The recently enacted Data Act will become applicable in September 2025, but businesses will soon want to start preparing for this critical, wide-ranging piece of legislation which sets the new EU rules for the use and access of data, particularly within the Internet of Things (IoT) technologies.

Who does it apply to?

The adoption of rapidly developing technologies by consumers and businesses will significantly increase the amount of data created and used worldwide. Europe has already witnessed a growth in the number of deals involving data centres in 2023, and is building the infrastructure needed for the upcoming floods of data.

Despite the already vast amount of data generated annually the majority remains unused, which in turn hinders the growth of data hungry enterprises developing highly innovative data-driven products and services. 

To tackle this issue, the EU Data Act imposes new obligations on those providing “connected products” (i.e. IoT devices) and related services. The obligations generally relate to “product data” (which is data intended to be retrieved from the connected product) and “service data”. Those most affected by the regulation will be: 

  • Providers of IoT devices
  • Third parties wanting to access IoT data
  • Those licensing data on standard form terms

Users’ rights to IoT data

Smart, high-tech IoT technologies are now being used in once thought more conservative, low-tech industries.  The construction industry, for example, is tapping into the wave of technological innovation and making use of Artificial Intelligence, cloud computing and IoT to transition into Construction 4.0. 

The Data Act will allow users of IoT products and related services in the construction industry to access product and service data in a comprehensive, structured, commonly-used and machine-readable format or, if technically not feasible, such data should be provided on request. This means that construction companies will be able to analyse the data of IoT devices on construction equipment to improve performance or plan preventive maintenance. 

Users can ask, to the extent readily available, that this data is made directly available to a third party, where feasible, continuously and in real time which has the possibility to greatly optimise supply chain management in the construction sector.  

Additional disclosure obligations will apply to providers of connected devices, and related services. These providers should inform users of the data collected and data made available to the user prior to entering into a contract.

Providers and users of cloud services 

The Data Act is not limited to providers of IoT devices and related services. Cloud providers will be subject to a range of obligations to assist their customers to switch providers. 

This includes new provisions that must be contained in cloud contracts and controls on charges for switching services. There are also restrictions on cloud providers providing unlawful access to non-personal data to third country governments.

What next 

The Data Act entered into force on 11 January 2024 and will become applicable on 12 September 2025. However, some of the provisions will apply after September 2025. These include:

  • Obligations concerning the accessibility of product data and related service data by design and by default (Article 3(a)) will apply products and the services related to them placed on the market after 12 September 2026
  • Provisions relating to the unfair contractual terms on data access and use between enterprises (Chapter IV) will apply from 12 September 2027 to contracts concluded on or before 12 September 2025 provided that they are: (a) of indefinite duration; or (b) due to expire at least 10 years from 11 January 2024.

Finally, providers will not apply switching charges on the customer for the switching process from 12 January 2027.

Read more in our recent DigiLinks blogpost: EU – The “Data Act”: New rules on switching cloud services and IoT data