---
name: EU Data Act
type: regulation
status: running
version: 2023/2854
released: 2024-01-11
maintainer: European Parliament, Council of the EU
dependencies:
  - GDPR
  - EU Data Governance Act
  - ePrivacy Directive
  - Connected Device Manufacturers (mandatory)
license: Public Law (non-negotiable)
tags:
  - data
  - regulation
  - europe
  - iot
  - interoperability
  - cloud
  - b2b
  - compliance
---

EU Data Act

What it actually is

A binding ruleset that forces whoever collects data from connected devices to share it, on request, with whoever actually used the device to generate that data in the first place.

How it works

The core loop is deceptively simple:

User buys or operates a connected device (car, washing machine, industrial sensor, smart meter)
Device generates data. Manufacturer captures it. User sees none of it.
Data Act fires. User requests their data.
Manufacturer must provide it. In real time, where technically feasible. For free, to the user. At fair, reasonable, non-discriminatory terms if shared with third parties.

The Act also mandates cloud switching rights (exit costs reduced, data portable between cloud providers), introduces limits on public sector access to private data during emergencies, and forces interoperability standards that do not yet fully exist.

"Finally, the data I generated by driving my tractor belongs to me." — Anonymous farmer, paraphrased from EU consultation feedback

Features

User data access rights: individuals and businesses can retrieve data from any connected product they operate
Third-party data sharing: manufacturers must share with authorized third parties on user instruction
Cloud portability: switching providers cannot be held hostage by proprietary formats or exit fees
B2B fairness clauses: contractual imbalances in data-sharing agreements between large and small businesses are capped
Public emergency access: governments can request privately held data during crises, with defined limits
Trade secret protections: manufacturers retain some cover, though the scope is contested

Known bugs

Definition of "connected device" is broad enough to spark legitimate disagreement at every implementation meeting
"Technically feasible" real-time access has no hard benchmark, inviting creative interpretation
Interoperability standards are delegated to future specifications that are still being written
Trade secret exceptions and data access rights exist in permanent productive tension
Enforcement is distributed across 27 national authorities with 27 different appetites for confrontation
Small and medium enterprises get exemptions that large platforms will study carefully and structure around

Error codes

ERR_NO_ACCESS_PROVIDED       // Manufacturer denied data request without valid grounds
ERR_SWITCHING_FEE_ILLEGAL    // Cloud provider charged excessive exit costs post-2027
ERR_CONTRACT_UNFAIR_TERMS    // B2B data agreement violates FRAND conditions
ERR_SCOPE_AMBIGUITY          // Device classification under Article 2 disputed
ERR_NATIONAL_AUTHORITY_SLOW  // Complaint filed; regulator timeline: unknown

Changelog

Version	Date	Notes
Final text	Jan 2024	Entered into force
Transitional period	Sep 2025	Most obligations apply from here
Cloud switching full effect	Sep 2027	Portability rules fully active
Prior state	—	Manufacturers kept everything. Users asked nicely.

FAQ

Does this replace GDPR? No. GDPR governs personal data and privacy. The Data Act governs access and sharing of industrial and IoT data, including non-personal data. They overlap in uncomfortable ways.

Who actually benefits most? Businesses operating fleets of connected assets. Eventually, consumers. Currently, lawyers.

Is this global? It applies in the EU and to anyone selling connected products into the EU market. Which is most of the world's manufacturers, whether they have updated their compliance decks yet or not.

drafting spec…