The Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data — also known as the Data Act — entered into force on 11 January 2024 and into application on 12 September 2025. With the Data Act, the EU has implemented a central component of its data strategy by establishing new rules for access to and use of non-personal data.

The scope of the EU Data Act is extensive, covering various types of data and stakeholders. It applies to both personal and non-personal data, ensuring that data provided to controllers based on consent or contractual obligations is readily accessible. Furthermore, the Data Act shall also ensure data portability and interoperability by enhancing standards for data portability and promoting interoperable data formats and facilitating seamless data exchanges. Furthermore, it seeks to improve data governance and compliance through the implementation of standardized data exchange agreements and the promotion of voluntary agreements, incorporating mandatory specifications in the event of disputes.

The Data Act is a key pillar of the European data strategy and aims to make a significant contribution to the Digital Decade‘s objective of advancing digital transformation in the EU. In contrast to centralized frameworks such as the GDPR, the Data Act assigns primary enforcement responsibilities to individual EU member states.

The following article summarizes the Data Act and outlines its key aspects – from the political objectives and the main regulatory content to the implications for businesses and the unresolved issues surrounding its implementation.

The EU Data Act is a component of the extensive European data strategy introduced by the European Commission in February 2020, which is integral to the European Union’s digital strategy. This strategy seeks to establish a unified European data space where data can be utilized securely, equitably, and for the advantage of the economy, governance, and society. The Data Act is a crucial legislative tool for enhancing the economic and social value derived from data, while simultaneously ensuring governance over this data within the European legal framework.

The Data Act enhances current European legislation regarding data and digital policy within the broader political framework. The Data Governance Act (DGA) establishes a legal framework for voluntary data sharing, the creation of data intermediaries, and the reuse of specific public data, whereas the Data Act governs the compulsory access to and sharing of data produced by connected products or services. Collectively, these legal instruments establish the regulatory foundation for an operational European data economy. The Data Act is intricately connected to other EU data regulation, including the Digital Markets Act (DMA), the Digital Services Act (DSA), and the Artificial Intelligence Act (AI Act). Collectively, these legislative measures aim to enhance the EU’s digital sovereignty, mitigate competitive distortions within the digital single market, and establish a secure legal framework that fosters innovation.

As mentioned, the objective of the Data Act is to enhance the accessibility and utilization of data across various sectors. The regulation implements a system that grants all market participants access to data that was previously unutilized or solely controlled by specific entities. It mandates manufacturers and providers of connected products to grant users access to the data they generate, thereby fostering new avenues for data-driven innovation and services. At the same time, the regulation aims to ensure fair competition conditions. The Data Act therefore aims to reconcile two sides: on the one hand, greater data access and freedom of use (especially for users of networked products and services), and on the other hand, protection of investments in data collection, confidentiality of sensitive information and compliance with applicable data protection or trade secret rights.

The Data Act establishes an extensive legal framework governing access to and utilization of data produced by “connected products” (e.g. networked household appliances, industrial plants, vehicles) and “related services” (e.g. apps, cloud services, maintenance platforms). The regulations encompass both personal and non-personal data, with the General Data Protection Regulation (GDPR) maintaining primacy regarding personal data. The Data Act is applicable to all providers delivering products or services within the EU internal market, irrespective of their establishment within the European Union. The regulation consequently exerts extraterritorial influence on third-country companies operating in the European market.

The core of the regulation is to enhance user rights. Owners, tenants, or users of a connected product are afforded an immediate right to access the data generated from its utilization. This access right encompasses the receipt of data in a structured, machine-readable format and the entitlement to transfer the data to third parties. The data owner, typically the manufacturer or service provider, is required to grant access to the data at no cost, promptly, and in a reasonable manner. Exceptions are applicable solely within restricted parameters, such as when the revelation of data could compromise trade secrets or product safety. In such instances, the data owner is required to either justify the access or defer it to a subsequent stage.

The Data Act also governs contractual relationships between businesses (“B2B constellations”). Data owners are required to provide access to data for other enterprises under fair, reasonable, and non-discriminatory conditions (“FRAND principle”), contingent upon a legitimate interest in the intended use of the data. Unjust contractual provisions that excessively limit data access or are intended to solely disadvantage smaller market participants are explicitly not permissible. The Data Act differentiates between clauses deemed inherently unfair and those presumed to be unreasonable. This constrains the operational flexibility of companies with market power, while ensuring equitable access to industrial or usage-related data for small and medium-sized enterprises.

Public authorities or public sector entities may, under specific circumstances, seek access to data maintained by private companies when there is a compelling public interest. This is especially relevant in emergency and crisis scenarios, including natural disasters, pandemics, or the maintenance of public safety. Data access is permitted in additional legally specified instances, contingent upon stringent requirements of proportionality, transparency, and purpose limitation. The regulation mandates that authorities coordinate data requests to prevent duplication (the “once-only” principle”) and reduce the burden on the affected companies.

The Data Act includes extensive provisions on interoperability and data portability for cloud and data processing services to enhance competition and data mobility. Thus, customers of such services should be able to transition between providers more effortlessly, free from technical or contractual impediments (“lock-in effects”). Consequently, service providers must facilitate data export in standard formats and ensure that functionality and service quality are predominantly preserved during the transition. Commencing January 2027, no charges for data transfer (“data egress fees”) shall be imposed between service providers. The regulation aims specifically to curtail the market dominance of major cloud providers and foster competition within the European data ecosystem.

The Data Act includes specific provisions regarding protection against unauthorized foreign data access and data security. Entities that handle or retain data within the EU may transfer such data to authorities in third countries solely upon receiving a lawful and proportionate request for information, provided that adequate safeguards are in place to ensure the legal protection of the affected individuals or entities. Data processing services must implement suitable technical and organizational measures to guarantee data security, including encryption, access control, and regular audits, while also notifying their clients of potential access risks from third countries.

The Data Act creates a comprehensive legal framework that methodically governs access to industrial and usage-related data, seeks to enhance competition within the European single market, and simultaneously balances the rights of data proprietors, users, and the public sector. The regulation integrates data protection, commercial law, and technical elements into a cohesive framework that will underpin the European data economy moving forward.

The EU Data Act presents substantial economic opportunities for companies, while also imposing extensive organizational and legal responsibilities. The establishment of a universal right to data access for users of networked products is facilitating the expansion of the market for data-driven services. In the future, companies will gain enhanced access to usage and machine data that was formerly exclusive to manufacturers or platform operators. This will promote the emergence of novel business models, particularly in maintenance, data analysis, energy efficiency, and product optimization. It is to be expected that the Data Act will simultaneously bolster the standing of small and medium-sized enterprises, which have frequently been marginalized from data access and interoperable systems historically. The Data Act aims to establish equitable conditions within the European single market.

Nonetheless, enhanced data accessibility will necessitate modifications by companies. Manufacturers and providers of connected products must initially identify which of their products and services are in scope of the Data Act, as well as which data sets are governed by the rules regarding accessibility, sharing, and portability. Existing contractual frameworks must be examined, particularly usage, distribution, and maintenance agreements that lacked explicit clauses regarding data transfer or utilization. Liability concerns, confidentiality safeguards, and compensation structures must be reevaluated.

The Data Act mandates companies to furnish user-generated data in an accessible, machine-readable, and interoperable format. Consequently, interfaces, export functions, and internal data management systems may require modification or new development. The safeguarding of trade secrets and adherence to data protection regulations are of paramount significance. Consequently, companies must adopt technical and organizational measures to facilitate legally mandated data access while safeguarding their sensitive information.

The organization of compliance is of significant importance. Organizations must implement protocols to efficiently and transparently handle requests from users or third parties, and, if required, notify the appropriate regulatory authorities. This encompasses internal documentation and verification criteria necessary to comply with regulatory requirements during an audit.

The EU Data Act exerts a de facto extraterritorial influence on Swiss companies. The regulation applies to all providers offering products or services in the EU market, thus Swiss manufacturers and service providers whose products are available or utilized in the Union are also bound by the pertinent obligations. Consequently, these companies must modify their contracts and data procedures to align with European standards to secure market access and legal compliance. In the future, explicit contractual stipulations regarding data rights, access obligations, and compensation mechanisms will be necessary in cross-border supply and collaboration agreements.

The regulations indicate that the Data Act serves as both an economic policy tool for fostering data-driven innovation and establishes a mandatory legal framework compelling the relevant companies to systematically modify their contractual, technical, and organizational structures.

Although the Data Act aims to establish a fair and transparent internal market for data, numerous interpretative and delineative questions arise in its practical implementation. The relationship between the Data Act and existing EU regulations, particularly the General Data Protection Regulation (GDPR) and copyright and database protection provisions, remains inadequately defined in several aspects. The regulation encompasses both personal and non-personal data produced in relation to connected products. This may result in overlaps, such as when data encompasses both personal information and technical operational data. Furthermore, essential terms such as “connected product”, “minimally processed data”, and “reasonable compensation” are ambiguous and subject to interpretation, likely to be clarified solely through case law or formal guidelines.

The technical requirements for interoperability and data portability present a significant challenge. The requirement to supply data in a standardized, machine-readable format and to facilitate the transition between data processing services necessitates substantial investment in interfaces, data management, and system architectures. Industries utilizing intricate or proprietary technologies, such as industrial engineering or medical technology, must ensure technical compatibility while safeguarding their innovations. The practical application of interoperable standards remains inadequately harmonized; definitive specifications for data formats or communication protocols are predominantly still outstanding.

Moreover, the Data Act prompts enquiries regarding the safeguarding of trade secrets and the delineation of valid competitive interests. As users and third parties will soon possess the right to obtain and use specific data sets, a conflict arises between the legal entitlement to data access and the data holder’s right to confidentiality. Consequently, companies must establish procedures to accurately label sensitive information and safeguard it from unauthorized disclosure via technical or contractual means (e.g. NDAs or technical access restrictions). The Data Act simultaneously mandates that they cannot deny access solely based on a general assertion of confidentiality interests. The determination of “reasonable compensation” for data provision remains unresolved. The regulation mandates equitable and non-discriminatory conditions yet delegates their specific formulation to the contracting parties. This may lead to future disputes regarding pricing, equivalence, and market suitability.

Ultimately, there exist ambiguities concerning enforcement and penalties. The Data Act mandates EU Member States to appoint competent national authorities and establish sanctions for infringements, without standardizing these measures across the EU. This poses the risk of inconsistent enforcement practices and varying legal repercussions among the Member States. For companies, particularly small and medium-sized enterprises, implementation may require substantial administrative effort. Alongside technical and organizational modifications, ongoing compliance monitoring is essential to guarantee sustained adherence to legal obligations.

The Data Act marks a transformative change in European data and digital policy: users, whether private individuals or companies, are afforded enhanced rights over the data they produce; concurrently, manufacturers and service providers are mandated to facilitate data access, transferability, and interoperability of services. The Data Act presents significant opportunities for innovation and competition, while simultaneously establishing new regulatory frameworks, especially concerning data access, service portability, and data governance. The critical determinant will be the efficacy of the practical implementation across technical, contractual, and organizational aspects.