The «Regulation on harmonised rules on fair access to and use of data» (EU) 2023/2854 (“Data Act”) becomes applicable on September 12, 2025 and redefines data access, sharing, and portability in the EU. If you manufacture connected products, engage cloud services or participate in data spaces, it will affect you. In this article we summarize what has changed and what to check as of now - IoT, cloud switching and interoperability/smart contracts – and provide a practical checklist for your team. Let’s take a look.
The «Regulation on harmonised rules on fair access to and use of data» (EU) 2023/2854 (“Data Act”) officially takes effect on September 12, 2025. The regulation was approved by the Council of the European Union on November 27, 2023 and came into force on January 11, 2024, but the majority of its obligations are applicable as from today.
It seeks to create a single European market for data that is fair, secure and which favors innovation, kick-starting a market in which, according to Commission estimates, over 80% of industrial data (generated by sensors) is never used.
Despite its scale, it has hardly been mentioned in Spanish public debate or within the business community, as opposed to other countries such as Germany or France. However, it is a key part of the EU’s global data strategy: together with the Data Governance Act (“DGA”), the Digital Markets Act (“DMA”), the Digital Services Act (“DSA”) and the AI Act (“AI Act”), it makes up the architecture of an interoperable digital ecosystem. Its true scope lies not just in what it regulates, but in how it reshapes the rules of play for the access, use, portability and exchange of data in the European market.
Just like the other digital legislation approved over the last few years, the Data Act is also binding on non-EU businesses that operate in the European market.
As to the matters it regulates, the Regulation is an extremely curious and complex piece of legislation. It could be classified as a «smorgasbord», with three main cornerstones.
-
First cornerstone: The internet of things.
The first cornerstone, its core, is the legal regime it establishes for the data generated by connected products and related services. That is, the Internet of Things (“IoT”). All industries, from tourism and agriculture to mobility, construction, health and aerospace will be affected.
Its starting point is not the ownership of the data, but rather the de facto access control to the data by the manufacturers and providers of all connected products and services.
To correct this asymmetry, the regulation combines a positive right of access in favor of users with a limited right of refusal by data holders, with a view to creating a balance that is based on the logic of intellectual property but which is supplemented by contract law, competition and data protection.
Its aim is to unlock the potential of innovation, and at the same time to avoid de facto monopolies in the access to the data. However, as occurs with any newly implemented law, its application will come hand in hand with pros and cons, since numerous interpretation doubts still remain in certain key aspects, which we will address below.
-
Second cornerstone: Cloud portability
The second cornerstone seeks to encourage cloud portability services. To do so, Chapter VI establishes a specific contractual framework that regulates switching between providers. The Regulation imposes certain obligations on providers of these services to reduce the effects of so-called vendor lock-in, which, according to the Commission’s impact studies, are due both to the lack of technical interoperability between systems as well as the high migration costs.
The application of this mandatory regime will, in practice, involve the need to revise existing contracts — particularly early termination clauses — and even to reconsider certain business models.
-
Third cornerstone: Interoperability in European data spaces
The third cornerstone regulated by the Data Act are the interoperability requirements of common European data spaces, including smart contracts, set out in Chapter VIII. It is a technical chapter which seeks to encourage the transferability of data from different sources and the parallel use of data by different services.
The scope of the Regulation is naturally horizontal: it applies to personal and non-personal data in areas ranging from the use of IoT products and services to the mandatory sharing of data between businesses and intermediation services. To do this, it coordinates with the GDPR, the DGA and consumer and intellectual property legislation, expressly excluding areas such as defense or national security. It also anticipates interaction with future European Data Spaces such as the recently approved Regulation (EU) 2025/327 on the European Health Data Space, which will start to be applied in stages as from 2027.
In short, the Data Act does not form a single uniform regime, but rather a series of diverse legal regimes which are added to an already complex regulatory ecosystem, where competition law, contract law, data protection and sectorial laws come into play. It also has its own innovations, such as the regime on unfair terms in B2B contracts (article 13) or the possibility that IoT manufacturers and providers now have of introducing technical protection measures against unauthorized use (article 11).
These difficulties have already been reflected in debates organized by the European Commission over the summer. At those meetings, the participants indicated that the fragmentation in the application of EU provisions and the overlap with digital legislation, create considerable complexity for businesses. Representatives from the industry highlighted problems with data interoperability and quality, as well as the need for greater transparency and a clearer definition of the rights of access to IoT data. They also called for incentives to use existing data intermediation mechanisms and better access to public sector data. Regulatory support instruments and sandboxes, which are particularly useful for companies to be able to navigate such a dense legal framework, were mentioned as possible solutions.
Via the Expert Groups , the European Commission must recommend, before September 12, standard terms and conditions and model contractual clauses, including guidelines on reasonable compensation and the protection of trade secrets and on cloud switching contracts, an obligation that it has not met and which generates even more uncertainty in the application of a regime that is already complex.
In short, the Data Act rolls out different legal regimes according to the subject (from IoT data, the cloud, interoperability, to international data transfers or unfair terms between businesses). It is a regulatory patchwork that combines challenges and opportunities, the complexity of which will constantly require an effort of interpretation and adaptation by businesses, jurists and the authorities. Precisely because of this, it is advisable to follow the regulation closely: apart from the doubts it still generates, it will drive how data are accessed, shared and used to good advantage in Europe and beyond.
Express check-list: aspects to be checked as of now
- Inventory of connected products/services and data flows (which data, who can access, on which legal grounds and if an additional contract is necessary).
- Cloud contracts: portability, termination, egress/exit plan and transition timeline.
- Policies/processes for data access and sharing requests (including safeguards for trade secrets, security, etc.).
- Review of B2B contractual terms to detect and delete unfair terms.
- Preparation for interoperability and participation (or not) in European data spaces.