
Data Act: EU Commission publishes new FAQ - here's what it says!

The most important legal framework conditions of the Data Act and the biggest challenges for companies.

The Data Act (Regulation EU 2023/2584) sets out new rules for fair access to and use of data in the EU. The European Commission has published a new FAQ on technical and legal issues related to the implementation of the Data Act. We provide an overview of the most important provisions and explain the challenges for companies.

Interactions between the Data Act and GDPR

The Data Act aims to increase market dynamics in the Internet of Things (IoT), facilitate data portability and improve data exchange between companies (B2B) and between companies and the public sector (B2G). It is designed as a horizontal regulation that applies across all sectors.

The Data Act is not a data protection law! It regulates access to and use of data. The General Data Protection Regulation (GDPR) remains fully applicable insofar as personal data is concerned.

Article 1(5) of the Data Act clarifies that in the event of a conflict between the two sets of rules, the GDPR takes precedence. This means that personal data may only be processed and disclosed in accordance with the GDPR.

Another important difference:

  • GDPR (Article 20) grants data subjects the right to data portability under certain conditions (only for personal data and if it was processed on the basis of consent or a contract).
  • Data Act (Articles 4, 5) extends this right considerably: non-personal data is also included, and there is no restriction as to the legal basis.

Scope and data categories of the Data Act

The Data Act concerns in particular raw and pre-processed data generated by connected products or associated digital services. There are different types of data that fall within the scope of the regulation:

Product data is data that is generated by IoT devices. For example, through sensors that record information about the use, performance or environment of the product. This data can be used to improve the efficiency and functionality of products or to develop new business models based on it.

Service-related data, on the other hand, is generated during the use of a networked service. This includes, for example, data generated in apps or cloud-based platforms when users use these services. This data is often crucial for optimizing services and providing personalized user experiences.

In addition, there is data that falls under trade secrets and therefore enjoys special protection. Such data has a high economic value as it can contain strategic information about companies. The Data Act ensures that this information remains protected. At the same time, access to less sensitive but commercially valuable data is facilitated.

Direct vs. indirect access

The Data Act also distinguishes between direct and indirect access to data. This distinction is of central importance as it creates different technical and legal frameworks for the use of data.

Direct access means that the user can access the generated data directly, without additional authorization or mediation. This can be made possible, for example, by an API or a user interface via which the user can access the data in real time. Direct access promotes transparency and facilitates the immediate further processing of the data by the user or by commissioned third parties.

Indirect access, on the other hand, requires the user to submit a request to the data controller in order to obtain the data. In this case, the data controller decides on the provision and can, for example, require compliance with certain protective measures or agreements on use. This form of access is particularly relevant if business secrets need to be protected or if there are specific regulatory requirements for the transfer of data.

The choice between direct and indirect access has a significant impact on the economic usability of data, the protection of sensitive information and the enforcement of users' rights. While direct access enables faster and more flexible use, indirect access offers more control options for data holders, for example to ensure security and data protection requirements.

Interoperability and cloud switching

A central goal of the Data Act is the avoidance of vendor lock-in for cloud services. Open interfaces and standardized formats should enable companies to migrate their data easily between different service providers. This should ensure that customers are not permanently tied to a specific cloud provider, but can decide flexibly where their data is stored and processed.

Interoperability means that cloud services must be compatible with each other to enable a seamless transition. Providers are obliged to provide standardized interfaces that ensure secure and loss-free data transfer. This makes it easier for companies to switch between different cloud platforms and promotes competition in the market for cloud services.

In addition, the Data Act stipulates that cloud providers must gradually reduce their switching costs by 2027 and ultimately abolish them completely. This is intended to keep high switching costs from deterring companies from changing their cloud provider. This will create greater flexibility, especially for SMEs that were previously tied to one provider due to financial hurdles.

Rights and obligations of market players

The regulation defines clear rights for users of connected products as well as specific obligations for data owners and third parties. Users have the right to access the data they generate and to share it with third parties. This is particularly important for alternative maintenance services or service providers who can access the required data independently of the manufacturer of the connected product. Special protection applies to small and medium-sized enterprises (SMEs). They are protected from unreasonably high fees for data access.

Data owners, i.e. manufacturers or service providers who manage the generated data, must pass on data to authorized users and third parties under certain conditions. They can demand a reasonable fee for this, provided the recipient is not an SME or a non-profit organization. However, the protection of business secrets remains intact: if disclosing the data would lead to significant economic disadvantages, companies can refuse to disclose it. This protective measure is known as the "trade secrets handbrake" and serves to ensure that innovation protection is not jeopardized.

Third parties who receive data from users or data holders are subject to strict conditions. They may only use the data for the purposes agreed with the user. In particular, they are prohibited from using this data to develop a competing product or from selling or passing it on to large platform operators (gatekeepers within the meaning of the Digital Markets Act). This regulation is intended to prevent dominant market participants from gaining unfair competitive advantages through preferential access to data.


Enforcement and sanctions

Each EU Member State is obliged to designate a competent authority to monitor compliance with the Data Act. This authority has the task of ensuring that companies fulfill their obligations and that users are granted their legally guaranteed rights. Violations of the Data Act may result in legal consequences, whereby the level of penalties depends on the national regulations of the respective member states. The authorities are authorized to impose sanctions, which may include both financial and administrative measures.

Companies must ensure that their data processing systems meet the requirements of the Data Act in order to avoid penalties. In particular, this includes the provision of data access options for authorized users and compliance with the regulations on interoperability and data portability. Failure to comply with the requirements can result in companies facing severe fines or restrictions on their business activities.

The national authorities work closely with the European Commission to ensure uniform implementation of the regulations. The Commission monitors the general enforcement of the Data Act at European level and can take measures in the event of systematic violations. Companies should therefore adapt their internal processes and ensure that they implement the regulatory requirements in good time in order to avoid sanctions.

Each Member State must have a competent authority that monitors compliance with the Data Act.

Data Act and challenges for companies

The Data Act represents a comprehensive regulatory measure that presents companies with numerous new challenges. In order to meet the new legal requirements, companies must take measures at an early stage. Manufacturers and platform operators in particular are obliged to provide technical interfaces that enable direct and indirect access to data. This may require considerable investment in IT infrastructures and security measures in order to meet the requirements for data access and transfer without jeopardizing the protection of business secrets or the security of systems.

For companies that offer networked products or digital services, the Data Act means an increased obligation to provide data to users and third parties acting on the basis of user consent. They must ensure that data is made available in a standardized and interoperable format in order to promote competition and enable data portability. At the same time, they are obliged to introduce appropriate protection mechanisms for sensitive or protected data and only allow its disclosure under clearly defined conditions.

Especially for SMEs, the Data Act opens up new opportunities. Facilitated access to data allows them to expand their business models and develop innovative data-driven services. At the same time, they must be careful not to incur excessive costs for the use of this data, as the legislator has established clear rules for fair and appropriate remuneration. For data holders, this means that they must adapt their pricing structures and set transparent, non-discriminatory conditions for the use of data.

Cloud providers are also facing new obligations. They must make it easier to switch between their services. This includes the provision of open interfaces and the reduction of switching costs by 2027. This will allow companies that rely on cloud services to act more flexibly and reduce dependencies on specific providers.

Time is running out: The Data Act will apply from September

The Data Act will entail far-reaching changes for the European data economy. As the regulation will be fully applicable from September 12, 2025, there is limited preparation time to adapt processes and technical solutions accordingly. Early measures to implement the new requirements are therefore essential in order to avoid legal risks and benefit from the new opportunities of the data economy.


Source: FAQ on the Data Act of the EU Commission (Version 1.2)
