The Data Act 1/2 – Foundations, User Rights, and IoT Data Sharing

Regulation (EU) 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data.

Entered into force on 12 September 2025, Regulation (EU) 2023/2854, known as the Data Act, is one of the cornerstones of the European data governance framework. Designed as a continuation of the Data Governance Act (DGA), it aims to establish a legal environment in which access to, use of, and sharing of data are encouraged, while respecting principles of transparency, fairness, and security.

The Data Act comprises several complementary sections:

  • Rights of access and sharing for users of connected products and associated services (Chapter II);
  • Obligations of mandatory sharing between companies and protection against contractual imbalances (Chapters III and IV);
  • Sharing with the public sector in cases of exceptional need (Chapter V);
  • As well as, in its subsequent chapters, portability and interoperability of data processing services (Chapter VI), protection against unlawful transfers to third countries (Chapter VII), and cooperation between competent authorities (Chapter IX).

The text applies to all economic actors, whether established in the Union or not, as soon as they place connected products or associated services on the European market or provide their data processing services to clients located in the EU. It is based on a horizontal approach, covering both personal and non-personal data.

This first article presents the main provisions of Chapters I to V relating to rights of access and sharing of data from connected products and their related services, contractual mechanisms, and the regulated opening of data to the public sector.

Chapter II – Access and Sharing of Internet of Things Data

1. An Effective Right of Access to Generated Data

Chapter II of the Data Act (Articles 3 to 7) establishes a right of access to data generated by connected products and related services. The objective is to allow the user – whether a consumer or a business – to benefit from the data they help produce, without being solely dependent on the manufacturer.

Manufacturers must therefore design their products and related services so that the generated data is accessible, free of charge, in a structured and secure format (Article 3, paragraph 1). However, this design obligation applies only to products placed on the market after 12 September 2026. Products marketed before this date are not retroactively subject to this requirement.

Before concluding a contract, the manufacturer must inform the user, in a clear and understandable manner, of the type, volume, format, and retention period of the generated data and how to access it (Article 3, paragraph 2).

Access may be: (i) direct, when the user can extract the data themselves via an interface or integrated application; or (ii) indirect, at the user’s request, when the product’s technical configuration does not allow immediate access. In this case, the data holder (often the manufacturer or service provider) must provide the data without undue delay and in a machine-readable format (Article 4).

The covered data includes raw or pre-processed data – those resulting directly from use – excluding derived or inferred data, which remain the intellectual property of the manufacturer.

2. Data Sharing with Third Parties

Users may request the data holder to share the data with a third party of their choice, free of charge, in an interoperable format (Article 5). The third-party recipients may use the data to provide a service to the user or create a new one (if the user consents), provided they do not develop a competing product (Article 4, paragraph 10).

For example, a company operating connected industrial machines can transmit the generated data to an independent maintenance provider, without needing the manufacturer’s authorisation. Similarly, an individual owner of a connected vehicle can authorise a third-party garage to access their vehicle’s data.

This sharing must be free for the user, in an interoperable format and, where technically possible, continuous and in real time. However, the regulation excludes certain actors from this mechanism: large platforms designated as “gatekeepers” under the Digital Markets Act cannot receive these data (Article 5, paragraph 3).

This third-party sharing mechanism complements the right to portability provided for in Article 20 of the GDPR. While the GDPR only concerns the portability of personal data, the Data Act extends this right to all data generated by the use of a connected product, whether personal or not, and ensures technical portability in real time. In case of conflict, the GDPR prevails: the sharing of personal data is only lawful in compliance with the legal bases provided for in Article 6 of the GDPR.

3. The Provided Limits

Micro and small enterprises are exempt from the sharing obligations imposed by Chapter II (Article 7, paragraph 1).

Furthermore, access to and sharing of data are governed by several safeguards, including:

  • Protection of trade secrets, via a “handbrake” mechanism allowing suspension of sharing likely to cause serious economic harm;
  • Protection of product safety and the health or safety of individuals, justifying restrictions on access or transfer.

Chapter III – Mandatory Sharing Between Companies

Chapter III (Articles 8 to 12) governs situations where a company is legally required to share data with another entity. This sharing must be carried out under fair, reasonable, and non-discriminatory (FRAND) conditions, within a transparent contractual framework.

The holder may receive proportionate compensation, covering the direct costs related to making the data available. However, the regulation allows a reasonable margin beyond the direct cost, except when the recipient is an SME or a non-profit research organisation, in which case compensation is strictly limited to direct costs (Article 9, paragraph 4).

Chapter IV – Prevention of Abusive Contractual Clauses

Chapter IV protects businesses—especially SMEs—against abusive clauses unilaterally imposed in data sharing contracts (Article 13). Clauses excluding all liability of the holder, imposing a waiver of recourse, or excessively limiting the use of data are notably deemed unwritten.

The application of these rules is deferred in certain situations: they only concern ongoing contracts from 12 September 2027 when they are of indefinite duration or exceed ten years. The European Commission may develop standard clauses to harmonise practices and encourage balanced sharing models.

Chapter V – Public Sector Access in Case of Exceptional Need

Chapter V establishes a mechanism for making data available to public bodies in cases of exceptional need (Articles 14 to 21). This is a right of access limited to specific situations, such as a natural disaster, a health crisis, or the performance of a public interest mission. Micro and small enterprises are exempt from this obligation when it is not an emergency (Article 14, paragraph 3). Sharing must be proportionate, limited to the intended purpose, and accompanied by confidentiality and security guarantees.

* * *

These provisions of the Data Act require significant actions:

  • For manufacturers, the redesign of technical architectures and the compliance of products and related services by September 2026;
  • For companies, the revision of B2B contracts and the implementation of internal access and sharing policies that comply with security, fairness, and proportionality requirements.

In a second article, we will address the rules relating to portability and interoperability of data processing services, protection against unlawful transfers to third countries, and cooperation between competent authorities.