What is the Data Act and why is it important?
In a rapidly evolving digital environment, data is becoming a key competitive advantage and a strategic resource for numerous industries. Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act) is a new European regulation that will fundamentally change the rules governing the management of data from IoT devices. The regulation addresses the recognized issue that data generated by connected devices is not being fully utilized, primarily due to access restrictions. The aim of the Data Act is to enable harmonized, easier, and fairer access to data generated by connected devices and services, and to encourage their broader use. For companies, this regulation brings significant obligations and opportunities that require timely action.
Key provisions of the Data Act
User access to data (B2C)
The Data Act introduces a shift in the right of access to data. Currently, access to data is often limited to the service provider, with users only accessing data through the use of the service. The new regulation changes this by introducing the right of users to access data generated by devices in their use.
End users will have the right to access data generated by their devices. This data must be made directly available to users free of charge, in a structured, commonly used, and machine-readable format. This eliminates the longstanding practice where data remained locked with manufacturers or service providers.
In addition to user access to their own data, the Data Act also introduces obligations for data sharing between companies (B2B) and access by public authorities to data in specific circumstances (B2G).
Data holders will be required, upon user request, to enable data sharing with third parties under fair, reasonable, and non-discriminatory terms. A reasonable fee may be charged for making data available between companies, but sharing must be free of charge for the end user. This exchange of data between companies forms the core of the Data Act, as it will create new business opportunities.
Data sharing with public authorities will be possible if a public authority requests data in cases of exceptional circumstances, such as extreme weather events, and demonstrates an exceptional need for the use of such data. The public authority may further share this data with research organizations or statistical bodies.
Compliance, security, and data protection
The Data Act contains numerous provisions to ensure the secure, efficient, and fair exchange of data:
- Any company that collects, shares, or processes data will be required to comply with strict security standards.
- Data must be shared without undue delay and with the same quality as is available to the data holder. Interoperability must be ensured for data exchange.
- The regulation specifies which contractual terms regarding data access are considered unfair and therefore invalid.
- Smart contracts are envisaged for automated and secure data exchange.
- A formalized procedure and authority for dispute resolution between entities is established.
It is important to emphasize that the Data Act does not repeal or replace existing data protection regulations. GDPR and the ePrivacy Directive remain in force, meaning that companies must continue to process personal data in accordance with the GDPR and ensure the confidentiality of electronic communications in line with the ePrivacy Directive.
Implementation deadlines and entry into force
The Data Act will enter into force on 12 September 2025. By this date, companies must ensure compliance with the new regulation by meeting its technical and legal requirements.
Who will be affected by the Data Act
The Data Act will impact a wide range of entities, and will be particularly relevant for:
- Manufacturers of IoT devices and connected services that collect data from these devices
- Platform and service providers that process data from IoT devices
- Third-party service providers whose business models rely on access to data
- Users of IoT devices
- Providers of data infrastructure
Benefits for companies
The Data Act brings numerous opportunities for businesses:
- Improved access to data, enabling the development of new innovative services
- Greater interoperability between devices from different manufacturers
- Resource optimization and enhanced efficiency
- A more transparent data market
- The possibility to monetize data through new business models
Challenges for companies
Implementing the Data Act will also present certain challenges:
- Establishing technical solutions for data sharing
- Adapting contractual relationships with data holders, processors, and end users
- Ensuring data security during sharing
- Aligning operations with the Data Act and existing data protection regulations (GDPR)
To effectively prepare for the Data Act, companies should first analyse whether and which data from IoT devices they collect and how they currently manage it. Based on such analysis, companies should consider how to achieve technical and legal compliance with the Data Act. On the other hand, companies that do not currently collect and manage data from IoT devices may develop new products or services based on the processing of such data.
It is not advisable to leave preparations until the last minute. A key difference in implementing the Data Act compared to the GDPR is that third-party service providers whose business models rely on data access are likely to actively assert their rights immediately after the regulation enters into force. Companies can therefore expect pressure for data access as soon as the regulation is implemented.
Summary
The Data Act represents a turning point in the management of data from IoT devices. It emphasizes the right of users to data and the obligation of fair data sharing. Companies that prepare for the new regulation in a timely manner will gain a crucial competitive advantage. Data will undoubtedly become the new fuel of the future – the only question is who will make the best use of it.
A successful implementation of the Data Act will require a multidisciplinary approach, combining legal and technical expertise. Companies that establish appropriate technical solutions and legal frameworks in a timely manner will not only ensure compliance with the new requirements but also seize new opportunities arising from broader data access.
Jadek & Pensa’s leading role in legal challenges of new technologies
Due to the complexity of the Data Act and the interplay of legal and technical requirements, collaboration between lawyers and engineers is becoming essential. The law firm Jadek & Pensa is actively involved in shaping the future of data management. We have partnered with the company 3fs to develop a platform that will enable data holders to share data with users and third-party service providers in a simple and Data Act-compliant manner. Our goal is to offer a comprehensive solution that ensures both technical and legal compliance with the new regulation. Through this project, we are strengthening our leading role in the field of new technology law, combining in-depth legal knowledge with technical understanding of the digital challenges of modern business.
*This article provides only a brief summary of attorney Aljaž Jadek’s lecture at the Energy Days conference on 14 April 2025 and does not cover all provisions and obligations introduced by the Data Act. For comprehensive information and professional advice, please contact our attorneys.
