European Data Act: IoT Compliance Guide

The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and has applied since 12 September 2025, reshaping how data from connected devices must be shared. The access-by-design obligation for new connected products follows a year later, for products placed on the market after 12 September 2026. If your business makes, sells, or supports IoT products in the EU, you need to be fully compliant.

This guide breaks down the rules, who they affect, and the steps to take to stay ahead. Ignoring these requirements could lead to significant penalties and lost business opportunities.

What is the European Data Act?

The European Data Act establishes harmonised rules for data sharing across all economic sectors in the European Union. It targets the vast amounts of data generated by connected devices, from smart home appliances to industrial equipment, that have historically remained locked away by manufacturers.

The Act forms a core pillar of the broader European data strategy and the EU’s Digital Decade goals. Its objectives are straightforward:

Fair access to data: Breaking manufacturer monopolies over valuable data from IoT devices

User empowerment: Giving consumers and businesses control over the data their devices generate

Innovation promotion: Opening data flows to stimulate competition and new services

The Data Act works alongside several other regulations. The General Data Protection Regulation (GDPR) continues to govern the protection of personal data. The Data Governance Act creates frameworks for voluntary data sharing. The Digital Markets Act addresses competition in digital markets. The Data Act specifically fills the gap in access to data from connected products.

Key Provisions and Rights Under the Data Act

User Rights and Data Access

Users, whether consumers or businesses, now have new rights under the Data Act. You can request access to the readily available data generated by your connected products, free of charge. This covers personal and non-personal data, and it must be provided without undue delay in a structured, commonly used and machine-readable format. You can also have this data shared with a third party of your choice, for example, sending your smart car’s performance information to an independent maintenance provider; the data holder must make this possible. One exception: an undertaking designated as a gatekeeper under the Digital Markets Act is not an eligible third party.

The Data Act also restricts unfair contract terms in business-to-business contracts: “take-it-or-leave-it” clauses unilaterally imposed on the other enterprise are not binding where they are unfair. One important limit on the access rights is that neither the user nor a third party may use the shared data to develop a connected product that competes with the product the data came from, which protects manufacturers against misuse of data from their own devices.

Data Holder Obligations

Data holders have new responsibilities. They must give users access to readily available data without undue delay. New connected products must be designed so that, where relevant and technically feasible, the user can access the data directly from the product, continuously and in real time; otherwise access goes through secure channels such as dashboards or APIs.

They must also tell users, before purchase or contract signing, what data the product generates, in what volume and how often, whether it is generated continuously and in real time, how it is stored, and how to access it. A data holder may use readily available non-personal product data only on the basis of a contract with the user, so manufacturers can no longer use all device data freely. Data should be shared in standard formats that are easy for others to use.

Who Must Comply with the Data Act?

The scope catches more organisations than many expect.

Manufacturers of connected products placed on the EU market fall squarely within scope. If your device connects to the internet and generates usage data, the Act likely applies.

Service providers offering related services to connected products, such as apps that interact with smart devices, analytics platforms, or software updates, must comply with data sharing obligations.

Cloud service providers and edge computing providers face specific requirements around data portability and switching.

Non-EU entities offering connected products or services to EU customers cannot escape by being headquartered elsewhere. You must designate a legal representative in the Union.

Public sector bodies gain special access rights to private sector data where there is an exceptional need: during a public emergency, or where the data are necessary to fulfil a specific task in the public interest and cannot otherwise be obtained in time.

Connected Products and Data in Scope

Definition of Connected Products

The Data Act defines connected products broadly. Any item that obtains, generates, or collects data concerning its use or environment, and communicates that data electronically, qualifies.

Covered examples include:

Smart home appliances (thermostats, refrigerators, televisions)
Connected vehicles
Industrial equipment and factory machinery
Medical devices
Wearables and fitness trackers

Exclusions apply to:

Products whose primary function is the storage, processing, or transmission of data on behalf of parties other than the user (such as servers)
Prototypes not yet on the market
Certain infrastructure sensors

Types of Data Covered

The regulation targets “readily available data”: raw data, and data that has been pre-processed only as far as necessary to make it usable, in a machine-readable form. It does not extend to the insights the holder derives or infers from that data.

In scope:

Sensor data (temperature, pressure, speed, location)
Both personal data and non-personal data
Metadata providing structured descriptions
Aggregated and anonymised data in certain contexts

Out of scope:

Inferred or derived data (manufacturer’s proprietary analytics)
Audiovisual content created by users
Trade secrets, only in exceptional cases: they are normally shared subject to agreed confidentiality measures, and may be withheld only where the holder can show it is highly likely to suffer serious economic damage

Compliance Steps for Organisations

Data Mapping and Assessment

Start with a complete inventory.

Identify every connected product and related service in your portfolio. This includes devices you manufacture, services you provide, and any cloud infrastructure you operate.

Categorise the data generated. Determine which falls under the Data Act’s provisions versus pure GDPR territory. Mixed datasets containing both personal and non-personal data require dual compliance.

Assess your current data governance framework. Do you have mechanisms for users to request data? Can you deliver it in machine-readable formats?

System and Process Updates

Technical preparation is unavoidable.

Upgrade systems for standardised data sharing. Products may need redesigning to enable direct user access rather than manufacturer-only retrieval.

Develop APIs for interoperable data access. Users and their chosen third parties need practical ways to gain access to their data.

Establish internal data-sharing policies. Staff need clear guidance on handling data access requests.

Implement user notification mechanisms. Before purchase or contract signing, users must understand what data types their products generate.
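One way to structure the access checks behind such an API, as an added example that is not code from the page or from any regulator or vendor. It assumes a hypothetical product ("pump-42"), hypothetical recipient records and purpose strings; the rule set it encodes is the user access right, user-directed sharing with a third party, the restriction on building a competing connected product, the exclusion of DMA gatekeepers as recipients, and the confidentiality safeguards for trade secrets, with withheld fields named in the response rather than silently dropped.

```python
"""Access checks for a Data Act style data-access endpoint: an added example,
not code from the page, a regulator or any vendor. The product, field names,
purpose strings, recipient records and rule set are assumptions chosen to show
the decisions such an endpoint has to make before releasing product data."""
import json
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# A reading the holder has flagged as a trade secret needs extra safeguards.
Reading = namedtuple("Reading", "ts name value trade_secret", defaults=[False])
# The user's record that recipient_id may receive the user's data for a purpose.
Authorisation = namedtuple("Authorisation", "user_id recipient_id purpose expires")
# What the holder knows about a requester (DMA gatekeeper status, NDA accepted).
Recipient = namedtuple("Recipient", "recipient_id is_gatekeeper accepted_confidentiality",
                       defaults=[False, False])

FORBIDDEN_PURPOSES = {"develop_competing_connected_product"}  # Data Act Art. 4(10), 6(2)(e)


class AccessDenied(Exception):
    """Raised when a request must be refused; the message is the reason."""


def build_export(product_id, requester, owners, data, authorisations, now):
    """Return a machine-readable export for requester, or raise AccessDenied.

    Checks, in order: product exists; requester is the user, or else is not a
    gatekeeper and holds an unexpired authorisation for a permitted purpose;
    trade-secret fields are released only under accepted confidentiality."""
    owner = owners.get(product_id)
    if owner is None:
        raise AccessDenied(f"unknown product {product_id}")
    if requester.recipient_id == owner:
        purpose = "user_access"
    else:
        if requester.is_gatekeeper:
            raise AccessDenied("designated gatekeeper is not an eligible third party")
        auth = next((a for a in authorisations if a.user_id == owner
                     and a.recipient_id == requester.recipient_id and a.expires > now), None)
        if auth is None:
            raise AccessDenied("no valid user authorisation for this recipient")
        if auth.purpose in FORBIDDEN_PURPOSES:
            raise AccessDenied(f"purpose not permitted: {auth.purpose}")
        purpose = auth.purpose
    released, withheld = [], []
    for r in data.get(product_id, []):
        if r.trade_secret and not requester.accepted_confidentiality:
            withheld.append(r.name)  # listed as withheld, not silently dropped
        else:
            released.append({"ts": r.ts, "name": r.name, "value": r.value})
    return {
        "product_id": product_id,
        "recipient": requester.recipient_id,
        "purpose": purpose,
        "generated_at": now.isoformat(),
        "readings": released,
        "withheld_trade_secret_fields": sorted(set(withheld)),
    }


# Constructed sample data: one hypothetical industrial pump, its user and
# four would-be recipients, with a fixed clock so results are reproducible.
NOW = datetime(2025, 9, 12, 9, 0, tzinfo=timezone.utc)
PRODUCT_OWNER = {"pump-42": "user-alice"}
PRODUCT_DATA = {"pump-42": [
    Reading("2025-09-12T08:00:00Z", "flow_l_min", 12.4),
    Reading("2025-09-12T08:00:00Z", "pressure_bar", 3.1),
    Reading("2025-09-12T08:00:00Z", "calib_offset", 0.013, trade_secret=True),
]}
AUTHORISATIONS = [
    Authorisation("user-alice", "maint-co", "predictive_maintenance", NOW + timedelta(days=30)),
    Authorisation("user-alice", "rival-oem", "develop_competing_connected_product",
                  NOW + timedelta(days=30)),
    Authorisation("user-alice", "stale-app", "analytics", NOW - timedelta(days=1)),
]
RECIPIENTS = {
    "user-alice": Recipient("user-alice", accepted_confidentiality=True),
    "maint-co": Recipient("maint-co"),  # authorised, but has not accepted NDA terms
    "rival-oem": Recipient("rival-oem"),
    "stale-app": Recipient("stale-app"),
    "big-platform": Recipient("big-platform", is_gatekeeper=True),
}


def try_export(requester_id):
    """Export for one sample recipient, or a dict carrying the refusal reason."""
    try:
        return build_export("pump-42", RECIPIENTS[requester_id], PRODUCT_OWNER,
                            PRODUCT_DATA, AUTHORISATIONS, NOW)
    except AccessDenied as exc:
        return {"denied": str(exc)}


def export_json(requester_id):
    """The same decision serialised as the JSON document the API would return."""
    return json.dumps(try_export(requester_id), indent=2, sort_keys=True)


if __name__ == "__main__":
    for rid in RECIPIENTS:
        print(f"--- {rid}\n{export_json(rid)}")
```

Running the script prints one JSON document per sample recipient: the user gets every field, the maintenance provider gets the readings minus the trade-secret calibration value and a list naming what was withheld, and the remaining three requests are refused with a stated reason. Recording the reason matters in practice, because a refusal the user considers unjustified is what ends up in front of the enforcement authority.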

Interaction with GDPR and Other Regulations

The Data Act does not replace GDPR; it complements it.

For personal data, GDPR takes precedence. All standard requirements regarding lawful bases, data subject rights, and transfers continue to apply.

The Data Act extends data portability beyond the scope of GDPR’s Article 20. Where GDPR portability covers personal data processed on the basis of consent or contract, the Data Act covers all data generated by connected devices, regardless of the processing basis.

Key regulatory intersections:

Data Governance Act: Creates infrastructure for voluntary data sharing; the Data Act mandates specific sharing obligations

Digital Markets Act: Addresses platform gatekeeper behaviour; Data Act covers connected product ecosystems more broadly

ePrivacy: Continues governing electronic communications and device access

Free Flow of Non-Personal Data Regulation: Its self-regulatory codes of conduct on cloud switching are superseded in practice by the Data Act’s binding switching obligations on data processing service providers

International data transfer considerations remain relevant. Providers of data processing services must take all reasonable technical, organisational and legal measures to prevent international and third-country governmental access to non-personal data held in the Union where that access would conflict with Union or member state law.

Cloud Services and Data Portability

Cloud service providers face dedicated obligations.

Switching between data processing services must be facilitated. Users cannot be trapped by prohibitive exit fees or technical barriers. The notice period a customer must give may not exceed two months, and the switch itself must be completed within a transitional period of at most 30 days (extendable once, to no more than seven months, if the provider shows that 30 days is technically unfeasible). Switching charges must be phased out entirely by 12 January 2027; until then only reduced charges may be levied.

Covered service models include:

Software as a service
Platform as a service
Infrastructure as a service
Cloud and edge services generally

Interoperability standards will be developed to make switching between data processing providers genuinely practical.

Contractual requirements for data processing service providers include transparent terms about data portability, no excessive switching charges, and clear timelines for data retrieval.

Mobile network operators offering cloud services fall within the scope. So do providers of data processing services involving virtual assistants, software processing audio, gestures, or text to control connected products.

Enforcement and Penalties

Teeth back up these requirements.

Each member state designates national enforcement authorities. These bodies handle complaints, investigate violations, and impose sanctions.

For violations involving personal data, GDPR-level penalties apply. That means fines up to €20 million or 4% of global annual turnover.

For non-personal data violations, member states set proportionate penalties. Expect significant fines, though specific amounts vary by jurisdiction.

Users can challenge data-sharing refusals through enforcement authorities or courts. If a data holder refuses a legitimate request, the user has recourse.

Conclusion

The European Data Act has fundamentally changed how data from connected devices must be shared in the EU. Organisations that manufacture, sell, or support IoT products must act decisively to ensure compliance. By mapping data flows, updating systems, revising contracts, and integrating these obligations with existing GDPR and data governance programs, businesses can protect themselves from penalties while empowering users and fostering innovation.

Frequently Asked Questions

Do I need a legal representative if I’m outside the EU? 

Yes. Non-EU manufacturers or service providers offering connected products or related services in the EU market must designate a legal representative established in a member state. This mirrors the GDPR Article 27 representative requirement.

What data can be withheld for trade secret protection? 

Data holders can require confidentiality measures from users and recipients before sharing trade secrets, for example contractual non-disclosure terms and technical protection measures, and the recipient may use the data only for the agreed purpose. The holder can withhold the specific data only in exceptional cases where it can show it is highly likely to suffer serious economic damage, and that refusal must be substantiated in writing and notified to the competent authority. The balance protects legitimate commercial interests without undermining user rights.

How does the Data Act affect existing cloud service contracts? 

The Act applies from 12 September 2025, and its transitional rules (Article 50) carve out no separate treatment for the cloud switching obligations in Chapter VI, so providers must honour switching rights under existing contracts from that date. The rules on unfair contractual terms (Chapter IV) apply to contracts concluded after 12 September 2025 and, from 12 September 2027, to earlier contracts that are of indefinite duration or run for at least ten years from 11 January 2024. Review and renegotiate now rather than facing disputes later.