons. First, Europe’s IoT market is projected to generate trillions of data points annually, yet much of this data remains locked within manufacturer ecosystems. Second, the EU estimates that unlocking data sharing could add €270 billion to the European economy by 2028. Third, the Data Act complements the broader EU regulatory framework including the Digital Markets Act, GDPR, and the AI Act, creating a comprehensive governance structure for the digital economy.

Key Provisions of the EU Data Act

The Data Act is structured around several major provisions, each addressing a specific aspect of the data economy:

Data Access Rights for Users of Connected Products

The most transformative provision gives users—both consumers and businesses—the right to access data generated by their connected devices. When you purchase a smart car, industrial sensor, or smart home device, the Data Act ensures you can access the data your usage generates. This includes real-time data from IoT devices, which manufacturers must make available in a readily usable format.

Connected products placed on the EU market must be designed to allow users to access their data directly. Where direct access is not technically feasible, data holders must provide access without undue delay and free of charge. This provision fundamentally shifts the power dynamic from manufacturers to users, enabling innovation and competition in aftermarket services.

Business-to-Business Data Sharing Obligations

The Data Act establishes clear rules for data sharing between businesses. When a user requests that their data be shared with a third party, the data holder must comply on reasonable terms. The regulation prohibits data holders from using the data to compete with the third party receiving it, preventing anti-competitive leveraging of data access.

Compensation for data sharing must be reasonable and non-discriminatory. For SMEs receiving data, the regulation limits compensation to costs directly related to making the data available, ensuring that larger companies cannot use pricing as a barrier to data access. The Commission has published model contractual terms to facilitate fair data-sharing agreements.

EU Data Act Cloud Switching and Interoperability Rules

One of the Data Act’s most impactful provisions addresses the cloud services market, where vendor lock-in has long been a concern. The regulation establishes the right for customers to switch between cloud service providers effectively, including the right to port data and applications to alternative platforms.

Key cloud-switching provisions include:

• Transition Period: Cloud providers must support switching within a maximum transition period, ensuring continuity of services during migration.
• Switching Charges Elimination: The regulation phases out switching charges, removing financial barriers that have historically prevented customers from changing providers.
• Functional Equivalence: Cloud providers must ensure sufficient interoperability to allow effective switching without significant loss of functionality.
• Data Portability: All customer data and digital assets must be exportable in standard, machine-readable formats.

These provisions are expected to significantly increase competition in the European cloud market, currently dominated by a handful of hyperscale providers. The ECB’s analysis of digital market concentration has highlighted the systemic risks of cloud provider dependency, making these provisions particularly significant for financial services firms.

Unfair Contractual Terms Protection

The Data Act addresses the reality that many data-sharing contracts are dictated by parties with significantly stronger market positions. The regulation establishes protections against unfair contractual terms that impede equitable data sharing, particularly targeting clauses that:

• Exclude or limit liability for intentional acts or gross negligence
• Exclude remedies available to the disadvantaged party in case of non-performance
• Give the imposing party exclusive rights to determine whether the data supplied is in conformity with the contract
• Grant the imposing party the right to interpret contractual terms unilaterally

The Commission has developed model contract clauses to help businesses, particularly SMEs, draft and negotiate fair data-sharing agreements. These standardized terms provide a baseline that reduces negotiation costs and ensures minimum protections for smaller parties.

Public Sector Data Access for Emergency Situations

The EU Data Act creates a framework for public sector bodies to access data held by the private sector in exceptional circumstances. This provision enables governments to respond to public emergencies—natural disasters, pandemics, or critical infrastructure failures—by accessing relevant data with minimal burden on businesses.

The data access framework for public bodies is carefully circumscribed:

• Access is limited to specific public interest purposes defined in the regulation
• Requests must be proportionate and clearly justified
• Data holders are compensated for the costs of making data available
• Personal data protections under GDPR remain fully applicable
• Data obtained cannot be used for purposes beyond the stated public interest objective

This provision balances the need for government access to critical data during emergencies with business confidentiality and individual privacy rights, building on lessons learned during the COVID-19 pandemic about the value of data for public health response.

IoT Data Rights: Practical Impact for Consumers and Businesses

The Data Act’s IoT data provisions have far-reaching practical implications across multiple industries:

Automotive and Connected Vehicles

Car owners gain access to performance, diagnostic, and usage data generated by their vehicles. This enables independent repair shops to compete with manufacturer-authorized service centers, potentially reducing maintenance costs by 20-30% according to industry estimates. The Commission has published specific guidance on vehicle data to support implementation in this complex sector.

Smart Agriculture

Farmers using connected agricultural equipment gain access to data about soil conditions, weather patterns, crop yields, and machinery performance. This data, previously locked within equipment manufacturer platforms, can now be analyzed using third-party precision agriculture tools, enabling optimization of crop yields and resource allocation.

Industrial Manufacturing

Manufacturing companies using connected machinery can access performance data to optimize production cycles, predict maintenance needs, and improve supply chain management. Machine-learning applications built on this data can identify patterns invisible to traditional analysis, driving significant efficiency improvements.

Smart Home and Consumer IoT

Consumer device users gain rights to data generated by smart thermostats, appliances, and home systems. This enables third-party services to offer energy optimization, home automation, and lifestyle analytics without being locked into manufacturer ecosystems. The implications for smart home energy management are particularly significant.

Database Directive Reform and Sui Generis Rights

The Data Act includes important clarifications regarding the Database Directive’s sui generis right, which protects substantial investments in obtaining, verifying, or presenting database contents. The reform ensures that this right does not prevent data sharing required under the Data Act, particularly for databases derived from data generated by IoT devices.

This clarification is crucial because the sui generis right could otherwise have been used by data holders to block access claims under the Data Act. By establishing that IoT-generated data doesn’t automatically qualify for database protection simply through collection, the regulation ensures that its data-sharing objectives are not undermined by legacy intellectual property frameworks.

Compliance Timeline and Implementation Strategy

The Data Act’s compliance timeline requires careful planning for affected organizations:

Organizations should develop a comprehensive compliance strategy that includes:

1. Data Mapping: Identify all connected products and IoT devices that generate data subject to the regulation
2. Technical Infrastructure: Implement systems for data access, portability, and sharing in compliant formats
3. Contract Review: Audit existing data-sharing agreements for unfair terms and align with model contractual clauses
4. Cloud Provider Assessment: Review cloud service agreements for switching rights and data portability compliance
5. Training and Governance: Establish internal data governance frameworks and train relevant staff on new obligations

EU Data Act and the Broader Digital Regulatory Framework

The Data Act operates alongside several other major EU digital regulations, creating a comprehensive governance framework for the data economy:

GDPR Alignment: The Data Act explicitly preserves all GDPR protections. Where IoT data includes personal data, both regulations apply simultaneously. The Data Act cannot be used to circumvent GDPR rights or to expand processing of personal data beyond what GDPR permits.

Digital Markets Act (DMA): While the DMA targets gatekeeper platforms specifically, the Data Act’s broader scope complements it by ensuring fair data access across all connected products and services. Together, they address both platform-specific and economy-wide data monopolization concerns, as analyzed in our coverage of big tech regulatory exposure.

AI Act Intersection: The availability of training data is critical for AI development. The Data Act’s provisions enabling broader data access could accelerate AI innovation in Europe by making more high-quality datasets available for machine learning, while the AI Act ensures such development occurs within ethical and safety boundaries.

Data Governance Act: The Data Governance Act establishes frameworks for data intermediaries and data altruism, while the Data Act addresses commercial data sharing rights. Together, they create the infrastructure for Europe’s envisioned data spaces across sectors like health, mobility, and energy.

Business Impact and Strategic Opportunities

For forward-thinking businesses, the EU Data Act creates significant strategic opportunities beyond compliance:

• New Service Models: Access to IoT data enables development of value-added services, predictive analytics, and personalized offerings that were previously impossible without manufacturer cooperation.
• Competitive Differentiation: Companies that embrace data sharing proactively can build trust and attract customers who value transparency and data control.
• Innovation Acceleration: Access to previously locked data streams catalyzes R&D across industries, from healthcare to manufacturing to digital services innovation.
• Market Entry: SMEs gain access to data that was previously available only to large incumbents, lowering barriers to entry in data-intensive markets.

Stay Ahead of EU Regulation with Libertify →