Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
Digital Markets

EU Data Act — Regulation (EU) 2023/2854

The EU Data Act (2023/2854) governs fair access to and use of IoT data, cloud switching, and data sharing for businesses and consumers.

LinkedIn X WhatsApp

Summary

The EU Data Act, Regulation (EU) 2023/2854, is the second key legislative instrument of the European Data Strategy after the Data Governance Act. It establishes harmonised rules on fair access to and use of data generated by connected products and related services.

The regulation addresses a core problem of the data economy: although users of connected devices — from smart home systems to industrial machines — generate substantial volumes of data, it was primarily device manufacturers who could access and commercially exploit this data. The Data Act strengthens users' rights to access their IoT data and share it with third parties.

Furthermore, the Data Act regulates switching between cloud services by gradually eliminating switching and porting fees, and sets rules against unfair contractual terms in data access agreements between businesses. The regulation applies from 12 September 2025, with transitional periods for certain obligations extending to 2027.

History

The Data Act traces back to the European Data Strategy presented in February 2020, which announced a comprehensive framework for the data economy. On 23 February 2022, the European Commission published the Data Act proposal — the second legislative instrument of this strategy after the Data Governance Act.

In June 2023, Parliament and Council reached a provisional political agreement. The European Parliament adopted the regulation on 9 November 2023, and the Council approved it on 27 November 2023. The Data Act was published in the Official Journal on 22 December 2023 and entered into force on 11 January 2024. The majority of provisions apply from 12 September 2025, with transitional periods for device design obligations (September 2026) and certain legacy contracts (September 2027).

Scope

The Data Act affects a broad range of economic actors in the EU and beyond:

  • Manufacturers of connected products: Manufacturers of IoT devices (smart home devices, connected vehicles, industrial machinery, wearables) must design their products to enable users to access the data generated.
  • Providers of related services: Providers of digital services necessary for the functionality of connected products (e.g. companion apps, cloud backends) are subject to data access obligations.
  • Users of connected products: Both consumers and businesses that use or lease connected products gain a statutory right to access the data generated by their devices.
  • Cloud providers (IaaS, PaaS, SaaS): Providers of cloud and edge services must facilitate seamless switching between providers and gradually eliminate switching fees by January 2027.
  • Data holders and recipients: All businesses that provide or receive data in a B2B context are subject to fairness requirements on contractual terms.
  • Public sector bodies: In exceptional situations (e.g. emergencies), public sector bodies may request access to business data.

Key Requirements

  • Data access for users (Chapter II): Users of connected products have the right to access the data generated by their devices — free of charge, continuously, and in real time, in a comprehensive, structured, and machine-readable format.
  • Data sharing with third parties (Chapter III): Users can instruct the data holder to share data with third parties; the data holder must comply without undue delay and on fair terms.
  • Protection against unfair contractual terms (Chapter IV): Unilaterally imposed contractual terms in data access agreements between businesses are subject to a fairness test; certain clauses are deemed unfair per se.
  • Cloud switching and interoperability (Chapter VI): Cloud providers must technically enable switching within 30 days; switching fees will be fully eliminated from January 2027.
  • Data access for public sector bodies (Chapter V): Public sector bodies may in exceptional circumstances (public emergencies, statistics) request access to business data — free of charge in emergencies.
  • Protection of trade secrets (Art. 4(6), Art. 5(9)): Data holders may take proportionate measures to protect trade secrets but must not refuse data access on a general basis.

Predecessors

DGA

Related Frameworks

DGA

Corrections & Errata

2026-QA-268 Update 29 May 2026
Main application date 12 September 2025 should be a central key_date

The most important date for practical application is 12 September 2025. Additionally, Art. 3(1) (accessibility by design) applies to connected products placed on the market after 12 September 2026.

Full details on the errata page →
2026-QA-267 Correction 29 May 2026
Verify entry-into-force date: 11 January 2024, not 2023

If the entry states entry into force in 2023, this is incorrect: the Data Act (EU) 2023/2854 was published 22 December 2023 and entered into force on 11 January 2024 (20 days after publication). Main application from 12 September 2025.

Full details on the errata page →

Content last reviewed: 29 May 2026. Found an error or need an update? [email protected]