Commercial law

EU Data Act

10 Apr 2025

A major shift in data governance is coming. From 12 September 2025, the EU Data Act (EUDA) will take effect, bringing new rules for how data is shared, accessed, and controlled within the European Union (EU).

That means businesses have less than six months to assess whether they’re affected and what changes they might need to make to stay compliant. The clock is ticking!

What is the EU Data Act?

EUDA will make it easier for people and businesses to access and share data generated by ‘connected products’, including both personal and non-personal data.

A ‘connected product’ is any device that collects or generates data about its usage or surroundings and can share that data electronically, by physical connection, or via on-device access. For example, smart home devices, industrial sensors, connected vehicles, and fitness trackers all fall under this definition.

However, devices primarily used for storing, processing, or transmitting data on behalf of others (for example, routers and servers) are not considered connected products under EUDA.

What are the new access rights?

The following user groups will have new data access rights under EUDA:

  • Users (including individuals and businesses): will have the right to access the data they generate through using their connected products;
  • Third Parties: may be granted access, but only with the users’ consent; and
  • Public Bodies: may request access to data, but only in limited circumstances.

The aim is to promote greater data transparency and stimulate competition within the EU whilst still safeguarding personal information.

Will it affect me or my business?

If your business sells or operates ‘connected products’ or related services on the EU market, you will likely be affected by EUDA, even if your company is based outside the EU.

What do you need to do?

As EUDA promotes greater transparency, businesses will have new responsibilities when handling data. Key obligations include:

  • Easy Cloud Switching: Customers must be able to switch cloud service providers without unnecessary barriers, and these rights should be clearly outlined in contracts.
  • Pre-Contract Information: Users must know before signing a contract what kind of data is generated and how it will be used or shared. This responsibility lies with the data holder even if you’re not the one directly contracting with the user.
  • Right to Access: If users can’t access the data directly, it must be stored in a way that enables free, timely and secure access, in a machine-readable and reusable form.
  • Access by Design: Any new connected products launched after 12 September 2026 must be designed to give users better direct access to their own data.

These data access rights must be offered free of charge. However, if you’re sharing data with third parties (with the user’s permission), you may be entitled to fair compensation under certain conditions.

What about GDPR?

The EUDA does not override GDPR, which focuses on protecting the privacy of personal data. This means that while the EUDA encourages data sharing, businesses must still comply with GDPR when handling personal information.

Non-personal data can be shared more freely under the EUDA, but greater scrutiny should be applied before disclosing personal data under the EUDA, to avoid violating privacy laws.

How we can help

Navigating these changes can be tricky, especially if your business deals with connected products or services across borders. Our commercial team is here to help you understand how the EUDA applies to you and what steps you may need to take.

Hans Schumann

Legal director
Commercial and tech

Edward Clark

Trainee Solicitor
