Data Act
Regulation 2023/2854 on harmonised rules on fair access to and use of data
Background and Scope
The EU Data Act establishes rules and standards for data sharing and reuse within the European Union, aiming to ensure that data holders and users benefit from fair and transparent conditions for data access and use in all economic sectors. As part of the broader EU data strategy, the Data Act complements other significant initiatives such as the Data Governance Act, regulating data sharing between individuals and the public sector.
Applying to data generated by Internet of Things (IoT) services – connected products or related services such as vehicles, home appliances and medical devices – the Data Act covers both personal and non-personal data. This means that users have the right to access and further utilize the data created through the use of a connected product.
A central aspect of the Data Act is the regulation of contractual terms for data access and sharing between businesses (B2B) and between businesses and consumers (B2C). As an example, the Data Act prohibits unilaterally imposed unfair contractual terms concerning data access and use. By opening the data reserves of data holders, the regulation allows existing operators to extend their range of services and potentially access new industry sectors.
Digital Omnibus Regulation Proposal
When the Commission presented its proposal for the Digital Omnibus Regulation, several changes were proposed to the Data Act. Among other amendments, the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation were proposed to be withdrawn and integrated into the Data Act. Other key changes include:
- Protection of Trade Secrets: New rule allowing data holders to refuse sharing trade secrets with users when there is a high risk of unlawful use or disclosure to third countries with weaker protections than the EU.
- Business-to-Government Data Sharing: The scope of Chapter V, regulating business-to-government data sharing in case of “exceptional needs”, is narrowed to “public emergencies” only.
- Switching Between Data Processing Services: New exemptions are added to Chapter VI on switching between data processing services. A lighter regime will apply to custom-made services (not off-the-shelf) based on contracts concluded before 12 September 2025. A similar lighter regime applies to services provided by SMEs and SMCs under contracts concluded before that date. These providers may include early-termination penalties in fixed-term contracts.
It should be noted that the Digital Omnibus Regulation remains a proposal from the Commission and has not yet been adopted into law.
Key Obligations
- Access to data generated by connected products: Connected products and related services must be designed to allow both consumers and corporate users free and easy access to data generated by them.
- Prohibition of unfair contractual terms: Businesses are prohibited from unilaterally imposing unfair contractual terms concerning data access and use.
- Public sector access in exceptional circumstances: Public sector bodies are granted rights to access data held by companies when there is an exceptional need.
- Cloud switching and portability: Providers of cloud services and similar data processing services must remove obstacles to effective switching between providers.
Chapter IV, regulating unfair contractual terms, will apply to contracts that were concluded on or before 12 September 2025, if they are either of indefinite duration or are due to expire at least 10 years after 11 January 2024.
The obligation for data to be accessible by default will apply to connected products and services related to them.
The Commission presented its proposal for the Digital Omnibus Regulation proposing several changes to the Data Act with the aim of reducing administrative burdens for companies.
Most obligations under the Data Act began to apply.