The Data Act made simple: implications and obligations

Digital data forms the backbone of many business models. However, with the rise of connected devices and data-driven services, the need for regulatory oversight is growing. This is where the European Union’s Data Act comes into play: it aims to establish a binding framework for the fair access to and use of data across the EU.

In contrast to the current norm where massive amounts of data generated by digital products and services are typically controlled solely by manufacturers or service providers the Data Act mandates broader accessibility. Non-personal data, in particular, should also be available to users, third parties, and public authorities.

But what exactly does this mean for service providers, and what specific changes will they face? This article provides an in-depth look at the key aspects.

Content of the article:
• What is the Data Act?
• What are the objectives of the Data Act?
• When will the Data Act come into effect?
• What does the Data Act mean for organizations?
• What obligations do affected organizations have?
• Conclusion: Rethinking how we handle data

What is the Data Act?

The Data Act is a regulation introduced by the European Union to govern access to and the use of non-personal data. Its primary goal is to enhance the economic value of data while creating fairer competition conditions.

Together with the Data Governance Act (in force since September 2023), the Data Act aims to ensure secure and reliable data access. Both regulations are designed to promote a more equitable distribution of data value across the economy.

In practical terms, this means that connected products and digital services must be designed to allow not only manufacturers, but also users and authorized third parties (such as public bodies), to access and use the generated data. Importantly, the Data Act does not override existing laws such as the GDPR. It is instead intended to complement and align with them.

What are the objectives of the Data Act?

The Data Act aims to make data access fairer, safer, and more transparent. At its core is the idea that data can deliver greater societal and economic value when made available under clearly defined rules. The EU Commission has outlined five key measures:

1.) Creating legal clarity for data usage:
The Data Act defines under what conditions data, especially from connected devices, can be accessed and used. Until now, it was often unclear who could use such data, under what circumstances, or what rights users had.

The Data Act introduces clear rules for companies and consumers alike. It specifies, for instance, that users and authorized third parties must have access to relevant data. At the same time, it ensures that incentives to invest in high-quality data collection remain intact.

2.) Reducing imbalances in data contracts:
Large providers often dominate the market and impose one-sided contract terms. The Data Act aims to counter these unfair practices and foster fair competition by evening the playing field.

3.) Enabling public sector access to data:
In certain situations, such as crises or natural disasters, authorities are intended to be able to access relevant, non-personal data from the private sector more easily. This provision is intended to help public bodies with a more swift and effective response to emergencies, without placing undue burdens on businesses.

4.) Making cloud switching easier:
Customers of data processing services should be able to switch providers more easily. To that end, the Data Act seeks to remove technical and contractual barriers.

This will not only strengthen user autonomy but also stimulate a more competitive European cloud market. Additionally, it introduces interoperability standards, ensuring smooth data exchange between different systems.

5.) Clarifying database protection rules:
The Data Act also revises aspects of the current Database Directive. Many modern databases contain data that is automatically generated and collected by connected systems. The current "sui generis" database protection has been legally ambiguous.

The Data Act clarifies when this protection applies and when it does not. Its goal is to strike a transparent balance between the interests of those who manage databases and those who seek to use them—aligned with broader EU data policy objectives.

When will the Data Act come into effect?

The Data Act was officially published in the Official Journal of the EU on June 22, 2023, and formally entered into force on January 11, 2024. After a transitional period, the regulation will become fully binding across all EU Member States starting September 12, 2025.

What does the Data Act mean for organizations?

Organizations that offer or use cloud solutions, connected devices, or digital services are directly affected by the Data Act—particularly those in industrial sectors. It is irrelevant whether they generate the data themselves or merely process it.

Key impacts include:

• Manufacturers of connected devices or digital products must ensure access to non-personal data generated by users.
• Data holders must make certain data available to third parties such as official authorities when a legitimate interest exists.
• Cloud service providers must implement mechanisms to facilitate seamless switching between cloud platforms.
• Public authorities must be granted access to data under specific circumstances, such as during emergencies or crises. Organizations are required to comply with such requests.

As a general rule, all organizations are subject to the Data Act. The only exception applies to micro and small enterprises with fewer than 50 employees and an annual turnover below ten million euro, provided they are not subsidiaries of larger companies or acting as subcontractors (see the official EU Regulation, Recital 41).

What obligations do affected organizations have?

• Assess relevance: Evaluate whether your own products or services fall within the scope of the Data Act. This includes offerings like connected devices, data-based services or data processing services (e.g. cloud providers).
• Create a data inventory: Identify what types of non-personal data are generated through the use of your products or services, how this data is stored, and who has access. A structured inventory also reveals which data might be valuable for different business units.
• Exclude personal data: Since the Data Act focuses on non-personal data, it is essential to clearly separate personal from non-personal data. In cases of mixed datasets, where individual identification might be possible, it must be evaluated whether GDPR or other data protection laws apply.
• Define sensitive data: Not all data must be shared freely. Organizations must determine which types of information are considered particularly sensitive, such as trade secrets or security-relevant data.
  Attention: This sensitivity must be objectively justified.
• Implement technical interfaces: Systems must be able to provide data in a structured, machine-readable, and secure format, whether for users, third parties or cloud-to-cloud migration scenarios.
• Adapt contractual frameworks: All contractual agreements involving data usage must be aligned with the Data Act. It is advisable to prepare standardized contract templates, including those covering consent management if required.

Conclusion: Rethinking how we handle data

The Data Act represents a turning point in how data is handled within the EU. Organizations are not only subject to new responsibilities, but also gain opportunities in the evolving data economy.

By introducing a legally binding framework, the EU aims to make data usage fairer, more transparent, and more accessible. For many companies, this will require strategic and structural adjustments.

Ultimately, the Data Act reflects a shift in European data policy: data is no longer to be locked away. Instead, non-sensitive data is supposed to be shared responsibly and fairly.