EU Data Act: New rules for data access, IoT data, and cloud portability effective from 12 September 2025

Utilize New Data Rights – Avoid Compliance Risks

Karl-Heinz Schwindt, Rechtsanwalt (Attorney at Law), Head of Corporate & Compliance, Arbitrator (DIS, ICC)

September 11, 2025

Original language: German

The EU Data Act (Regulation (EU) 2023/2854) entered into force on 12 January 2024. Following a transitional period, it applies directly in all member states from 12 September 2025. The aim of the EU Data Act is to facilitate the use and sharing of data within the EU, to promote innovation, and at the same time to create fair conditions of competition.


For internationally active companies, this brings about new rights, obligations, and opportunities in dealing with data.

  1. Key Elements of the EU Data Act

Access to Usage Data

Manufacturers of connected products and providers of associated services must enable users (businesses and consumers) to access the data generated by them.

Sharing with Third Parties

Users can request that their data be transmitted directly to third parties – for example, to service providers or business partners.

Obligations for Manufacturers & Providers

  • Data must be made readily accessible, free of charge, and in a machine-readable format.

  • Contract clauses that unduly restrict the use or sharing of data are invalid.

Public Authorities

Authorities receive access to company data in times of crisis or when there is a particular public interest (e.g., in energy crises, pandemics).

Cloud Portability

Switching between cloud providers must be made easier; so-called "Vendor Lock-in" should be prevented.

  2. Addressees and Practical Examples

Manufacturers of Connected Products

  • Mechanical engineering: Manufacturers of industrial CNC machines must provide operational and sensor data (e.g., via interfaces or dashboards).

  • Automotive industry: Car manufacturers must release the data generated in vehicles (e.g., driving and maintenance data, error messages) to customers and workshops.

  • Home technology/Smart Devices: Manufacturers of smart home devices (e.g., connected thermostats, heaters, household appliances) must make consumption and performance data accessible to users.

Providers of Digital Services & Data Infrastructures

  • Cloud providers must ensure data portability.

  • SaaS providers (e.g., ERP or CRM systems) must provide machine-readable data extracts.

  • Data intermediaries (e.g., mobility data marketplaces, energy data hubs, market data providers) must not stipulate unreasonable restrictions in terms and conditions.

Indirectly Affected – All Companies Using or Sharing Data

  • Workshops & Aftermarket Services can request vehicle data directly from the manufacturer.

  • Energy suppliers can use measurement data from smart meters for their own tariffs.

  • Agriculture: Farmers can have operational data from connected tractors forwarded to external optimization services.

  • Logistics companies can have real-time data from telematics providers transmitted to third-party platforms.

  3. Cloud Portability and Switching Requirements

A central element of the EU Data Act concerns "Data Processing Services" – i.e., Infrastructure, Platform, and Software-as-a-Service (IaaS, PaaS, SaaS). Special switching requirements will apply from 12 September 2025, designed to facilitate customer switching:

  • Ban on "Vendor Lock-ins": Providers may not impose technical or contractual barriers that make it difficult or impossible to switch.

  • Portability Deadlines: Data must be transferable within a maximum of 30 days.

  • Transparency Requirements: Providers must provide customers with clear information about data structures and interfaces.

  • Cost Regulation: Fees for switching will be completely prohibited from 2027.

  • Exit Strategies: Providers must actively support customers when moving data and applications.


Important:
For companies as customers of cloud and SaaS services, this means: more freedom of choice, less dependency on large providers ("Vendor Lock-in") – but also the need to adapt cloud strategies and contracts early on.

  4. Data Protection & Trade Secrets

The EU Data Act does not change the existing protection of personal data and trade secrets:

Trade Secrets

Even if the requested data contains trade secrets, it must in principle be made accessible to users or third parties. The prerequisite, however, is that the data holder has been able to take adequate protective measures beforehand, such as technical and organizational precautions or the conclusion of non-disclosure agreements (NDAs). The data holder determines which information is considered a trade secret. As long as no agreement is reached on the (appropriate) protective measures, disclosure may be temporarily refused.

Personal Data

The General Data Protection Regulation (GDPR) remains fully applicable. If the data also contains personal data, making it accessible, using it, or sharing it requires a legal basis under the GDPR (e.g., Art. 6 or Art. 20 GDPR). The EU Data Act itself does not create its own legal basis. In practice, it is therefore advisable to anonymize or pseudonymize personal data before disclosure.

  5. Significance for German Companies

  • New Opportunities: Access to machine and IoT data (e.g., from industrial plants, vehicles, IoT devices) opens up possibilities for new service and business models.

  • New Obligations: Manufacturers and providers must establish and operate interfaces and processes for data access and cloud portability in a legally compliant manner.

  • Contractual Adjustments: General terms and conditions, license agreements, and service agreements must be reviewed and adjusted in light of the invalidity of "unfair" clauses.

  • Compliance Risk: Failure to implement or inadequate implementation can lead to fines and reputational damage.

  • Strategic Relevance: Those who actively use the new data access rights can gain competitive advantages – especially in the aftermarket and digital services.

Recommendations for Data Governance, IT and Contract Compliance

  • Conduct Data Inventory: What data is being collected in the company? Who has had access so far?

  • Review Terms and Contractual Arrangements: Review supplier, service, and cloud contracts for "unfair" clauses and adjust if necessary.

  • Set Up Technical Processes: Provide interfaces and systems for data access and the access rights of users and third parties.

  • Develop Cloud Strategy: Ensure switching possibilities and portability.

  • Governance & Compliance: Establish responsibilities and internal processes for data access, sharing, and cooperation with authorities (IT policies).

  • Consider Data Protection & Trade Secrets: Comply with GDPR requirements when sharing data, and implement non-disclosure agreements (NDAs) and protective measures early in contract, IT, and compliance structures.

Conclusion

The EU Data Act creates a uniform legal framework for the use and sharing of data in Europe. For internationally active medium-sized companies, this means both new opportunities through better data access and new obligations in dealing with product and service data. Those who adapt internal processes, contracts, and compliance structures in good time can leverage the regulation as a competitive advantage.

Do you have questions on this topic or need support with implementation?
We specialize in International Business Law, Corporate Law, Compliance, and Contract Management.
Schedule a free initial call now!

INN.LAW
Insights & Updates

Plain Text in Business Law –
clear, practical, implementable.
