[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59584":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":8,"featured":4,"state":15,"author":16,"authorId":17,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":89,"imageUrl":90,"imageThumbUrls":91,"id":99},false,"On **September 12th 2025**,[ the EU **Data Act** (Regulation (EU) 2023/2854) ](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng)officially goes live. After entering into force in January 2024, the regulation now becomes operational. It creates new rules on who can access and use industrial data generated by connected products in the EU across all economic sectors.\r\n\r\n{% button href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078\" text=\"Read today’s statement from the European Commission on this topic\" target=\"\\_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\nThe Data Act is a cornerstone of the **European Data Strategy** and the **Digital Decade 2030**. Its central aim is to unlock **the value of industrial and IoT data, ensuring it is accessible, reusable, and portable by eliminationg all barriers to the free flow of data with the Union.**\r\n\r\n> *\"A key objective of the Data Act is to **create fairness in the data economy** and **empower users** to reap value from the data they generate using the connected products that they own, rent or lease\"* ([Data Act explained, European Commission](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained)).\r\n\r\n---\r\n\r\n### Scope of application: who and what falls under the Data Act?\r\n\r\n\u003Ctable style=\"min-width: 75px\">\r\n\u003Ccolgroup>\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003C/colgroup>\u003Ctbody>\u003Ctr>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Category\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Coverage under the Data Act&nbsp;\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Comments/Examples\u003C/p>\u003C/th>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Items\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cul class=\"tight\" data-tight=\"true\">\u003Cli>\u003Cp>\u003Cstrong>Connected products\u003C/strong>: physical items that generate, collect or obtain data concerning its use or environment &amp; can communicate it via a connection (WiFi, Bluetooth, USB, etc.), on-device access, or via an electronic communications service (Article 2.5)\u003Cbr>\u003C/p>\u003Cp>\u003C/p>\u003C/li>\u003Cli>\u003Cp>A \u003Cstrong>related service\u003C/strong> is installed on the product, and can be connected with the product at the time of the purchase, rent or lease or by the manufacturer (Article 2.6)\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cul class=\"tight\" data-tight=\"true\">\u003Cli>\u003Cp>\u003Cstrong>Examples of connected products\u003C/strong> include smart vehicles, wearable health trackers, MRI scanners, industrial robots, household appliances like smart refrigerators or washing machines, and connected energy meters.\u003C/p>\u003Cp>\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cstrong>Related services\u003C/strong> are those that allow the product to operate in a specific way or enhance its functionality — for instance, a mobile app to control home lighting, software that adjusts irrigation levels in smart farming equipment, or a platform that monitors and optimizes the performance of wind turbines.\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Operators involved\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Manufacturers of connected product, provider of a related service and every operator of a cloud infrastructure in Europe.\u003C/p>\u003Cp>\u003Cbr>Providers of data processing providers globally, excluding conventional hosting services.\u003C/p>\u003Cp>\u003C/p>\u003Cp>A data holder is typically the company that makes the connected product or that provides a related service.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Example of providers of data processing: Cloud IaaS, PaaS, Saas, Storage, Data, Edge\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Users &amp; Recipients\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Users and data recipients must be in the EU. \u003Cbr>\u003C/p>\u003Cp>Public bodies when relevant.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>A user can be both a natural person or a legal person.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Sectors\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Across all sectors. \u003Cbr>\u003Cbr>Includes public sector bodies.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Industrial IoT, automotive, fintech, healthcare devices, energy, logistics, gaming platforms, insurance services relying on telematics, and cloud computing.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Data in scope\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>All raw and pre-processed data generated from the use of a connected product or a related service that is readily available to the data holder.\u003C/strong>\u003C/p>\u003Cp>\u003Cbr>Readily available data means that the data holder actually has, or can obtain without disproportionate effort.\u003C/p>\u003Cp>\u003C/p>\u003Cp>Personal and non-personal data (e.g machine readings) including relevant meta data. this includes:\u003C/p>\u003Cul class=\"tight\" data-tight=\"true\">\u003Cli>\u003Cp>Data resulting from the use of a connected product\u003C/p>\u003C/li>\u003Cli>\u003Cp>Data that must be shared legally\u003C/p>\u003C/li>\u003Cli>\u003Cp>Data that can be shared under contractual obligation\u003C/p>\u003C/li>\u003Cli>\u003Cp>Data via data processing services\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>The Data Act’s definition of data is broad: data is any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recordings.\u003C/p>\u003Cp>\u003C/p>\u003Cp>Everything generated by connected products is included, like simple status indicators, user interactions data and malfunction reports.\u003C/p>\u003C/td>\u003C/tr>\u003C/tbody>\r\n\u003C/table>\r\n\r\n### New access right to data generated by connected products or related services\r\n\r\n\u003Ctable style=\"min-width: 75px\">\r\n\u003Ccolgroup>\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003C/colgroup>\u003Ctbody>\u003Ctr>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Category\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Coverage under the Data Act\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Comments/examples\u003C/p>\u003C/th>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Data portability &amp; access to data\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>The principle is simple: if a connected product or related services generates data, the user (natural or legal person) must be able to access it. \u003C/strong>That means:\u003C/p>\u003Cul>\u003Cli>\u003Cp>\u003Cstrong>Full product and service data\u003C/strong> must be made available, not curated extracts.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Access must be \u003Cstrong>timely, free of charge\u003C/strong>, in a \u003Cstrong>structured, machine-readable format\u003C/strong>, and \u003Cstrong>real time\u003C/strong> where feasible.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Users may share data with \u003Cstrong>third parties of their choice\u003C/strong> directly or can ask the data holder to do so.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>With only limited compensation allowed for substantial investments in a B2B setting.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>A car owner gains access to all maintenance logs, not only summaries. \u003Cbr>\u003Cbr>A tenant can request detailed smart home data.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Limits and safeguards\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Not all data must be shared. The Act applies\u003Cstrong> only to readily accessible data\u003C/strong>, \u003Cstrong>that doesn't invovle disproportionnate effort. I\u003C/strong>nferred or derived data and content (e.g. highly enriched data, audiovisual material) are out of scope.\u003C/p>\u003Cp>\u003Cbr>Access may be withheld when disclosure would compromise \u003Cstrong>trade secrets or safety\u003C/strong>, but such refusals must be \u003Cstrong>justified in writing\u003C/strong> and are subject to oversight and dispute resolution.\u003C/p>\u003Cp>\u003C/p>\u003Cp>Platforms designated as \u003Cstrong>gatekeepers \u003C/strong>under the meaning of the Digital Markets Act, do not benefit from the rights.\u003C/p>\u003Cp>\u003C/p>\u003Cp>\u003Cstrong>Micro and SMEs \u003C/strong>are not subject to the same duties imposed on larger companies, in particular regarding mandatory data sharing.\u003C/p>\u003Cp>\u003C/p>\u003Cp>The data obtained cannot be used to develop a \u003Cstrong>competing connected product\u003C/strong>.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Blanket refusals invoking intellectual property rights or trade secrets will no longer suffice. \u003Cbr>\u003C/p>\u003Cp>The data holder may only refuse to share data where it can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Precontractual duties\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>The Act also reshapes the sales process. \u003Cstrong>Before selling or leasing a connected product or service, \u003C/strong>businesses must inform users about:\u003C/p>\u003Cul>\u003Cli>\u003Cp>What data will be generated;\u003C/p>\u003C/li>\u003Cli>\u003Cp>Where and how it will be stored;\u003C/p>\u003C/li>\u003Cli>\u003Cp>How and when it can be accessed;\u003C/p>\u003C/li>\u003Cli>\u003Cp>Whether access is continuous or periodic.\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>This requires businesses to set up clear protocols and train sales teams who will have to communicate this information before contracts are signed.\u003C/p>\u003C/td>\u003C/tr>\u003C/tbody>\r\n\u003C/table>\r\n\r\n### \r\n\r\n---\r\n\r\n### Mandatory Business-to-Business data sharing\r\n\r\nThe Data Act’s Chapter III sets out rules for cases where a **business is legally obliged under EU or national law to make data available to another business (“data recipient”)**, including in the IoT context. Such data-sharing must always take place on fair, reasonable and non-discriminatory terms.\r\n\r\nThe rules cover all types of data, both personal and non-personal, including situations already addressed in Chapter II on user access rights. In practice, data holders can charge for the costs incurred in making data available, such as extraction, dissemination and storage. However, micro-enterprises, SMEs and non-profit research organisations can only be charged cost-based fees, with no additional margin.\r\n\r\nTo protect data holders, the Act also introduces remedies in cases of unlawful access or misuse of data. Possible measures include requiring the infringing party to stop producing the product concerned, to destroy unlawfully obtained data, or to provide compensation.\r\n\r\n---\r\n\r\n### Fairness in contracts: no more unbalanced terms\r\n\r\nA **data holder** is required to enter into a contract with the user — for example, a sales, rental, or related service agreement — which must define the user’s rights concerning the **access, use, and sharing of data** generated by the connected product or related service.Where the Data Act governs the relationship between the manufacturer of a connected product (or provider of a related service) and the end-user, it introduces specific contractual obligations. In this context, EU consumer protection law continues to apply, in particular **Directive 93/13/EEC on unfair terms in consumer contracts** and **Directive 2005/29/EC on unfair commercial practices**, ensuring that users are protected against unfair contractual provisions.\r\n\r\n---\r\n\r\n### No more vendor lock-in: switching between data processing providers made easy\r\n\r\nTo promote a **competitive digital market within the EU**, customers of data processing services, including cloud and edge computing, must be able to **switch providers seamlessly**. At present, such switching is often hindered by significant obstacles, such as **excessive egress fees, lengthy and complex procedures, and insufficient interoperability** between providers, which can lead to the loss of data or applications.\r\n\r\nThe **Data Act** addresses these issues.\r\n\r\n\u003Ctable style=\"min-width: 50px\">\r\n\u003Ccolgroup>\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003C/colgroup>\u003Ctbody>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Scope\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Providers of IaaS, PaaS, SaaS, and other models. E.g: Google Cloud, OVH Cloud, Azure...\u003Cbr>\u003Cbr>Assess whether your services fall within the scope of Chapter VI of the Data Act.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Objective\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>In Commission words: \"Promote competition and choice on the market while preventing vendor lock-in.\"\u003Cbr>\u003Cbr>By requiring that switching be \u003Cstrong>free of charge, efficient, and technically smooth\u003C/strong>, the framework strengthens customer choice by enabling them to select the services that best meet their needs, while also fostering competition by expanding the potential customer base available to providers.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Concrete obligations\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cul>\u003Cli>\u003Cp>Must \u003Cstrong>remove obstacles to switching to another provider or to an on-premise infrastructure\u003C/strong>, including technical and contractual barriers.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Contracts must include \u003Cstrong>switching rights\u003C/strong>, short \u003Cstrong>notice periods\u003C/strong> (max. two months), \u003Cstrong>data portability conditions\u003C/strong> &amp; data transfer methods.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Set up\u003Cstrong> technical infrastructure for data transfer\u003C/strong> and ensure compatibility with interoperability standards.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Support \u003Cstrong>migration\u003C/strong>, maintain \u003Cstrong>businesss continuity,\u003C/strong> functional \u003Cstrong>equivalence \u003C/strong>and secure data transfers within 30 days. Data retrieval under 30 days.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Phase out \u003Cstrong>exit fees \u003C/strong>by January 2027, after which only cost-based charges remain.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Implement \u003Cstrong>transparency measures \u003C/strong>such as making available information on the switching procedure.\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003C/tr>\u003C/tbody>\r\n\u003C/table>\r\n\r\n### \r\n\r\n### What about B2G, Business-to-government data sharing?\r\n\r\nChapter V of the Data Act establishes a framework for **business-to-government (B2G) data sharing** in situations of **exceptional need**, where data held by private entities is necessary for public authorities to carry **out tasks in the public interest.**\r\n\r\nExceptional need covers both **public emergencies** — such as natural disasters, pandemics, or cybersecurity incidents — and **non-emergency situations**, such as improving traffic management through aggregated, anonymised GPS data.\r\n\r\n- In emergency scenarios, public authorities may request access to data, which must be provided swiftly, securely and free of charge, unless justified costs are involved. While the default focus is on non-personal data, personal data may also be requested if strictly necessary, with anonymisation applied wherever possible.\r\n- For **non-emergency public interest purposes**, authorities may only request non-personal data, and data holders are entitled to **fair compensation** for the costs of preparing and transmitting it.\r\n\r\nRequests must always be specific, proportionate and transparent, and must not impose an undue administrative burden on companies.Entities entitled to request data include **national public sector bodies, EU institutions, agencies and certain research organisations**. Data holders are typically private companies, but may also include public undertakings.\r\n\r\n---\r\n\r\n### How companies must handle international requests\r\n\r\nThe Data Act introduces specific safeguards to prevent **unlawful access or transfer of non-personal data held in the EU** by governments of third countries (i.e., non-EU states). These provisions respond to the growing concern that foreign authorities may issue decisions or judgments compelling companies to disclose or transfer data stored in the EU, even when such requests conflict with EU law, the protection of fundamental rights, national security interests, or the confidentiality of sensitive commercial information.\r\n\r\nBuilding on the approach of the [**Data Governance Act**](https://digital-strategy.ec.europa.eu/en/policies/data-governance-act), the Data Act reinforces transparency and legal certainty by clearly setting out the conditions under which non-personal data may be accessed by foreign authorities.\r\n\r\nFor businesses — including **cloud providers, data intermediaries and companies offering digital products and services** — the rules impose new obligations. They must **carefully assess whether a foreign government’s request complies with EU law and, where necessary, challenge unlawful demands.** Any transfer of non-personal data to a third country must meet **strict safeguards,** which may include judicial authorization and respect for EU fundamental rights standards.\r\n\r\n---\r\n\r\n## Challenges & enforcement risks\r\n\r\nFrom 12 September, **Member States** must adopt their own national enforcement regimes by **12 September 2025**, ensuring penalties are *effective, proportionate, and dissuasive*. These may include **financial fines**, **orders to comply**, **warnings**, or even **suspension of processing activities.**\r\n\r\nCompanies must comply simulatneously with the GDPR since many data sets include personal data. In some cases, the Data Act will complement the GDPR such as the case of real-time portability of data from IoT objects. Sometimes, it restricts the re-use of data by third parties as provided by Article 6 of the Data Act. \r\n\r\nFailure to properly distinguish between personal and non-personal data could trigger **parallel investigations** by both data protection authorities and sectoral regulators. In cases concerning personal data, the Data Protection Authorities (DPA) are also responsible for monitoring the application of the Data Act as provided by Article 37(3) of the Data Act. \r\n\r\nAll obligations under the **GDPR** (legal basis, minimization, anonymization, data subject rights) remain in force. Failures to provide data that includes personal information may trigger **combined Data Act and GDPR claims**, with damages sought under **Article 82 GDPR**.\r\n\r\nHowever, in the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data prevail (cf. Article 1(5) of the Data Act).\r\n\r\nBusinesses and users harmed by a refusal to share data, or by anti-competitive conditions, can **bring disputes before courts or dispute settlement bodies**. Expect **collective actions** (consumer or SME associations) in Member States where this is allowed.\r\n\r\nIncomplete or misleading **pre-contractual disclosures** on data usage and access rights will expose companies to **consumer law claims** under Directives 93/13/EEC and 2005/29/EC.\r\n\r\n---\r\n\r\n## What businesses should do now\r\n\r\n> According to the [Commission's statement released today](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078), it will support Data Act implementation by launching a **Legal Helpdesk** to assist companies, issuing **guidance on trade secrets protection**, and publishing **model terms for data sharing** as well as **standard clauses for cloud contracts** to ease compliance.\r\n\r\nBut until then, here are some necessary practical steps:\r\n\r\n- **Map your data flows and use cases**: identify all data generated by connected products and related services, classify it as personal/non-personal, identify their origin, and document lawful bases. Identifiy whether it is protected by sector-specific rules or not.\r\n\r\n- **Adapt your systems for interoperability:** Ensure technical readiness to deliver data in structured, standardized, and machine-readable formats. Upgrade or implement APIs and sharing mechanisms that support accessibility, portability, and interoperability in line with the Act’s requirements.\r\n\r\n- **Document exceptions**: establish a process for refusing access based on trade secrets or safety, with justification.\r\n\r\n- **Strengthen governance**: Analyze who controls the access to data. Review existing data-sharing arrangements, particularly in B2B contexts.\r\n\r\n- **Update contracts**: include mandatory transparency clauses and prepare for cloud switching obligations.\r\n\r\n- **Establish internal policies:** Develop and document clear internal data-sharing policies aligned with transparency and fairness obligations. Specify what data can be shared, on what terms, with whom, and for which purposes, and ensure this is communicated consistently to users and partners.\r\n\r\n- **Ensure GDPR alignment:** Map and reconcile overlaps between the Data Act and the GDPR. Document the legal basis for processing personal data, and ensure compliance is reflected in privacy notices, consent mechanisms, and records of processing activities.\r\n\r\n- **Manage international transfers:** Implement protocols to assess and, where necessary, restrict transfers of non-personal data to non-EU authorities. Establish internal processes for evaluating legality, notifying users, and complying with EU restrictions.\r\n\r\n> For more details, consult the FAQ of the European Commission [here](https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act)","\u003Cp>On \u003Cstrong>September 12th 2025\u003C/strong>,\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng\" rel=\"nofollow\"> the EU \u003Cstrong>Data Act\u003C/strong> (Regulation (EU) 2023/2854) \u003C/a>officially goes live. After entering into force in January 2024, the regulation now becomes operational. It creates new rules on who can access and use industrial data generated by connected products in the EU across all economic sectors.\u003C/p>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\" rel=\"nofollow\">Read today’s statement from the European Commission on this topic\u003C/a>\u003C/div>\r\n\u003Cp>The Data Act is a cornerstone of the \u003Cstrong>European Data Strategy\u003C/strong> and the \u003Cstrong>Digital Decade 2030\u003C/strong>. Its central aim is to unlock \u003Cstrong>the value of industrial and IoT data, ensuring it is accessible, reusable, and portable by eliminationg all barriers to the free flow of data with the Union.\u003C/strong>\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cem>\"A key objective of the Data Act is to \u003Cstrong>create fairness in the data economy\u003C/strong> and \u003Cstrong>empower users\u003C/strong> to reap value from the data they generate using the connected products that they own, rent or lease\"\u003C/em> (\u003Ca href=\"https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained\" rel=\"nofollow\">Data Act explained, European Commission\u003C/a>).\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch3 id=\"scope-of-application-who-and-what-falls-under-the-data-act\">Scope of application: who and what falls under the Data Act?\u003C/h3>\r\n\u003Ctable style=\"min-width: 75px\">\r\n\u003Ccolgroup>\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003C/colgroup>\u003Ctbody>\u003Ctr>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Category\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Coverage under the Data Act&nbsp;\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Comments/Examples\u003C/p>\u003C/th>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Items\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cul class=\"tight\" data-tight=\"true\">\u003Cli>\u003Cp>\u003Cstrong>Connected products\u003C/strong>: physical items that generate, collect or obtain data concerning its use or environment &amp; can communicate it via a connection (WiFi, Bluetooth, USB, etc.), on-device access, or via an electronic communications service (Article 2.5)\u003Cbr>\u003C/p>\u003Cp>\u003C/p>\u003C/li>\u003Cli>\u003Cp>A \u003Cstrong>related service\u003C/strong> is installed on the product, and can be connected with the product at the time of the purchase, rent or lease or by the manufacturer (Article 2.6)\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cul class=\"tight\" data-tight=\"true\">\u003Cli>\u003Cp>\u003Cstrong>Examples of connected products\u003C/strong> include smart vehicles, wearable health trackers, MRI scanners, industrial robots, household appliances like smart refrigerators or washing machines, and connected energy meters.\u003C/p>\u003Cp>\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cstrong>Related services\u003C/strong> are those that allow the product to operate in a specific way or enhance its functionality — for instance, a mobile app to control home lighting, software that adjusts irrigation levels in smart farming equipment, or a platform that monitors and optimizes the performance of wind turbines.\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Operators involved\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Manufacturers of connected product, provider of a related service and every operator of a cloud infrastructure in Europe.\u003C/p>\u003Cp>\u003Cbr>Providers of data processing providers globally, excluding conventional hosting services.\u003C/p>\u003Cp>\u003C/p>\u003Cp>A data holder is typically the company that makes the connected product or that provides a related service.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Example of providers of data processing: Cloud IaaS, PaaS, Saas, Storage, Data, Edge\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Users &amp; Recipients\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Users and data recipients must be in the EU. \u003Cbr>\u003C/p>\u003Cp>Public bodies when relevant.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>A user can be both a natural person or a legal person.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Sectors\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Across all sectors. \u003Cbr>\u003Cbr>Includes public sector bodies.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Industrial IoT, automotive, fintech, healthcare devices, energy, logistics, gaming platforms, insurance services relying on telematics, and cloud computing.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Data in scope\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>All raw and pre-processed data generated from the use of a connected product or a related service that is readily available to the data holder.\u003C/strong>\u003C/p>\u003Cp>\u003Cbr>Readily available data means that the data holder actually has, or can obtain without disproportionate effort.\u003C/p>\u003Cp>\u003C/p>\u003Cp>Personal and non-personal data (e.g machine readings) including relevant meta data. this includes:\u003C/p>\u003Cul class=\"tight\" data-tight=\"true\">\u003Cli>\u003Cp>Data resulting from the use of a connected product\u003C/p>\u003C/li>\u003Cli>\u003Cp>Data that must be shared legally\u003C/p>\u003C/li>\u003Cli>\u003Cp>Data that can be shared under contractual obligation\u003C/p>\u003C/li>\u003Cli>\u003Cp>Data via data processing services\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>The Data Act’s definition of data is broad: data is any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recordings.\u003C/p>\u003Cp>\u003C/p>\u003Cp>Everything generated by connected products is included, like simple status indicators, user interactions data and malfunction reports.\u003C/p>\u003C/td>\u003C/tr>\u003C/tbody>\r\n\u003C/table>\r\n\u003Ch3 id=\"new-access-right-to-data-generated-by-connected-products-or-related-services\">New access right to data generated by connected products or related services\u003C/h3>\r\n\u003Ctable style=\"min-width: 75px\">\r\n\u003Ccolgroup>\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003C/colgroup>\u003Ctbody>\u003Ctr>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Category\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Coverage under the Data Act\u003C/p>\u003C/th>\u003Cth colspan=\"1\" rowspan=\"1\">\u003Cp>Comments/examples\u003C/p>\u003C/th>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Data portability &amp; access to data\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>The principle is simple: if a connected product or related services generates data, the user (natural or legal person) must be able to access it. \u003C/strong>That means:\u003C/p>\u003Cul>\u003Cli>\u003Cp>\u003Cstrong>Full product and service data\u003C/strong> must be made available, not curated extracts.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Access must be \u003Cstrong>timely, free of charge\u003C/strong>, in a \u003Cstrong>structured, machine-readable format\u003C/strong>, and \u003Cstrong>real time\u003C/strong> where feasible.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Users may share data with \u003Cstrong>third parties of their choice\u003C/strong> directly or can ask the data holder to do so.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>With only limited compensation allowed for substantial investments in a B2B setting.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>A car owner gains access to all maintenance logs, not only summaries. \u003Cbr>\u003Cbr>A tenant can request detailed smart home data.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Limits and safeguards\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Not all data must be shared. The Act applies\u003Cstrong> only to readily accessible data\u003C/strong>, \u003Cstrong>that doesn't invovle disproportionnate effort. I\u003C/strong>nferred or derived data and content (e.g. highly enriched data, audiovisual material) are out of scope.\u003C/p>\u003Cp>\u003Cbr>Access may be withheld when disclosure would compromise \u003Cstrong>trade secrets or safety\u003C/strong>, but such refusals must be \u003Cstrong>justified in writing\u003C/strong> and are subject to oversight and dispute resolution.\u003C/p>\u003Cp>\u003C/p>\u003Cp>Platforms designated as \u003Cstrong>gatekeepers \u003C/strong>under the meaning of the Digital Markets Act, do not benefit from the rights.\u003C/p>\u003Cp>\u003C/p>\u003Cp>\u003Cstrong>Micro and SMEs \u003C/strong>are not subject to the same duties imposed on larger companies, in particular regarding mandatory data sharing.\u003C/p>\u003Cp>\u003C/p>\u003Cp>The data obtained cannot be used to develop a \u003Cstrong>competing connected product\u003C/strong>.\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Blanket refusals invoking intellectual property rights or trade secrets will no longer suffice. \u003Cbr>\u003C/p>\u003Cp>The data holder may only refuse to share data where it can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Precontractual duties\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>The Act also reshapes the sales process. \u003Cstrong>Before selling or leasing a connected product or service, \u003C/strong>businesses must inform users about:\u003C/p>\u003Cul>\u003Cli>\u003Cp>What data will be generated;\u003C/p>\u003C/li>\u003Cli>\u003Cp>Where and how it will be stored;\u003C/p>\u003C/li>\u003Cli>\u003Cp>How and when it can be accessed;\u003C/p>\u003C/li>\u003Cli>\u003Cp>Whether access is continuous or periodic.\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>This requires businesses to set up clear protocols and train sales teams who will have to communicate this information before contracts are signed.\u003C/p>\u003C/td>\u003C/tr>\u003C/tbody>\r\n\u003C/table>\r\n\u003Ch3 id=\"section\">\u003C/h3>\r\n\u003Chr />\r\n\u003Ch3 id=\"mandatory-business-to-business-data-sharing\">Mandatory Business-to-Business data sharing\u003C/h3>\r\n\u003Cp>The Data Act’s Chapter III sets out rules for cases where a \u003Cstrong>business is legally obliged under EU or national law to make data available to another business (“data recipient”)\u003C/strong>, including in the IoT context. Such data-sharing must always take place on fair, reasonable and non-discriminatory terms.\u003C/p>\r\n\u003Cp>The rules cover all types of data, both personal and non-personal, including situations already addressed in Chapter II on user access rights. In practice, data holders can charge for the costs incurred in making data available, such as extraction, dissemination and storage. However, micro-enterprises, SMEs and non-profit research organisations can only be charged cost-based fees, with no additional margin.\u003C/p>\r\n\u003Cp>To protect data holders, the Act also introduces remedies in cases of unlawful access or misuse of data. Possible measures include requiring the infringing party to stop producing the product concerned, to destroy unlawfully obtained data, or to provide compensation.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"fairness-in-contracts-no-more-unbalanced-terms\">Fairness in contracts: no more unbalanced terms\u003C/h3>\r\n\u003Cp>\u003Cbr />\r\nA \u003Cstrong>data holder\u003C/strong> is required to enter into a contract with the user — for example, a sales, rental, or related service agreement — which must define the user’s rights concerning the \u003Cstrong>access, use, and sharing of data\u003C/strong> generated by the connected product or related service.\u003Cbr />\r\n\u003Cbr />\r\nWhere the Data Act governs the relationship between the manufacturer of a connected product (or provider of a related service) and the end-user, it introduces specific contractual obligations. In this context, EU consumer protection law continues to apply, in particular \u003Cstrong>Directive 93/13/EEC on unfair terms in consumer contracts\u003C/strong> and \u003Cstrong>Directive 2005/29/EC on unfair commercial practices\u003C/strong>, ensuring that users are protected against unfair contractual provisions.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"no-more-vendor-lock-in-switching-between-data-processing-providers-made-easy\">No more vendor lock-in: switching between data processing providers made easy\u003C/h3>\r\n\u003Cp>To promote a \u003Cstrong>competitive digital market within the EU\u003C/strong>, customers of data processing services, including cloud and edge computing, must be able to \u003Cstrong>switch providers seamlessly\u003C/strong>. At present, such switching is often hindered by significant obstacles, such as \u003Cstrong>excessive egress fees, lengthy and complex procedures, and insufficient interoperability\u003C/strong> between providers, which can lead to the loss of data or applications.\u003C/p>\r\n\u003Cp>The \u003Cstrong>Data Act\u003C/strong> addresses these issues.\u003C/p>\r\n\u003Ctable style=\"min-width: 50px\">\r\n\u003Ccolgroup>\u003Ccol style=\"min-width: 25px\">\u003Ccol style=\"min-width: 25px\">\u003C/colgroup>\u003Ctbody>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Scope\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>Providers of IaaS, PaaS, SaaS, and other models. E.g: Google Cloud, OVH Cloud, Azure...\u003Cbr>\u003Cbr>Assess whether your services fall within the scope of Chapter VI of the Data Act.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Objective\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>In Commission words: \"Promote competition and choice on the market while preventing vendor lock-in.\"\u003Cbr>\u003Cbr>By requiring that switching be \u003Cstrong>free of charge, efficient, and technically smooth\u003C/strong>, the framework strengthens customer choice by enabling them to select the services that best meet their needs, while also fostering competition by expanding the potential customer base available to providers.\u003C/p>\u003C/td>\u003C/tr>\u003Ctr>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cp>\u003Cstrong>Concrete obligations\u003C/strong>\u003C/p>\u003C/td>\u003Ctd colspan=\"1\" rowspan=\"1\">\u003Cul>\u003Cli>\u003Cp>Must \u003Cstrong>remove obstacles to switching to another provider or to an on-premise infrastructure\u003C/strong>, including technical and contractual barriers.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Contracts must include \u003Cstrong>switching rights\u003C/strong>, short \u003Cstrong>notice periods\u003C/strong> (max. two months), \u003Cstrong>data portability conditions\u003C/strong> &amp; data transfer methods.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Set up\u003Cstrong> technical infrastructure for data transfer\u003C/strong> and ensure compatibility with interoperability standards.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Support \u003Cstrong>migration\u003C/strong>, maintain \u003Cstrong>businesss continuity,\u003C/strong> functional \u003Cstrong>equivalence \u003C/strong>and secure data transfers within 30 days. Data retrieval under 30 days.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Phase out \u003Cstrong>exit fees \u003C/strong>by January 2027, after which only cost-based charges remain.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Implement \u003Cstrong>transparency measures \u003C/strong>such as making available information on the switching procedure.\u003C/p>\u003C/li>\u003C/ul>\u003C/td>\u003C/tr>\u003C/tbody>\r\n\u003C/table>\r\n\u003Ch3 id=\"section-1\">\u003C/h3>\r\n\u003Ch3 id=\"what-about-b2g-business-to-government-data-sharing\">What about B2G, Business-to-government data sharing?\u003C/h3>\r\n\u003Cp>\u003Cbr />\r\nChapter V of the Data Act establishes a framework for \u003Cstrong>business-to-government (B2G) data sharing\u003C/strong> in situations of \u003Cstrong>exceptional need\u003C/strong>, where data held by private entities is necessary for public authorities to carry \u003Cstrong>out tasks in the public interest.\u003C/strong>\u003C/p>\r\n\u003Cp>Exceptional need covers both \u003Cstrong>public emergencies\u003C/strong> — such as natural disasters, pandemics, or cybersecurity incidents — and \u003Cstrong>non-emergency situations\u003C/strong>, such as improving traffic management through aggregated, anonymised GPS data.\u003C/p>\r\n\u003Cul>\r\n\u003Cli>In emergency scenarios, public authorities may request access to data, which must be provided swiftly, securely and free of charge, unless justified costs are involved. While the default focus is on non-personal data, personal data may also be requested if strictly necessary, with anonymisation applied wherever possible.\u003C/li>\r\n\u003Cli>For \u003Cstrong>non-emergency public interest purposes\u003C/strong>, authorities may only request non-personal data, and data holders are entitled to \u003Cstrong>fair compensation\u003C/strong> for the costs of preparing and transmitting it.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Requests must always be specific, proportionate and transparent, and must not impose an undue administrative burden on companies.\u003Cbr />\r\n\u003Cbr />\r\nEntities entitled to request data include \u003Cstrong>national public sector bodies, EU institutions, agencies and certain research organisations\u003C/strong>. Data holders are typically private companies, but may also include public undertakings.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"how-companies-must-handle-international-requests\">How companies must handle international requests\u003C/h3>\r\n\u003Cp>The Data Act introduces specific safeguards to prevent \u003Cstrong>unlawful access or transfer of non-personal data held in the EU\u003C/strong> by governments of third countries (i.e., non-EU states). \u003Cbr />\r\n\u003Cbr />\r\nThese provisions respond to the growing concern that foreign authorities may issue decisions or judgments compelling companies to disclose or transfer data stored in the EU, even when such requests conflict with EU law, the protection of fundamental rights, national security interests, or the confidentiality of sensitive commercial information.\u003C/p>\r\n\u003Cp>Building on the approach of the \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/policies/data-governance-act\" rel=\"nofollow\">\u003Cstrong>Data Governance Act\u003C/strong>\u003C/a>, the Data Act reinforces transparency and legal certainty by clearly setting out the conditions under which non-personal data may be accessed by foreign authorities.\u003C/p>\r\n\u003Cp>For businesses — including \u003Cstrong>cloud providers, data intermediaries and companies offering digital products and services\u003C/strong> — the rules impose new obligations. They must \u003Cstrong>carefully assess whether a foreign government’s request complies with EU law and, where necessary, challenge unlawful demands.\u003C/strong> Any transfer of non-personal data to a third country must meet \u003Cstrong>strict safeguards,\u003C/strong> which may include judicial authorization and respect for EU fundamental rights standards.\u003C/p>\r\n\u003Chr />\r\n\u003Ch2 id=\"challenges-enforcement-risks\">Challenges &amp; enforcement risks\u003C/h2>\r\n\u003Cp>From 12 September, \u003Cstrong>Member States\u003C/strong> must adopt their own national enforcement regimes by \u003Cstrong>12 September 2025\u003C/strong>, ensuring penalties are \u003Cem>effective, proportionate, and dissuasive\u003C/em>. These may include \u003Cstrong>financial fines\u003C/strong>, \u003Cstrong>orders to comply\u003C/strong>, \u003Cstrong>warnings\u003C/strong>, or even \u003Cstrong>suspension of processing activities.\u003C/strong>\u003C/p>\r\n\u003Cp>Companies must comply simulatneously with the GDPR since many data sets include personal data. In some cases, the Data Act will complement the GDPR such as the case of real-time portability of data from IoT objects. Sometimes, it restricts the re-use of data by third parties as provided by Article 6 of the Data Act.\u003C/p>\r\n\u003Cp>Failure to properly distinguish between personal and non-personal data could trigger \u003Cstrong>parallel investigations\u003C/strong> by both data protection authorities and sectoral regulators. In cases concerning personal data, the Data Protection Authorities (DPA) are also responsible for monitoring the application of the Data Act as provided by Article 37(3) of the Data Act.\u003C/p>\r\n\u003Cp>All obligations under the \u003Cstrong>GDPR\u003C/strong> (legal basis, minimization, anonymization, data subject rights) remain in force. Failures to provide data that includes personal information may trigger \u003Cstrong>combined Data Act and GDPR claims\u003C/strong>, with damages sought under \u003Cstrong>Article 82 GDPR\u003C/strong>.\u003C/p>\r\n\u003Cp>However, in the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data prevail (cf. Article 1(5) of the Data Act).\u003C/p>\r\n\u003Cp>Businesses and users harmed by a refusal to share data, or by anti-competitive conditions, can \u003Cstrong>bring disputes before courts or dispute settlement bodies\u003C/strong>. Expect \u003Cstrong>collective actions\u003C/strong> (consumer or SME associations) in Member States where this is allowed.\u003C/p>\r\n\u003Cp>Incomplete or misleading \u003Cstrong>pre-contractual disclosures\u003C/strong> on data usage and access rights will expose companies to \u003Cstrong>consumer law claims\u003C/strong> under Directives 93/13/EEC and 2005/29/EC.\u003C/p>\r\n\u003Chr />\r\n\u003Ch2 id=\"what-businesses-should-do-now\">What businesses should do now\u003C/h2>\r\n\u003Cblockquote>\r\n\u003Cp>According to the \u003Ca href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078\" rel=\"nofollow\">Commission's statement released today\u003C/a>, it will support Data Act implementation by launching a \u003Cstrong>Legal Helpdesk\u003C/strong> to assist companies, issuing \u003Cstrong>guidance on trade secrets protection\u003C/strong>, and publishing \u003Cstrong>model terms for data sharing\u003C/strong> as well as \u003Cstrong>standard clauses for cloud contracts\u003C/strong> to ease compliance.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>But until then, here are some necessary practical steps:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Map your data flows and use cases\u003C/strong>: identify all data generated by connected products and related services, classify it as personal/non-personal, identify their origin, and document lawful bases. Identifiy whether it is protected by sector-specific rules or not.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Adapt your systems for interoperability:\u003C/strong> Ensure technical readiness to deliver data in structured, standardized, and machine-readable formats. Upgrade or implement APIs and sharing mechanisms that support accessibility, portability, and interoperability in line with the Act’s requirements.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Document exceptions\u003C/strong>: establish a process for refusing access based on trade secrets or safety, with justification.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Strengthen governance\u003C/strong>: Analyze who controls the access to data. Review existing data-sharing arrangements, particularly in B2B contexts.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Update contracts\u003C/strong>: include mandatory transparency clauses and prepare for cloud switching obligations.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Establish internal policies:\u003C/strong> Develop and document clear internal data-sharing policies aligned with transparency and fairness obligations. Specify what data can be shared, on what terms, with whom, and for which purposes, and ensure this is communicated consistently to users and partners.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Ensure GDPR alignment:\u003C/strong> Map and reconcile overlaps between the Data Act and the GDPR. Document the legal basis for processing personal data, and ensure compliance is reflected in privacy notices, consent mechanisms, and records of processing activities.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Manage international transfers:\u003C/strong> Implement protocols to assess and, where necessary, restrict transfers of non-personal data to non-EU authorities. Establish internal processes for evaluating legality, notifying users, and complying with EU restrictions.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>For more details, consult the FAQ of the European Commission \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act\" rel=\"nofollow\">here\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n","The Data Act goes live: what now? ","From 12 Sept 2025, the Data Act sets strict rules on access, portability, and cloud switching. Learn what companies must prepare.",3112,17,0,"","en","the-data-act-goes-live-what-now","Published",{"id":17,"displayName":18,"avatarUrl":19,"bio":20,"blogUrl":20,"color":20,"userId":17,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png",null,"2025-03-03T11:08:22","2025-09-12T09:05:00","2025-09-11T12:05:02.9743304","2025-10-10T10:32:41.7336879",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":20,"count":20,"imageUrl":20,"parent":20,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","article","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42,47,68],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":20,"count":20,"imageUrl":20,"parent":20,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},{"id":48,"name":49,"description":50,"url":51,"color":52,"parentId":26,"count":20,"imageUrl":20,"parent":53,"order":11,"translations":58},9,"News","Stay up to date with the latest news from data protection authorities: decisions, fines, guidelines, and regulatory trends in GDPR and privacy.","news","#1676ca",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":20,"count":20,"imageUrl":20,"parent":20,"order":11,"translations":54},[55,56,57],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[59,62,65],{"lang":33,"name":60,"description":61},"Actualités","Suivez les dernières actualités des autorités de protection des données (CNIL, EDPS, etc.) : décisions, sanctions, lignes directrices et tendances réglementaires en matière de RGPD et de privacy.",{"lang":36,"name":63,"description":64},"Actualidad","Todos los artículos relativos a las autoridades de protección de datos",{"lang":39,"name":66,"description":67},"Nachrichten","Alle Artikel mit Bezug zu Datenschutzbehörden",{"id":69,"name":70,"description":71,"url":72,"color":73,"parentId":26,"count":20,"imageUrl":20,"parent":74,"order":79,"translations":80},69,"Expertise","Gain insights from our experts on GDPR compliance, data protection, and privacy challenges. In-depth articles, professional analysis, and real-world best practices.","indepth","#000000",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":20,"count":20,"imageUrl":20,"parent":20,"order":11,"translations":75},[76,77,78],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},5,[81,83,86],{"lang":33,"name":70,"description":82},"Bénéficiez des conseils de nos experts sur la conformité RGPD, la protection des données et les enjeux privacy. Articles de fond, analyses et retours d’expérience métier.",{"lang":39,"name":84,"description":85},"Fachwissen","Entdecken Sie die Artikel unserer DSGVO-Experten",{"lang":36,"name":87,"description":88},"Experiencia","Descubre los artículos de nuestros expertos en Privacy",[],"https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-original.png",[92,93,94,95,96,97,98],"https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-1000.webp","https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article.webp","https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-1500.webp","https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-800.webp","https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-600.webp","https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-300.webp","https://static.dastra.eu/content/87318bf5-a688-4613-ae7a-6d72365ad487/visuel-article-100.webp",59584]