Give users access to connected-product data, share data on fair terms, remove unfair contractual clauses and enable cloud switching — the Data Act obligations, tracked in one workspace.
In force since
Applies since 12 September 2025
Who must comply
Connected-product manufacturers, data holders, and cloud and edge service providers
Penalties
Set by each Member State — effective, proportionate, dissuasive (Art. 40)
The Data Act governs access to and use of data from connected products and related services, and switching between data processing services. Microenterprises and small enterprises are largely exempt from the data-access obligations. This is guidance, not legal advice.
The Data Act rebalances who can access and use the data that connected products and cloud services generate:
Design connected products and related services so the data they generate is accessible to the user by default, and let users share it with third parties.
Where data must be made available, do so on fair, reasonable, non-discriminatory and transparent (FRAND) terms, for reasonable compensation.
Data-access and data-use terms unilaterally imposed on a smaller business are not binding where they are unfair.
Remove the contractual, commercial and technical obstacles to switching between data processing services, and phase out switching charges.
Turn the Data Act's chapters into tracked workflows and evidence — across connected-product data, contracts and cloud switching.
Map the data your connected products and related services generate, and the access and sharing requests against it (Chapter II).
Track the contractual and technical steps to remove switching obstacles and meet the Chapter VI portability obligations.
Review data-sharing contracts against the unfair-terms test (Article 13) and the FRAND and compensation rules (Chapter III).
Reuse Data Act controls alongside GDPR, NIS2 and the EU AI Act through the framework-mapping engine.
It applies to manufacturers of connected products and providers of related services placed on the EU market, to the users of those products, to data holders that make data available, to data recipients, and to providers of data processing services such as cloud and edge. Microenterprises and small enterprises are largely exempt from the data-access obligations.
The Data Act entered into force in January 2024 and applies from 12 September 2025, with some provisions phased — for example, the connected-product design obligation applies to products placed on the market from 12 September 2026.
A connected product is an item that obtains, generates or collects data about its use or environment and can communicate that data — an IoT device — together with the related services that make it work. The data they generate is the focus of the Chapter II access rights.
Chapter VI requires providers of data processing services to remove the contractual, commercial and technical obstacles that stop customers switching to another provider or to on-premises infrastructure, and to phase out switching charges.
Penalties are set by each Member State and must be effective, proportionate and dissuasive (Article 40); there is no single EU-wide cap. Where an infringement concerns personal data, the GDPR penalty regime — up to €20 million or 4% of worldwide turnover — can apply.
Take the free self-assessment to map your Data Act readiness in a few minutes — no account required.