EuroComply
Zarejestruj się

Data Act for Connected-Product Manufacturers

The Data Act creates user access and portability rights for the data generated by connected products. Manufacturers must design products and related services so that data is, by default, accessible to the user — easily, securely, free of charge, in a comprehensive, structured, commonly used, and machine-readable format (Article 3).

Does Data Act apply to connected-product manufacturers?

Yes if the product is a connected product placed on the EU market, or a related service offered to users in the EU. The duty applies regardless of where the manufacturer is established.

  • Article 3: design connected products so data is accessible to the user 'by default, easily, securely, free of charge' and in a structured machine-readable format
  • Article 4: where data is not directly accessible from the product, the data holder must make it available on request, free of charge, to the user
  • Article 5: users have the right to share data with third parties — but trade-secret protection (Article 4(6)) and contractual safeguards apply
  • Information-duty timing: pre-contract information under Article 3(2) must be provided before the user is bound by any contract for the connected product
Source: Regulation (EU) 2023/2854 — EUR-LexReviewed:

Who does Data Act apply to?

The Data Act applies to manufacturers and providers of connected products and related services made available in the EU, to data holders providing data to recipients in the EU, to data processing service providers (cloud and edge) serving EU customers, and to public-sector bodies of EU member states.

  • Manufacturers of connected products placed on the EU market and providers of related services
  • Data holders required to make data available to users or third parties
  • Recipients of data made available under the Act
  • Providers of data processing services (cloud/edge) offering services in the EU
  • Public-sector bodies requesting data in cases of exceptional need
Source: Regulation (EU) 2023/2854 — EUR-Lex — Article 1 (Subject matter and scope)Reviewed:

What are the penalties for Data Act non-compliance?

Member states set penalties for breaches of the Data Act, including periodic penalty payments. For breaches of the personal-data provisions, the GDPR penalty regime applies in parallel.

Maximum fineWhere personal data is involved: GDPR Article 83 rates apply (€20M / 4%). Other breaches: set by member states.
Source: Regulation (EU) 2023/2854 — EUR-Lex — Article 40 (Penalties)Reviewed:

When does Data Act apply?

The Data Act entered into force on 11 January 2024. Most provisions apply from 12 September 2025. The cloud-switching pricing rules phase in: pre-existing 'switching charges' must be removed by 12 January 2027.

  • 2024-01-11 — Entry into force
  • 2025-09-12 — Most provisions apply
  • 2027-01-12 — Cloud switching charges (over and above costs incurred) must be removed
Source: Regulation (EU) 2023/2854 — EUR-Lex — Article 50 (Entry into force and application)Reviewed:
12 January 2027

Date by which providers of data processing services must remove all 'switching charges' (charges over and above costs incurred) that obstruct EU customers from moving to another provider.

Regulation (EU) 2023/2854, Article 29 and Article 50

Next step — classify

Read the Data Act compliance guide

Targeted next step for connected-product manufacturers based on Data Act scope.

Read the Data Act compliance guide

Full Data Act compliance guide for all sectors and personas.

Data Act guide

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last reviewed: · Editorial policy