Skip to main content

Clifford Chance

Clifford Chance
All
Data<br />

Data

Talking Tech

EU Data Act: A new era for data sharing has begun

Data Privacy 19 September 2025

On 12 September 2025, the majority of the EU Data Act's provisions became applicable. These provisions require companies to enable access to, and sharing of, both personal and non-personal data generated by using connected products and related services. These data-sharing obligations impact manufacturers of connected products and companies holding data from these products and related services across all sectors.  Businesses can also explore how the ability to access additional data could help support their strategic initiatives and the development of new, innovative products and services.

This briefing focuses on key points to know about the EU Data Act's data access and re-use provisions. The EU Data Act also includes provisions aimed at facilitating switching between data processing services and interoperability requirements for data processing services and data spaces (see our previous summary: Entry into force of the EU Data Act).

What is the EU Data Act?

The EU Data Act (Regulation (EU) 2023/2854) is a landmark regulation forming a central pillar of the EU’s digital and data strategy. Its stated aims include unlocking the value of data generated by connected products and related services, fostering data-driven innovation and helping to create a competitive and secure data economy.

Main aims of the EU Data Act in respect of data access and re-use

  • Unlocking access to, and sharing of, data generated by use of connected products and related services data ("IoT data"): The EU Data Act removes barriers to accessing and sharing IoT data (including non-personal data) by giving users of connected products and related services (consumers and businesses) new rights to access and share their data, while requiring manufacturers of connected products and data holders to adapt their product design, processes and contractual terms. In special situations, such as public emergencies, public sector bodies can also request data holders to grant access to certain data. These data-sharing obligations are subject to specific exceptions and restrictions, including exceptions designed to protect technical security and trade secrets.
  • Enhancing transparency: The EU Data Act requires the provision of transparent and clear information to users of connected products and related services regarding the processing of their data and the exercise of their right to IoT data access and sharing under the EU Data Act.
  • Ensuring fairness in data sharing: The EU Data Act sets out requirements for what it considers to be fair contractual terms for data sharing, especially for SMEs.
  • Safeguarding data against international governmental access: The EU Data Act introduces safeguards against unlawful international governmental access to non-personal data.
  • Securing the use of smart contracts for data sharing: The EU Data Act sets essential requirements for smart contracts used in data sharing.

Key Dates and phased entry into effect

The EU Data Act is entering into effect gradually, with the majority of its provisions now being applicable:

  • 11 January 2024: EU Data Act entered into force.
  • 12 September 2025: Most provisions became applicable, including:

-         User rights to access and share data

-         Data holder obligations

-         Unfair contractual terms rules (Chapter IV) apply to contracts concluded after 12 September 2025

  • 12 September 2026: Product/service design obligations (Article 3(1)) apply to connected products and related services placed on the market after this date.
  • 12 September 2027: Unfair contractual terms rules (Chapter IV) apply to certain long-term or indefinite B2B contracts concluded on or before 12 September 2025.

Standards and guidance (including model terms) to support the implementation of the EU Data Act are still expected. Many enforcement mechanisms are also still to be established and competent authorities to be officially appointed, at the Member State level.  This is one space to watch in the coming weeks and months.

Who is impacted?

The EU Data Act impacts operators across the entire data value chain:

  • Manufacturers and providers of connected products and related services.
  • Users (consumers and businesses) of connected products and related services in the EU.
  • Data holders (individuals or entities who can use and make available product data or related service data).
  • Data recipients (third parties receiving data at the user’s request or in accordance with a legal obligation).
  • Public sector bodies.

As well as applying to EU entities, the EU Data Act has extraterritorial effect. For example, the EU Data Act's data access and reuse provisions apply to non-EU/EEA businesses if their connected products or related services are placed on the EU market.

What data is covered?

'Data' is broadly defined in the EU Data Act as any digital representation of acts, facts or information and any compilation of these. The business-to-user and business-to-business data access and re-use obligations apply to 'product data' (meaning data generated by the use of a connected product that the manufacturer designed to be retrievable in certain ways) and 'related services data' (meaning data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related digital service). The recitals to the EU Data Act discuss its application to all raw and pre-processed data generated through the use of a connected product or related service, provided the data is accessible to the data holder (such as the manufacturer or service provider). This encompasses both personal and non-personal data, as well as relevant metadata – for example, information about the device’s environment, interactions, performance, status, malfunctions, battery level, and sensor data such as measurements, temperature and pressure.

Inferred or derived data resulting from additional investment, such as highly enriched data or audiovisual content, are excluded from the scope of the EU Data Act.

Compliance implications for businesses

The specific compliance actions required under the EU Data Act—and the associated level of effort—will vary from one business to another, depending on their sector, whether they are data-driven, and the extent of their control over data flows.

For many businesses, the first steps of an EU Data Act compliance journey should focus on:  

  • Undertaking a high-level review of data use cases to pinpoint products, services and data flows likely to fall within the scope of the EU Data Act (while also assessing any potential exceptions).
  • Categorising the relevant data (e.g., product data, related services data, personal data, and non-personal data).
  • Defining the role of each business entity within the data processing chain (e.g., data holders, users, or third-party recipients).

This initial mapping is crucial, as it allows businesses to clearly determine their rights and obligations, to establish a solid foundation for compliance and to understand any opportunities arising from the EU Data Act's data access and re-use provisions. Achieving this requires a structured approach, drawing on business, technical and legal expertise.

Relying on this initial mapping, businesses can then:

  • review their existing contracts and processes to evaluate any potential compliance gaps and their level of risk;
  • set a compliance roadmap, with priorities and appropriate timelines;
  • implement appropriate safeguards (e.g, to protect their trade secrets and IP rights); 
  • identify opportunities (e.g., new forms of data access, potential data monetisation).

Navigating the interactions with other laws (e.g., in the EU, the General Data Protection Regulation, the Digital Markets Act, the Data Governance Act, cybersecurity legislation such as the Cyber Resilience Act) as well as with considerations relating to IP and trade secrets will also be essential for achieving comprehensive compliance. Businesses may want to leverage existing compliance processes and frameworks developed for other regulations to streamline their efforts. While this approach can be useful for some processes, it is important to be aware of potential pitfalls. For example, simply applying GDPR transparency requirements or processes for data subject rights may not be relevant or sufficient to meet the specific obligations of the EU Data Act.

For further detail on the EU Data Act, see Clifford Chance’s previous briefing: Entry into force of the EU Data Act.

Toolkits & Client Log-in