What’s new?
The EU Data Act introduces design obligations for smart products, data-sharing requirements and mandatory contractual obligations. It applies to all raw data generated by these products, not just personal data.
If you have “smart” technology products connected to the internet available in the EU, or provide data-based services related to such products, you have less than a year to consider your business model.
When?
Most obligations of the Data Act take effect from 12 September 2025. Don’t wait until the last minute, because this isn’t a quick fix: the new law could affect how you design your products, how you share data and how you protect your trade secrets. You’ll likely have to renegotiate your contracts.
What should I do?
The immediate steps we recommend are to:
- Set up a working group to determine how the Data Act applies to your products, services and data.
- Classify the information your products or services generate to identify what information you have to share and what information you may wish to share or, indeed, receive.
- Consider what technical protections you have in place to protect proprietary information.
- Check your contracts to see if they comply with the new requirements and include sufficiently broad data rights/protections.
Tell me the purpose of this Data Act in less than a minute
The goal of the Data Act is to drive the “data economy” and “data-driven innovation” in the EU.
To achieve this goal, one goal of the Data Act is to give users more control over information produced from connected products and services. It aims to increase transparency of what information is generated. And it gives more access to that information.
Who does the Data Act apply to?
Designers, manufacturers and users of connected products that obtain generate or collect data which can be communicated via a cable or wireless connection (e.g. the IoT). This includes:
- companies involved in consumer devices like wearable fitness technology and similar electronics, home appliances like smart doorbells, smart lighting, cleaning robots and smart fridges
- companies that make modern cars and airframe and engine manufacturers
- data-related services such as analytics, streaming and voice assistants. Other examples include an app to adjust the brightness of lights or regulate the temperature of a fridge
What are the key requirements?
At an overarching level, relevant products must be designed and manufactured in a way that product data is “[…] by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user”. In other words,
- Ensure operational processes are in place to share information generated by connected devices with third parties upon request where required.
- This includes metadata necessary for interpreting the data. Given the scope for competitors to access data, we expect this will be a highly contentious area. But, you can contractually restrict the further use or sharing of data if it could undermine the security of the connected product. There are also protections for owners of trade secrets so third parties can’t use the data to create competing products. Also, derivative data (where investment has gone into assigning insights from the data) is out of scope.
- Make sure data generated by these products is accessible and portable where required. There is some discretion to make it directly or indirectly available. Keep in mind though, you can apply technical measures, e.g. smart contracts and encryption, to prevent unauthorised access to data.
- Data holders (e.g. manufacturers) should set up an approval process (e.g. web portal where requests can be submitted by users to access and use non-personal data) if this is being made available indirectly.
In addition to IoT-related data-sharing obligations, the Data Act also sets out interoperability standards, for example, for data processing services including cloud vendors. To prevent technical lock-in (making it harder for users to switch), it requires data processing services to be changeable at no cost without downtime. Currently, the scope of the Data Act seems to be underestimated by many businesses. As these rules apply beyond the context of connected products and related services.
How we can help you
As we discovered in our 2024 Tech Index, there is a growing number of IoT use cases being developed and a huge scope for more innovation. However, businesses are concerned about increased regulatory requirements, especially in Europe. So it’s important to be prepared for the Data Act. DLA Piper can help you with:
- Scoping how the Data Act applies to you
Do you have a right to receive information or do you have to share it? There are lots of new definitions, data holders, users, data recipients, manufacturers of connected products and providers of related services. We can help work out which obligations/rights apply to you.
- Building your data classification methodology – we’ve found this isn’t clear-cut and affects every business differently.
You need to think bigger than the Data Act. This should be one part of your data governance programme. You’ll want to classify, at a data point level, what is generated by your products and whether that information is raw data, metadata or derivative data. You’ll also want the whole business to understand what is proprietary. We can help you align your internal definitions with the Data Act.
- Looking at your contracts.
New data-sharing rules prohibit contractual terms considered unfair. They’ll be unenforceable. Sound familiar? There are huge parallels with consumer unfair terms regulations. For example, a unilateral right to use the other contracting party’s data to their significant detriment is unfair. But the Data Act doesn’t list all of the unfair terms. We regularly help clients with similar projects. We’ll share insights on how to manage compliance and update your terms. Cloud vendors have their own obligations around portability and may also be looking at their terms – you should be prepared to respond.
Contact Linzi Penman, Sophie Lessar, Huw Cookson or Isla Neil if you think the Data Act might apply to you. Or visit our EU Digital Decade microsite to find out more.