With the EU Data Act now in force, companies must urgently prepare for sweeping new obligations on data access, sharing, and interoperability across connected products and services.
With the aim of ensuring a uniform and harmonized approach to technological innovation, the European legislator has, over the last few years, adopted various laws aimed at regulating the impact of new technologies in different sectors. Just think of the AI Act, the DORA Regulation or the NIS 2 Directive, to name but a few. These are complex and highly innovative pieces of legislation that impose new obligations and outline specific regulatory frameworks. Regulation (EU) 2023/2854 (known as the “Data Act”) is no exception, as it represents the first European regulatory framework for the management of data generated by connected products or related services.
The Regulation was published on 22 December 2023 and entered into force on 11 January 2024, with its provisions set to apply gradually starting from 12 September 2025. Its significance is further amplified by its interaction with the AI Act, which becomes applicable as of 1 August 2024.
What is the Legal Framework and the Key Obligations Under the Data Act?
The Data Act is designed to ensure fair access to data for users (both consumers and businesses) generated through the use of what the Regulation refers to as connected products. These include any products that obtain, generate, or collect data in relation to their use and are capable of transmitting such data via electronic communications services. Essentially, this definition encompasses all Internet of Things (IoT) devices.
Within this context, the Regulation introduces a number of key obligations for parties that interact with connected products or are involved in related services (defined as services enabling one or more functionalities of the connected product). These include:
- Providers of connected products and/or related services must provide users with detailed information, including several specific elements listed directly in the Regulation;
- Manufacturers of connected products must design and build devices that allow users to access the data generated during use in a direct and user-friendly way. They must also disclose information regarding the nature of the data, access methods, data volume, and expected format;
- Businesses involved in the handling and processing of data must implement technical and contractual measures throughout the supply chain to ensure that end-user rights are effectively upheld.
In addition to regulating relationships with end users, the Data Act also introduces several rules governing business-to-business data sharing. It provides safeguards against unfair contractual terms by defining certain clauses as abusive, and therefore unenforceable.
Another notable aspect is the framework for public sector access to privately held data under exceptional circumstances, which outlines the specific conditions under which public authorities may request such access.
The Regulation also places strong emphasis on interoperability and data portability in cloud and edge computing services. Specific provisions are included to facilitate switching between service providers and to prevent vendor lock-in scenarios. Cloud service providers must ensure that data migration can be carried out in a structured, efficient, and cost-free manner, within defined timeframes.
Finally, Chapter VIII addresses data access by EU bodies and public authorities for purposes of public interest, while Chapter IX promotes the development of European standards for interoperability, both technical and contractual. Adherence to these standards is strongly encouraged to ease compliance and reduce legal uncertainty.
What is the intersection between the Data Act and the AI Act?
As mentioned, the rules governing access to and use of data are particularly relevant in the context of artificial intelligence systems, which are typically composed of complex datasets, models, software, and hardware components.
Where AI systems are embedded in connected products or related services (for instance, smart voice assistants, machine learning-based industrial automation systems, or other IoT-integrated applications), companies will need to assess how the two frameworks interact and ensure that both technical and contractual safeguards are in place to meet all applicable obligations.
One example is the Data Act’s requirement that connected products must enable users to easily and securely access, use, and share the data they generate. This obligation dovetails with the AI Act’s focus on transparency and accessibility, making it essential for organizations to implement measures that fulfill the requirements of both regulations.
What should be done to ensure compliance?
The new regulatory landscape introduces several areas that organizations will need to focus on in the coming months to ensure timely and effective compliance. Key action points include:
- Risk assessment and gap analysis: Organizations should conduct thorough assessments to understand how the Regulation impacts their business and what steps are needed to achieve full compliance;
- Defining contractual responsibilities: Contracts between all relevant parties (manufacturers, service providers, distributors, resellers, and end users) should clearly set out the measures in place to ensure data access and sharing, allocate responsibilities for implementing and monitoring these measures, and establish each party’s rights and obligations;
- Technical interoperability and standardization: Companies must evaluate whether their existing infrastructure supports compliance with the Regulation’s requirements. For example, they should determine whether users can effectively access all the data generated by the device, or whether new measures need to be introduced to enable this.
It is worth noting that the European Commission is expected to develop model contractual clauses to support businesses in drafting fair and balanced data-sharing agreements.
When is the Data Act coming into force?
In line with the EU’s recent regulatory practice, the Data Act adopts a phased implementation approach, as follows:
- From 12 September 2025: General application of the main provisions on data access obligations for manufacturers of connected products and providers of related services;
- From 12 September 2026: Entry into force of specific obligations on the design and manufacture of connected products that must ensure user-friendly access to generated data;
- From 12 March 2027: Application of the rules governing data portability and switching between data processing service providers.
In the coming months, it will be essential for businesses to develop a clear understanding of the regulatory framework and its intersections with existing laws, particularly the AI Act. The first step must be to identify the concrete actions required to achieve full and effective compliance, along with a realistic implementation timeline that accounts for both technical measures and the necessary contractual and informational adjustments.
On the same topic, you can read the article “Data Act: the level of enrichment of data for it to be considered inferred or derived”.