EU Data Act — Regulation (EU) 2023/2854
The EU Data Act (2023/2854) governs fair access to and use of IoT data, cloud switching, and data sharing for businesses and consumers.
Summary
The EU Data Act, Regulation (EU) 2023/2854, is the second key legislative instrument of the European Data Strategy after the Data Governance Act. It establishes harmonised rules on fair access to and use of data generated by connected products and related services.
The regulation addresses a core problem of the data economy: although users of connected devices — from smart home systems to industrial machines — generate substantial volumes of data, it was primarily device manufacturers who could access and commercially exploit this data. The Data Act strengthens users' rights to access their IoT data and share it with third parties.
Furthermore, the Data Act regulates switching between cloud services by gradually eliminating switching and porting fees, and sets rules against unfair contractual terms in data access agreements between businesses. The regulation applies from 12 September 2025, with transitional periods for certain obligations extending to 2027.
History
The Data Act traces back to the European Data Strategy presented in February 2020, which announced a comprehensive framework for the data economy. On 23 February 2022, the European Commission published the Data Act proposal — the second legislative instrument of this strategy after the Data Governance Act.
In June 2023, Parliament and Council reached a provisional political agreement. The European Parliament adopted the regulation on 9 November 2023, and the Council approved it on 27 November 2023. The Data Act was published in the Official Journal on 22 December 2023 and entered into force on 11 January 2024. The majority of provisions apply from 12 September 2025, with transitional periods for device design obligations (September 2026) and certain legacy contracts (September 2027).
Scope
The Data Act affects a broad range of economic actors in the EU and beyond:
- Manufacturers of connected products: Manufacturers of IoT devices (smart home devices, connected vehicles, industrial machinery, wearables) must design their products to enable users to access the data generated.
- Providers of related services: Providers of digital services necessary for the functionality of connected products (e.g. companion apps, cloud backends) are subject to data access obligations.
- Users of connected products: Both consumers and businesses that use or lease connected products gain a statutory right to access the data generated by their devices.
- Cloud providers (IaaS, PaaS, SaaS): Providers of cloud and edge services must facilitate seamless switching between providers and gradually eliminate switching fees by January 2027.
- Data holders and recipients: All businesses that provide or receive data in a B2B context are subject to fairness requirements on contractual terms.
- Public sector bodies: In exceptional situations (e.g. emergencies), public sector bodies may request access to business data.
Key Requirements
- Data access for users (Chapter II): Users of connected products have the right to access the data generated by their devices — free of charge, continuously, and in real time, in a comprehensive, structured, and machine-readable format.
- Data sharing with third parties (Chapter III): Users can instruct the data holder to share data with third parties; the data holder must comply without undue delay and on fair terms.
- Protection against unfair contractual terms (Chapter IV): Unilaterally imposed contractual terms in data access agreements between businesses are subject to a fairness test; certain clauses are deemed unfair per se.
- Cloud switching and interoperability (Chapter VI): Cloud providers must technically enable switching within 30 days; switching fees will be fully eliminated from January 2027.
- Data access for public sector bodies (Chapter V): Public sector bodies may in exceptional circumstances (public emergencies, statistics) request access to business data — free of charge in emergencies.
- Protection of trade secrets (Art. 4(6), Art. 5(9)): Data holders may take proportionate measures to protect trade secrets but must not refuse data access on a general basis.
Predecessors
Related Frameworks
Corrections & Errata
The most important date for practical application is 12 September 2025. Additionally, Art. 3(1) (accessibility by design) applies to connected products placed on the market after 12 September 2026.
Full details on the errata page →If the entry states entry into force in 2023, this is incorrect: the Data Act (EU) 2023/2854 was published 22 December 2023 and entered into force on 11 January 2024 (20 days after publication). Main application from 12 September 2025.
Full details on the errata page →