EU Data Act Enters into Force Mandating IoT Data Sharing
The EU Data Act enters into force on January 11, 2024, establishing comprehensive rules for accessing and using data generated by connected products and services. The regulation requires manufacturers to give users access to IoT device data, enables data sharing with third parties, and regulates cloud switching. The Act addresses data asymmetries in IoT ecosystems, promoting competition and innovation while protecting trade secrets.
The European Union's Data Act (Regulation 2023/2854) was published in the Official Journal on October 24, 2023, entering into force 20 days later on November 13, 2023. The regulation applies from September 12, 2025, establishing rules for accessing and sharing data generated by connected products and services. The Data Act addresses data asymmetries where manufacturers control IoT device data, preventing users from accessing information about their own devices. The regulation mandates data portability, enables third-party data sharing, and regulates cloud service switching.
Core Data Sharing Obligations
The Data Act requires manufacturers and service providers to make data generated by connected products available to users on request. Covered products include industrial IoT devices, consumer smart appliances, connected vehicles, wearables, and infrastructure sensors that generate data through use. Users gain rights to access real-time and historical data, share data with third-party service providers, and request that manufacturers provide data directly to third parties.
Data must be provided in structured, commonly used, machine-readable formats enabling interoperability and reuse. Manufacturers cannot charge unreasonable fees for data access—costs must reflect direct costs of making data available. The regulation prohibits contractual terms preventing or limiting user data access rights. Manufacturers must implement technical measures enabling continuous real-time data access for users or their designated third parties.
Business-to-Business Data Sharing
The Data Act establishes a framework for businesses to request data from other businesses when necessary for providing services or optimizing products. B2B data sharing requests must be proportionate, limited to necessary data, respect trade secrets, and comply with fair compensation principles. Data holders can refuse requests that are disproportionate, conflict with trade secret protection, or impose unreasonable technical burdens.
The regulation mandates fair, reasonable, and non-discriminatory (FRAND) terms for B2B data sharing, with compensation reflecting the costs of making data available plus a reasonable margin. Contractual clauses imposing unfair terms on SMEs are prohibited, addressing imbalances where large technology platforms dictate data sharing terms. Dispute resolution mechanisms enable parties to resolve disagreements on data access, compensation, and technical implementation.
Cloud Switching and Interoperability
The Data Act regulates cloud service providers to facilitate customer switching and reduce lock-in. Providers must enable data export in structured machine-readable formats, support service portability through APIs and standard protocols, and eliminate technical obstacles to switching. Contractual restrictions preventing or penalizing switching are prohibited, including egress fees for data transfer when customers migrate to competitors.
Cloud providers must offer switching services including data transfer assistance, functional equivalence mapping identifying alternative services, and technical support during migration. Large cloud providers (designated under Data Act criteria) face additional obligations including functional testing support for migrating applications and 30-day parallel operation capability. The regulation establishes maximum transition periods: customers can terminate contracts with notice periods not exceeding 30 days for contractual termination and 5 working days for switching assistance.
Trade Secret Protection
While mandating data sharing, the Data Act protects legitimate trade secrets through technical, contractual, and organizational measures. Data holders can redact, aggregate, or apply other techniques protecting confidential information before sharing. Recipients of shared data must implement appropriate security measures, use data only for agreed purposes, and not reverse engineer products or services using provided data.
The regulation defines the circumstances in which trade secret protection justifies refusing data sharing requests, establishing a balancing test between innovation protection and data access benefits. Data holders cannot claim trade secret protection for raw data generated by products' use; protection applies to proprietary algorithms, designs, and methodologies not observable through normal product use. Dispute resolution procedures address disagreements on trade secret applicability and appropriate protection measures.
Public Sector Data Access
The Data Act grants public bodies emergency access to privately held data when public emergencies require urgent action. Qualifying emergencies include natural disasters, public health crises, major cybersecurity incidents, and threats to public security. Public authorities can request data necessary for emergency response from businesses holding relevant IoT data, including manufacturers, service providers, and cloud operators.
Emergency data requests must be proportionate, time-limited, and subject to procedural safeguards including written justification and oversight. Compensation provisions ensure businesses receive fair remuneration for emergency data provision costs. Data recipients must delete data when emergencies end and implement appropriate security and confidentiality measures. The emergency provisions aim to address gaps demonstrated during the COVID-19 pandemic, when public authorities lacked access to private sector data needed for crisis response.
Implementation Timeline and Compliance
The Data Act applies from September 12, 2025, allowing 20 months for organizations to implement compliance measures. Products placed on the market before September 12, 2025 become subject to data sharing obligations from September 12, 2027, providing an extended transition period for existing devices. Cloud switching provisions apply from September 12, 2027, recognizing the technical complexity of implementing interoperability standards.
The European Commission must develop implementing acts specifying technical modalities for data access, standardized formats for different IoT sectors, and essential requirements for interoperability. Standardization organizations (CEN, CENELEC, ETSI) will develop standards supporting Data Act implementation. Member states must designate competent authorities for enforcement and establish penalties for non-compliance including fines up to 1% of global annual turnover.
Interaction with Other EU Data Regulations
The Data Act complements existing EU data regulations including GDPR (personal data protection), Data Governance Act (data intermediaries and altruism), and sector-specific regulations. GDPR takes precedence for personal data—Data Act provisions cannot undermine GDPR rights and obligations. Organizations must implement layered compliance addressing both GDPR privacy requirements and Data Act sharing obligations.
The Database Directive's sui generis database rights remain applicable but cannot prevent Data Act data sharing obligations. Copyright and trade secret protections persist but cannot be used to circumvent data sharing requirements. The interplay between regulations creates a complex compliance landscape that requires legal and technical expertise to navigate overlapping obligations while respecting intellectual property and privacy rights.
Global Implications and Convergence
The Data Act establishes a global precedent for IoT data access regulation, likely influencing policy development in other jurisdictions. The regulation applies extraterritorially to providers offering connected products or cloud services to EU users, creating a Brussels Effect similar to GDPR. U.S. tech companies manufacturing IoT devices or providing cloud services face compliance obligations when serving European markets.
Countries including Japan, South Korea, and Australia consider similar IoT data access frameworks. Industry associations advocate for international harmonization to avoid fragmented regulatory requirements. The Data Act's emphasis on interoperability, portability, and competition may inform emerging global norms for data sharing in the digital economy. Technology standards developed for Data Act compliance may be adopted globally, creating de facto international standards.
Strategic Considerations for CTIOs
CTIOs in IoT manufacturing, cloud services, or industries using connected devices must assess Data Act compliance gaps and develop implementation roadmaps. Technical requirements include implementing data access APIs, developing machine-readable data export formats, and establishing authentication/authorization mechanisms for user-designated third parties. Organizations should inventory connected products, map data flows, and identify technical architecture changes required for compliance.
Cloud service providers must evaluate switching cost implications, develop migration tooling, and establish customer success programs supporting transitions. IoT manufacturers should engage with industry associations developing sector-specific standards and coordinate with platform providers to ensure ecosystem interoperability. CTIOs should establish data governance frameworks addressing Data Act obligations while protecting trade secrets and complying with GDPR. Early compliance investment positions organizations competitively as data sharing becomes a market expectation beyond a regulatory requirement.