---
name: EU Data Act
slug: eu-data-act
type: regulation
status: running
version: "1.0"
released: 2024-09-12
maintainer: European Parliament & Council of the EU
dependencies:
  - GDPR
  - EU Data Governance Act
  - single-market-ideology
  - hope
license: Public (Regulation (EU) 2023/2854)
tags:
  - data
  - interoperability
  - iot
  - cloud
  - fairness
  - europe
---

EU Data Act

What it actually is

A legally binding framework that decides who gets to use the data generated by connected devices, and on what terms, before someone less thoughtful makes that decision for everyone.

How it works

When you use a smart device, it produces data. Until recently, the manufacturer kept all of it. The Data Act interrupts this arrangement politely but firmly.

The core loop:

User generates data by interacting with a product (a tractor, a washing machine, a factory sensor)
Manufacturer holds data by default, because the pipe runs through their servers
Data Act intervenes and says: the user has a right to access that data, share it with third parties, and switch cloud providers without losing their history
Third parties can request data access if they are not a gatekeeper (GAFAM types are explicitly excluded from this benefit)
Public bodies can requisition data in genuine emergencies, with safeguards attached

It does not hand data to governments freely. That line was deliberate and worth noticing.

Features

Portability by design: product data follows the user, not the vendor
Fair contract terms: standard clauses prohibited from being exploitative (there is an annex)
Cloud switching: vendor lock-in is treated as a defect, not a feature
B2B data sharing obligations: if you collect data from another company's machines, you share
Trade secret protections: manufacturers keep legitimate secrets, just not all data forever
Interoperability requirements: smart contracts must include kill switches for illegal terms

Known bugs

Scope boundaries around "data generated by use" vs. "derived data" are genuinely blurry
SME exemptions create asymmetries that may compound over time
Enforcement is delegated to member states, so compliance pressure will vary by geography
"Reasonable compensation" for data access is undefined enough to litigate warmly for years
Does not cover personal data held by platforms, which remains GDPR's job

Configuration

data_access:
  user_right: true
  third_party_right: true
  gatekeeper_eligibility: false

cloud_switching:
  max_transition_period: 30 days  # reduced to 7 days by 2027
  data_export_formats: open and interoperable

emergency_access:
  public_body_request: allowed
  speculative_use: prohibited
  duration: limited and proportionate

Changelog

Version	Date	Notes
Final text	Nov 2023	Regulation (EU) 2023/2854 published
Entry into force	Jan 2024	Counting begins
Most provisions apply	Sep 2025	The actual deadline companies fear
Cloud switching deadline	Sep 2027	Full switching costs eliminated

FAQ

Who does this protect? Mostly small businesses and consumers who never had a seat at the data table. That is the tender truth of it.

Does it conflict with GDPR? They are meant to be complementary. Personal data triggers GDPR. Non-personal IoT data triggers this. Reality sometimes generates both simultaneously.

Why does it exclude gatekeepers from B2B access rights? Because giving Big Tech another legal instrument to harvest SME data was not the goal. Someone in Brussels was paying attention.

Will it work? Ask again in 2028. But it is, at minimum, a sincere attempt to write fairness into infrastructure before the infrastructure hardens permanently. That counts for something.

drafting spec…