EU Data Act: New rules for data access, IoT data, and cloud portability effective from 12 September 2025

Utilize new data rights – avoid compliance risks.

Karl-Heinz Schwindt, Rechtsanwalt (Attorney at Law) and Head of Corporate & Compliance

Attorney, Head of Corporate & Compliance, Arbitrator (DIS, ICC)

September 11, 2025

Original language: German

On 12 January 2024, the EU Data Act (Regulation (EU) 2023/2854) came into force. Following a transition period, it applies directly in all member states from 12 September 2025. The aim of the EU Data Act is to facilitate the use and sharing of data within the EU, promote innovation, and at the same time create fair competitive conditions.

For international companies, this results in new rights, obligations, and opportunities in handling data.

1. Core Elements of the EU Data Act

Access to Usage Data

Manufacturers of connected products and providers of associated services must enable users (companies and consumers) to access the data generated by them.

Sharing with Third Parties

Users can request that their data be transferred directly to third parties, such as service providers or business partners.

Duties for Manufacturers & Providers

  • Data must be provided free of charge in an easily accessible, machine-readable format.

  • Contractual clauses that unreasonably restrict the use or sharing of data are invalid.

Public Authorities

In the event of a crisis or special public interest, authorities receive access to company data (e.g., during energy crises, pandemics).

Cloud Portability

Switching between cloud providers must become easier; so-called "vendor lock-in" should be prevented.

2. Addressed Parties and Practical Examples

Manufacturers of Connected Products

  • Mechanical Engineering: Manufacturers of industrial CNC machines must provide operational and sensor data (e.g., via interfaces or dashboards).

  • Automotive Industry: Car manufacturers must release in-vehicle generated data (e.g., driving and maintenance data, error messages) for customers and workshops.

  • Home Technology/Smart Devices: Manufacturers of smart home devices (e.g., connected thermostats, heaters, household appliances) must make usage and performance data accessible to users.

Providers of Digital Services & Data Infrastructures

  • Cloud providers must ensure data portability.

  • SaaS providers (e.g., ERP or CRM systems) must provide machine-readable data extracts.

  • Data intermediaries (e.g., mobility data marketplaces, energy data hubs, market data providers) may not impose unreasonable restrictions in their terms and conditions.

Indirectly Affected – All Companies that Use or Share Data

  • Workshops & Aftermarket Services can request vehicle data directly from the manufacturer.

  • Energy suppliers can use measurement data from smart meters for their own tariffs.

  • Agriculture: Farmers can have operational data from connected tractors forwarded to external optimization services.

  • Logistics companies can have real-time data from telematics providers transferred to third-party platforms.

3. Cloud Portability and Switching Requirements

A central element of the EU Data Act concerns "Data Processing Services" – i.e., infrastructure, platform, and software-as-a-service (IaaS, PaaS, SaaS). From 12 September 2025, special switching obligations will apply to facilitate customer switching:

  • Prohibition of "Vendor Lock-ins": Providers may not establish technical or contractual barriers that complicate or prevent switching.

  • Portability Deadlines: Data must be transferable within a maximum of 30 days.

  • Transparency Obligations: Providers must provide customers with clear information on data structures and interfaces.

  • Cost Regulation: Fees for switching will be completely prohibited from 2027 onwards.

  • Exit Strategies: Providers must actively support customers in moving data and applications.

Important:
For companies as customers of cloud and SaaS services, this means: more freedom of choice, less dependency on large providers ("vendor lock-in") – but also the need to adapt cloud strategies and contracts early.

4. Data Protection & Trade Secrets

The EU Data Act does not change the existing protection of personal data and trade secrets:

Trade Secrets

Even if requested data contains trade secrets, it must generally be made accessible to users or third parties. However, the prerequisite is that the data owner was able to take appropriate protective measures beforehand, for example through technical and organizational arrangements or the conclusion of non-disclosure agreements (NDAs). The data owner determines which information is deemed a trade secret. As long as no agreement on the (appropriate) protective measures is reached, the release may be temporarily refused.

Personal Data

The General Data Protection Regulation (GDPR) remains fully applicable. If the data also contains personal data, its accessibility, use, or sharing requires a legal basis under the GDPR (e.g., Art. 6 or Art. 20 GDPR). The EU Data Act itself does not create its own legal basis. In practice, it is therefore advisable to anonymize or pseudonymize personal data before disclosing it.

5. Importance for German Companies

  • New Opportunities: Access to machine and IoT data (e.g., from industrial plants, vehicles, IoT devices) opens up new scope for service and business models.

  • New Obligations: Manufacturers and providers must set up interfaces and processes for data access and cloud portability and operate them in a legally compliant manner.

  • Contractual Adjustments: Business terms, license, and service agreements must be reviewed and adjusted with regard to the invalidity of "unfair" clauses.

  • Compliance Risk: Inadequate or insufficient implementation can lead to fines and reputational damage.

  • Strategic Relevance: Those who actively utilize the new data access rights can gain competitive advantages – especially in the aftermarket and in digital services.

Recommendations for Data Governance, IT, and Contract Compliance

  • Conduct a Data Inventory: What data is generated in the company? Who has access so far?

  • Review Terms and Contractual Regulations: Inspect supplier, service, and cloud contracts for "unfair" clauses and adjust if necessary.

  • Establish Technical Processes: Provide interfaces and systems for data access and user and third-party access rights.

  • Develop a Cloud Strategy: Ensure switching options and portability.

  • Governance & Compliance: Define responsibilities and internal processes for data access, sharing, and cooperation with authorities (IT policies).

  • Consider Data Protection & Trade Secrets: When sharing data, comply with GDPR requirements and implement non-disclosure agreements (NDAs) and protective measures early in contractual, IT, and compliance structures.

Conclusion

The EU Data Act creates a uniform legal framework for the use and sharing of data in Europe. For internationally active medium-sized companies, this means new opportunities through better data access and new obligations in handling product and service data. Those who adjust internal processes, contracts, and compliance structures in good time can use the regulation as a competitive advantage.

Do you have any questions on this topic, or do you need assistance with implementation?
We specialize in International Business Law, corporate law, compliance, and contract management.

Schedule a non-binding initial consultation now!

