The European Commission has published the first guidelines clarifying how the obligations of the Data Act apply to connected vehicles. The document provides guidance for manufacturers, providers and users on access to, and use and transmission of, the data generated by vehicles, paving the way to a new stage in automotive data governance and the structure of future business models based on digital mobility.
In the automotive sector, the Regulation on harmonized rules on fair access to and use of data, commonly known as the Data Act, is no longer an abstract concept, following the European Commission’s publication on September 15, 2025, of “Guidance on vehicle data, accompanying the Data Act”. These guidelines explain how to implement the obligations on access to, and the use and transmission of certain types of data generated by connected vehicles and related services. It is the first route map in an area in which the asymmetry of access, technical limitations and contractual clauses have been the norm. For manufacturers, providers and users, this guidance constitutes an operational starting point to adjust their technical and contractual practices and be one step ahead of a structural change that will affect competition, innovation and the new business models in the entire mobility ecosystem.
1. Legal nature of the guidelines and its pointers
This interpretative, non-binding document does not amend the contents of the Data Act nor affect the validity of other specific legislation, as expressly indicated in the guidance itself.
It aims to offer legal certainty in the implementation of Chapter II of the Data Act (articles 3 to 9) in the automotive sector, characterized by an ever-increasing production of data by connected vehicles and electronic systems. Although the legal obligations emanate exclusively from the Data Act, this guidance seeks to provide advice to manufacturers, users, designated third parties and public authorities.
Its publication has arisen from a question that has been reiterated by industry stakeholders: how to apply the new horizontal regime on access to data in an environment in which specific industry rules already exist — such as Regulation 2018/858 on the approval of vehicles — and its Delegated Regulation 2021/1244 on RMI (vehicle repair and maintenance information) as well as the long-standing contractual and technical barriers to access the data, which are still the norm in the industry, as the report requested by Bundesnetzagentur in 2023 revealed, “Studie zur Daten-Governance bei Connected Cars” (available in German).
2. What is a connected vehicle and what is a related service?
According to the Commission's guidance, the difference between a connected vehicle and related service depends on two factors:
(i) the functional connection with the product (vehicle), and
(ii) the existence of a bi-directional data exchange that affects its operation.
A connected vehicle constitutes a “connected product” as defined in article 2.5 of the Data Act: an item whose primary function is not to process data, but which during its use, obtains, generates or collects information on its operation or environment and which is designed to communicate it via an electronic communications service or interface. In the automotive sector this includes, for example, information on speed, battery level, tire pressure or engine behavior. However, it is up to the manufacturer or data holder to assess whether a specific vehicle falls within that definition.
As far as related services are concerned, although the guidance refers to 2.6 of the Data Act, it also specifies that they are digital services (as opposed to an electronic communications service) connected to the vehicle at the time of the purchase, rent or lease, or which are connected subsequently to add to, update or adapt the functions of the connected product. Their main characteristic is that a bi-directional data exchange takes place with the vehicle that affects the vehicle’s operation or behavior.
3. Which data fall within the scope of the Data Act?
Section 2 of the guidance defines which types of data generated by connected vehicles are covered by the access regime regulated in the Data Act. This definition does not introduce a new legal classification but rather interprets articles 2.1(8) and 4 of the act, in particular through practical examples that supplement the criteria already analyzed in Garrigues Digital.
Specifically, the guidance clarifies that the Data Act is applicable to the data generated as a result of the user’s use of the vehicle. Data arising from prior stages (manufacture, delivery) or subsequent stages (scrapyard), as well as those generated by the activities of the manufacturer or third parties that do not involve the user’s use of the product.
One important clarification refers to the data generated by vehicles without a direct interface with the user. The guidelines clarify that this does not exempt data holders from facilitating access, which may be done through remote digital means provided that the user requests this in accordance with articles 4 or 5.
The Commission illustrates the scope of the norm with a series of examples that are relevant to the industry. The data include:
- Batter charging status
- Number of charging cycles
- Frequency of use of the climate control system
- Activation of indicators or lights
- AdBlue tank level
- Safety belt status
However, inferred data are expressly excluded such as:
- Tailored maintenance recommendations
- Driving styles evaluations
- Predictive malfunction reports
- Risk profiles used by insurance companies
4. Data access regime
Section 3 of the guidance “lays down” the legal architecture of data access established in Chapter II of the Data Act in the context of vehicles. The Commission underscores that the right of users to access the data generated by the use of the product and to designate third parties to receive them constitutes the core feature of the new regime. Here lies the key to encourage innovation and competition.
There are two types of access, according to articles 3 and 4 of the act:
- Direct access (article 3.1): manufacturers may design the connected vehicle or product in such a manner that the user can access the product data directly, without the need for additional intervention. However, the Commission adds that this access is only enforceable ‘where relevant and technically feasible’, which gives the vehicle manufacturers margin for discretion as to the design. This nuance is important, because any interpretation of this article that suggests automatic, unrestricted access would be contrary to the spirit of the Data Act.
- Indirect access (art. 4.1): where direct access is not possible or has not been implemented (because there is no direct interface for example), the data holder (usually the manufacturer or operator of the service) must provide indirect access to readily available data, which are defined in article 2.17 as data that the data holder “lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort.”
The guidelines offer relevant examples in the context of the automotive sector. For example, the data generated by a connected vehicle sent to a backend server of the manufacturer under the ‘extended vehicle’ concept are considered readily available data.
It also recognizes that manufacturers can choose not to retrieve certain data for technical reasons (transmission bandwidth, cost, architecture) or commercial reasons. However, if those data can be obtained without disproportionate effort, they may be considered included in the scope of the Data Act. This extends the scope beyond mere datasets that have been effectively processed or stored and is based on a potential, not factual criterion: the relevant aspect is not just what the manufacturer obtains but what it can obtain without disproportionate effort.
If taken to the extreme, in theory, the manufacturer could be under the obligation to provide data that it does not extract at present if it can be proven that it is able to do so without disproportionate technical or economic effort. For example, if the vehicle’s sensors generate tire pressure data, but the manufacturer does not store them for design purposes, it cannot use this omission as justification vis-à-vis users, if it is proven that they would be technically easy to obtain (for example, through a simple CAN consultation or a minor OTA update).
However, the Data Act does not impose a general duty of prior transparency over the data captured, stored or discarded by the manufacturer. Article 4.1 establishes a results-based obligation — to provide access “easily” and “of the same quality as is available to the data holder”— but not an ex ante procedural duty of communication, nor to publish an inventory of accessible data. The guidelines, which are not binding, do not include a mechanism for systematic information or preventive supervision.
The assessment of the lawfulness of the corporate decision to refrain from extracting certain data should be made through the ex post control mechanism envisaged in article 37 of the Data Act, to which point 47 of the guidelines expressly refers. According to this provision, the competent national authorities may examine whether the refusal to retrieve or facilitate certain data is due to reasonable technical or economic reasons or if it is discriminatory with respect to the objectives of the regulation.
However, this power of supervision poses relevant questions from the standpoint of EU law. Its exercise should be brought into line with article 16 of the Charter of Fundamental Rights of the European Union , which guarantees the freedom to exercise an economic or commercial activity. Control that is too extensive, particularly if it is considered that the authorities may require the extraction or technical design of unprocessed data, could involve a substantial interference in business autonomy and in the freedom of the technological configuration of the product, undermining legal certainty and that of investments in innovation.
In relation to technical means of data access, the guidelines clarify that the Data Act is technology-neutral: it does not impose specific formats or tools. Access can be through remote backend solutions, onboard access or data intermediation. The key aspect is that the conditions of articles 3, 4 and 5 be met, particularly to make available data ‘of the same quality as is available to the data holder’, without discriminating between users, subsidiaries or independent third parties.
It is underscored that the data made available to third parties (article 5.1) must also comply with this quality and accessibility criterion. A breach is considered to have taken place if the data made available are less accurate, complete or up-to-date than those used internally by the manufacturer.
The obligation to make data “easily” availably indicated in those articles requires that access must be simple, without technical barriers or procedural hurdles. This means that if, for example, access is through the OBD-II port inside the vehicle, the user cannot be required to purchase a specialized access tool or to have advanced technical skills. The guidance suggests offering these tools at no additional cost, or making the data available via other access means such as a remote backend server.
The section ends by stating that the Data Act only mandates making available data which are designed to be retrievable. This excludes data which are ‘on the edge’ (i.e. inside the vehicle) and immediately deleted, which are not even available to the manufacturer. However, manufacturers are encouraged to include certain key information (i.e. speed, GNSS-based location or odometer) as data that are designed to be retrievable, given that they are essential for aftermarket use-cases.
5. Cost of access and FRAND terms
Section 4 of the guidance (point 46) addresses the matter of the compensation applicable where the data are transferred to third parties designated by the user, in accordance with article 5 of the Data Act.
According to the guidance, data holders are entitled to reasonable compensation for making the data available in this B2B context. This right is based on article 9 of the Data Act, which establishes the conditions under which a charge can be required for access where the data are transferred to third parties. The guidance expressly refers to article 9.5, which envisages the adoption by the Commission in the future of other guidelines on reasonable compensation, which have not yet been published.
The guidance also underscores that the possibility of such a charge has no bearing on other EU law or national legislation on access to data in the automotive industry, including the technical information necessary for road-worthiness testing which is governed by conditions that are independent from the Data Act.
6. Practical relevance for the sector
The guidelines published by the European Commission on September 15, 2025 are not legally binding, but they do entail a turning point in the interpretation of rules that affect automotive connection. In an environment where control over vehicle data has been the subject of technical, contractual and regulatory disputes, the guidance provides an official view that should be applied to the regime for regulated access to data set forth in the Data Act.
Vehicle manufacturers and related service providers are called to revise their technical architecture, design strategies and contractual models in light of this guidance. The exclusion of inferred data does not release them from guaranteeing structured, non-discriminatory and technically viable access to primary, pre-processed data. Specifically, they must justify that it is technically impossible to retrieve certain data or design alternative means — such as remote servers or user interfaces — that ensure that the data defined in 2.17 of the Data Act are «readily available».
Independent repair workshops, fleet operators, insurance companies, aftermarket service providers or mobility platforms can create new business lines motivated by the right to receive data directly — or by designation by the user — under transparent conditions, with the same quality that lies available to the manufacturer. This not only eliminates certain restrictive practices that are still in use (closed interfaces, access subject to payment services, opaque licenses), but rather paves the way to a data-based service market, from predictive maintenance to tailored insurance or intelligent valuation of the used vehicle.
The economic impact will be considerable, but unequal. Free access for users (article 4) and the application of FRAND terms to third parties (articles 8 and 9) will require new monetization models and justified cost structures. Businesses that operate as data “holders” should record structural access costs and avoid abusive or discriminatory conditions, since failure to do so could lead to a lawsuit or surveillance by the authorities.
In any event, the practical effects of the guidelines will depend on three key factors:
- The reception by the competent national authorities, who must actively supervise its application in the Member States and avoid differing interpretations.
- The coordination with existing industry legislation such as Regulation 2018/858 and Delegated Regulation 2021/1244 on RMI (repair and maintenance information).
- Control over contractual blocking strategies, technical degradation or indirect discrimination, which has already been addressed by the CJEU and could increase with the entry into force of the Data Act.
In this context, the guidance not only offers pointers to legal and technical operators, it also acts as a mechanism that anticipates compliance and strategic alignment for the entire automotive ecosystem. It constitutes a first step towards the practical application of the Data Act in a sector that is characterized by strong asymmetries in access to data, but does not answer all the questions on the table. Concepts such as the obligation to provide data "easily" or the determination of reasonable compensation in B2B scenarios, provided for in Article 9 and pending specification in future Commission guidelines, will continue to be debated and adjusted. Their value therefore lies in acting as an initial reference point in order to enable data holders, users and potential recipients of such data to adapt their technical and contractual models, while also anticipating the direction of European policy in connection with the automobile market in the next decade.