Addressees of the EU Data Act: Who is affected and what obligations apply?

The addressees of the Data Act are broadly defined.
Categories:
,
{ "@context": "https://schema.org", "@type": "BlogPosting", "@id": "https://2b-advice.com/de/2025/07/11/adressaten-des-eu-data-act-wer-ist-betroffen-und-welche-pflichten-gelten/#article", "headline": "Addressees of the EU Data Act: Who is affected and what obligations apply?", "image": [ "https://2b-advice.com/wp-content/uploads/2025/07/EU-Data-Act-Adressaten.jpg" ], "datePublished": "2025-07-11", "dateModified": "2025-07-11", "author": { "@id": "https://2b-advice.com/de/aristotelis-zervos/#person" }, "publisher": { "@type": "Organization", "@id": "https://2b-advice.com/#organization", "name": "2B Advice", "url": "https://2b-advice.com/", "logo": { "@type": "ImageObject", "url": "https://2b-advice.com/wp-content/uploads/2024/02/Ailance_Logo_Yellow_White_large_RGB.png" } }, "mainEntityOfPage": "https://2b-advice.com/de/2025/07/11/adressaten-des-eu-data-act-wer-ist-betroffen-und-welche-pflichten-gelten/" }
Picture of Aristotelis Zervos

Aristotelis Zervos

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in Data protectionIT compliance and AI regulation.

The EU Data Act (EU Regulation 2023/2854) came into force on January 11, 2024 and, after a transition period as of September 12, 2025 directly applicable in all EU Member States. The aim is to facilitate access to the growing volume of industrial and IoT (Internet of Things) data and promote innovative business models. To date, an estimated 80 % of all industrial data has remained unused. Often because only manufacturers or large companies control this data. The Data Act is now intended to Users more control over the data they generate and the Data transfer on Third under fair conditions. The following section looks at this, which actors (addressees) the Data Act specifically covers and which new obligations, especially for manufacturers and service providers apply.

Who are the addressees of the Data Act?

The Data Act follows the market location principle and therefore covers aAll companies that offer connected products or associated digital services in the EU, regardless of where the company is based. The regulation therefore also affects non-European manufacturers and service providers as soon as their products or services are placed on the market or offered in the EU. Specifically, Art. 1 Data Act names the following addressees:

  • Manufacturer of networked products (e.g. manufacturers of IoT devices, smart machines, connected vehicles) and providers of connected servicesthat are offered in the EU. This also includes software or apps without which a smart device could not function (e.g. the app for controlling a smart home device or the software of a networked machine).
  • Users of the aforementioned networked products and services in the EU. This includes both Consumers (private individuals) and Commercial users (e.g. companies that use IoT devices or buy/lease machines).
  • Data owner (data holder). This refers to natural or legal persons who are authorized or obliged to provide data from networked products or services. In practice, this usually coincides with the manufacturers/providers of the products.
  • Data recipient. These are Thirdto whom data is made available. This includes companies to which a user has their device data passed on, e.g. external service providers, repair workshops or other third parties.
  • Provider of data processing services. In particular Cloud service providerwho offer their services to customers in the EU. This group is covered by the Data Act, as the regulation aims to promote data portability and simple provider changes in the cloud sector.
  • Public bodies and authorities in the EU. Although they are not explicitly named as "obligated" addressees in the scope of application of Art. 1, the Data Act grants Authorities and public institutions under certain conditions to request data from companies. Chapter V of the Data Act regulates the Data exchange between the state and the private sector (B2G) and defines when authorities may request access to data in the public interest.

Very broadly defined group of addressees in the Data Act

In addition to these main addressees, the Data Act also includes Participants in data rooms and smart contract applications one. For example, this includes people or companies that provide smart contracts for others to automatically execute data exchange agreements.

Also Seller, lessor and lessor belong to the group of Data Act addressees. They are subject to pre-contractual Duty to inform (see below).

Overall, the circle of addressees is therefore very broad. "All players in the data-based economy" can be affected by the Data Act, from IoT manufacturers and users to cloud providers and authorities.

Reading tip: EU publishes FAQ on the Data Act

Exceptions: The Data Act applies to these companies to a limited extent

Micro and small companies (less than 50 employees and ≤ €10 million annual turnover/annual balance sheet) are exempt from many obligations. The legislator wants to relieve the burden on very small companies. Unless they are partner companies or affiliated with companies that do not qualify as micro or small enterprises. However, larger medium-sized companies (50 employees or more) must implement the requirements. There are also exceptions for research institutions.

At the heart of the Data Act, however, are the manufacturers of networked devices and providers of the associated services. This is because they are typically also the Data owner. For them, this results in far-reaching New obligationsto facilitate data access for users and Third to ensure that

Ensure data access for users

Perhaps the most important innovation is the Right of the user to access the Usage data of his product. The data controller (e.g. the manufacturer) must provide the user with free of charge and, if technically possible, provide continuous direct access to the data generated by the device in real time. In practical terms, this means that products and services technically designed that the user can access the data. Manufacturers must therefore provide interfaces or functions in the product design that enable data retrieval. One Transmission of the data to the user "at home" is not mandatory. It is sufficient, for example, if the user can view or retrieve the data on the manufacturer's servers.

Refuse the data owner may only grant access for strictly limited reasons. For example, if the disclosure of specific data records would reveal information relevant to business secrets. But even then, reasonable partial access or protective measures (e.g. Anonymizationconfidentiality agreement) is required in order to restrict user data access as little as possible. Abuse of this exemption option is prohibited.

Transparency and Duty to inform

Transparency and Duty to inform: Already before concluding a contract Data owners must provide comprehensive information about a networked product or service. Users should know before buying/renting/using, Which data generates and stores the product, like and how long they are stored, who has access to it and like the user himself can access it. It must also be disclosed whether data can be passed on to potential data recipients and under what conditions.

This transparency obligation is similar to the idea of a data "product description" and is intended to avoid surprises: The user learns, for example, whether their Smart TV Usage data and whether these are Third (such as service partners). In Germany, this will mean that manufacturers will have to supplement their product information and general terms and conditions accordingly.

Agree rights of use

Data owners must contractually secure the necessary Rights of use to the data generated by their products can be granted. Until now, it has often been unclear who "owns" the non-personal IoT data. In future, contracts (e.g. purchase/user contracts) should stipulate that the manufacturer/service provider may use the data generated by the device and pass it on under the conditions of the Data Act.

These clauses create legal certainty, but are No carte blanche for exclusive use of data: The Data Act makes it clear that manufacturers must pay for the Usage data no longer exclusively utilize but must share them at the request of the user.

Data transfer to Third at the request of the user

Users of IoT devices receive the right, your data to Third of their choice. If the user requests it, the data controller must provide certain Usage data immediately and, if possible, in real time to a person designated by the user. Data recipient (third-party provider). This can even be a Competitors of the manufacturer. This right is intended to Follow-up and additional services be promoted. For example, independent garages, insurance companies or analysis service providers can gain access to data via the user's detour, which was previously often monopolized by the manufacturer.

For the provision of the data to the third party, the data controller may, in principle, request a Remuneration demand, but only on fair and reasonable terms (FRAND principle). Excessive prices or discriminatory conditions are not permitted. A reasonable margin on the provision costs is permitted. Exception: The receiving Third is an SME. From small and medium-sized data-receiving companies no margin may be demanded at all become. The EU Commission will Guidelines for appropriate fees in order to facilitate practical application.

Contractual clauses and "anti-abuse" rules

In order to address power imbalances, the Data Act prohibits unfair contract terms in data contracts between companies. Particularly in B2B constellations with unequal negotiating power, no unilateral conditions may be imposed that deviate significantly from good business practice and violate good faith. Clauses that oblige the user to agree to the transfer of data are considered unfair. all of his or her data in a blanket manner, or which give the data owner far-reaching Liability without consideration. Such conditions are legally invalid. In case of doubt, the data owner must prove that its clauses fair and appropriate are.

These regulations are intended to strengthen small and medium-sized customers in particular, who have often had to accept less favorable contractual conditions in the past. And they are intended to fair competitive conditions by preventing powerful market players from cementing their position through non-transparent or one-sided contracts. In addition, in relation to Data owner - Data recipient expressly applies the FRAND principle (fair, reasonable and non-discriminatory) for data access.

Data market to become fairer

From 2025, the EU Data Act will introduce a new data usage regime that will have an impact across all sectors. Manufacturer and data owner in Germany must focus on Extended information and disclosure obligations set, Users gain comprehensive Data rights, Data recipient new possibilities subject to conditions.

The regulation does not stand alone, but complements and modifies the existing legal framework: from data protection and competition rules to administrative procedures. Companies would do well to use the remaining time to Compliance measures to initiate: internal Data inventories contracts, set up technical interfaces and train employees. At the same time, the opportunities should not be overlooked: A fairer data market can Innovation and competition and everyone involved benefits from this.

Source: EU Data Act (Regulation 2023/2854)

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPRIT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his Author profile page.

Contact us
Tags:
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts