The digital economy runs on data, yet much of this data remains locked in silos, fragmented across sectors, and inaccessible to those who could generate value from it. The European Union (“EU”) Data Act aims to change that. By creating a common framework for fair access to and use of data, it promises to transform the way individuals, businesses, and public bodies share and benefit from one of today’s most valuable resources. This addresses the existing challenges and barriers to data sharing within the EU internal market.
This cross-sectoral regulation harmonises rules on data access and use across all Member States. It is designed to empower users—both consumers and businesses—by giving them greater control over data generated through connected devices or related services. It also clarifies who can use what data (including industrial data) and under which conditions. Furthermore, it promises a step change in data portability.
The Data Act pursues threemain goals:
1. to make data more accessible and usable for businesses and consumers;
2. to mitigate the abuse of contractual imbalances that impede equitable data sharing; and
3. to enhance the interoperability of data, as well as data-sharing mechanisms and services in the EU.
This regulation complements other cornerstone EU instruments, such as the Data Governance Act and the GDPR, positioning Europe as a leader in designing a trusted and competitive data ecosystem.
II. Who does the Data Act apply to?
The Data Act’s scope is deliberately broad. It covers both personal and non-personal data and captures a wide spectrum of actors, reflecting the complexity of today’s data economy and affecting nearly all participants in the data value chain. These include:
– Manufacturers of connected products (e.g., smart appliances, vehicles, industrial machinery);
– Service providers connected to those products, such as predictive maintenance or monitoring platforms;
– Data holders and recipients, including businesses requesting access to another entity’s data;
– Providers of data processing services, especially cloud providers tasked with ensuring interoperability and switching freedom;
– Public sector bodies, which may obtain data from companies under certain conditions (e.g., public emergencies);
Vendors and persons deploying smart contracts (e.g., developers) to ensure trustworthy, automated data sharing.
III. From Law in the Books to Law in Action
Following a transition period of almost two years, the Data Act came into effect on 12 September 2025, introducing several new rights and obligations. This means both consumers and businesses must ensure compliance and understand what opportunities the new framework may bring.
However, the question remains: will the Data Act achieve its purpose of creating a fair, innovative, and competitive European data economy?
Although the Data Act is not one of the EU’s lengthiest regulations, with 119 recitals and 50 articles, its technical density and interlinked provisions make its implementation far from straightforward.
Even with a transitional period, many aspects of the diploma remain uncertain and will only become clearer once it becomes law in action.
Two main issues are expected to be further clarified in the future:
1. How will the Data Act interact with other legal frameworks?
As a horizontal framework, the Data Act overlaps with existing laws governing privacy, trade secrets and sectoral data rules. Questions will arise when harmonising the different applicable rules in the specific case.
(a) Relationship with the GDPR
The Data Act clearly states that, in case of conflict, the GDPR prevails where personal data is involved. While this rule is simple on paper, its application in casu raises practical dilemmas: how can businesses easily distinguish between personal and non-personal data derived from connected products and related services? In many cases, the distinction is blurred, especially when datasets combine information on both human behaviour and automated system performance, for example.
Therefore, to stay compliant, organisations must build robust mechanisms to differentiate and segregate data categories, ensuring that personal data continues to be processed in line with the GDPR principles of lawfulness, transparency, and purpose limitation.
(b) Relationship with Trade Secrets Law
Another layer of complexity lies in the overlap with the protection of trade secrets, (e.g., Directive (EU) 2016/943). The Data Act requires data holders to share certain data with users or third parties chosen by the user, even when such data qualifies as a trade secret.This sharing must take place under conditions that preserve their confidentiality.
However, there are a few exceptions: data holders may refuse access if there is no agreement on the necessary measures to be put in place, if the user fails to implement the agreed measures, or if the data holders can demonstrate that disclosure is likely to cause serious economic damage to the business. Therefore, the challenge is operational: how can this framework be implemented in practice? To what extent will businesses be able to rely on the existing exceptions, or will the general rule apply in most cases, potentially resulting in real risks or financial damages to their business?
The answer will depend on how supervisory authorities and courts interpret the balance between openness and the protection of legitimate economic interests over the coming years.
2. How will several of the obligations under the Data Act apply in practice?
A second major concern lies in the practical implementation of the Data Act’s obligations, many of which involve complex technical and organisational requirements. The Act itself contains numerous technical and abstract terms, as well as new concepts with specific definitions (e.g., a “data recipient”, for the purposes of the Data Act, is a distinct term from “consumer”). Not all implications of these rules are immediately clear upon reading. Additionally, many complementary acts have yet to be adopted, even though several obligations have been applicable since 12 September 2025, with others becoming applicable by 2027.
(a) Designing Products for Data Accessibility
As of 12 September 2026, connected products and related services must be designed, manufactured and provided in such a manner that product data and related service data (including metadata) is easily and securely accessible to the user by default, free of charge, and in a structured, commonly used, and machine-readable format.
In practical terms, this means a connected device, such as a smart car, must allow users, or service providers chosen by them, to access its data. This enables competition and innovation, for instance, by allowing independent repairers to develop new services for that car model.
This could be achieved through a simple request process, whereby the user cannot access the data directly. However, the provision introduces an open-ended clause: manufacturers must ensure direct accessibility to the user “where relevant and technically feasible”.
What implications does this have for manufacturers of connected products and providers of related services? The absence of clear criteria for assessing technical feasibility or defining “direct access” creates significant uncertainty. Will regulators require proactive design changes, or will demonstrating “best efforts” be sufficient? Guidance and delegated acts are expected to provide clarification on these obligations.
(b) Switching Cloud and Data Processing Services
Another operationally sensitive obligation concerns data switching. From 12 January 2027, providers of data processing services (such as cloud providers) will be prohibited from charging customers switching fees for the switching process. These fees typically include costs related to data transfer (data egress charges) or specific support services during migration. While the abolition of such fees aims to prevent customer lock-in, it raises a fundamental question: who will absorb these costs? If cloud providers pass them on indirectly to end users, the objective of promoting fair competition could be compromised. The Commission is empowered to adopt delegated acts establishing mechanisms to monitor switching costs; however, these rules remain pending.
These examples reflect a broader truth: while the regulation aspires to simplify data access, it introduces significant compliance engineering challenges for manufacturers, service providers, and cloud operators alike.
The EU Commission recognises these challenges and has proposed the Digital Omnibus Regulation to address them. This proposal seeks to create a unified data framework by integrating the Free Flow on Non-Personal Data Regulation, the Data Governance Act and Open Data Directive into the Data Act. It also proposes amendments to the Data Act itself, notably regarding key concerns on the implementation of the above-mentioned rules on trade secret protection and cloud switching, among others. Whether yet another legislation will achieve the desired simplification, optimisation and competitiveness of the digital acquis is yet to be known.
IV. What Comes Next?
The Data Act represents a bold step in the EU’s digital strategy, but its impact will depend on how stakeholders, regulators, and courts interpret its provisions and on how forthcoming delegated acts by the Commission fill the remaining gaps.
In the coming years:
– Businesses must map data flows and realign contracts to reflect new data-sharing rights and obligations;
– Product designers and engineers should integrate data accessibility from the earliest design stages;
– Cloud and data service providers will need to plan for switching-cost transparency and service portability;
– Supervisory authorities and the European Commission must coordinate enforcement efforts to avoid inconsistent interpretations across Member States;
– Stakeholders should closely monitor the Digital Omnibus Regulation Proposal, as it may introduce further changes to the data economy framework.
The regulation’s success will ultimately depend on the EU’s ability to strike a careful equilibrium: fostering a dynamic, open data economy without undermining competitiveness, privacy, or innovation incentives.
In essence, the Data Act is both ambitious and necessary. By turning the principle of “data fairness” into practice, it challenges all stakeholders to approach compliance with both legal rigour and strategic vision.
