
Blog | SEP 21, 2025

Understanding the EU Data Act: What It Means for IoT Data Compliance and Sharing in 2025


The EU Data Act is now fully applicable as of September 2025, and it's not just another compliance hurdle; it's a turning point for the future of IoT. As data rights shift toward users, manufacturers and service providers must rethink how they design, communicate, and compete. Learn what this means for data-sharing ecosystems and why strategic adaptation now could lead to long-term business advantage.

The European Union’s Data Act, Regulation (EU) 2023/2854, which entered into force in January 2024 and became enforceable across all EU member states in September 2025, represents a bold step toward democratizing access to data in the EU's rapidly expanding digital economy. It is not just another regulatory formality: it redefines how connected device data is owned, accessed, and shared.

The EU Data Act, a regulation designed to shape the future of IoT and cloud data governance, was created with consumers in mind, specifically their right to safely and easily access the data generated by the devices they own, rent, or lease. But the implications of the regulation go much further. It offers a unique opportunity for IoT device manufacturers and data-driven businesses to stand out in a competitive market. By embracing transparency, interoperability, and user empowerment, manufacturers can position themselves as the most connected, secure, and data-centric technology providers in the industry.

According to the regulation, users must be able to access their IoT-generated data easily, at no additional cost. This includes not only the raw data itself but also clear pre-sale information from the seller. Before a purchase, lease, or rental agreement is made, users must be informed about what types of data the product generates, how they’ll be able to access it (such as through an API, SDK, or data platform), the expected data volume, and the format in which it will be delivered. This information must be presented in a way that is both comprehensible and storable for future reference, introducing a new layer of transparency into the buyer's decision-making process.

Why Was the Regulation Created?

Before the Data Act, the data landscape was fragmented. Companies often withheld data from users, there was widespread uncertainty around data ownership rights, and accessing one's own data often required complex and expensive technical setups. Data was locked in incompatible systems and silos, and even when it was technically accessible, poor metadata and a lack of standard practices made it difficult to use meaningfully. Interoperability was the exception rather than the norm, and switching between service providers, especially cloud platforms, was anything but simple.

The EU Data Act addresses these challenges by introducing common standards, clear rights, and obligations. It aims to make industrial data sharing more efficient, secure, and user-friendly. Among its key goals are unlocking the value of non-personal IoT data, making it easier to switch between cloud infrastructure providers, and establishing fair conditions for data access and use. The legislation also promotes the development of a more competitive digital ecosystem by reducing dependency on dominant tech players and promoting SME access to essential IoT data.

So first, let’s dive into the regulation itself and then explore what it means for the various stakeholders in the digital ecosystem, especially manufacturers of connected products and IoT systems.

Timeline

The regulation entered into force in January 2024 and became enforceable across all EU member states in September 2025, with a few exceptions noted in the timeline. The transition period has now ended, and organizations are expected to be fully compliant.

[Figure: Data Act Timeline]

The Scope of the Data Act: Who Does It Affect?

The EU Data Act applies broadly across the data economy. It affects individuals and businesses who generate data through connected products, but also places significant obligations on those who control access to that data, particularly IoT product manufacturers, service providers, and digital infrastructure companies. Public sector bodies are given defined rights to access data during emergencies, while data intermediaries are tasked with facilitating trusted and compliant data exchanges.

Importantly, the regulation covers both personal and non-personal data. Personal data remains under the domain of GDPR, while the Data Act focuses heavily on sensor-generated data, operational performance metrics, and usage data, often originating from IoT and industrial systems.

Delegated acts are expected to adopt the specifications of the Data Act or draft harmonized standards that meet essential regulatory requirements. Future Commission Implementing Acts aim to establish common specifications that will enhance interoperability and ensure compliance with smart contract usage. Furthermore, the Commission intends to adopt delegated acts that introduce a monitoring mechanism for switching charges in the market of data processing service providers.

With the EU Data Act now fully applicable and the CRA entering into force soon, as an IoT manufacturer you might face overlapping compliance demands. It’s time to align both compliance paths. Read how Tributech’s IoT Middleware helps you get there in "Two Regulations, One Middleware".

What Are the Chapters of the EU Data Act and Why Do They Matter?

The regulation is divided into eleven chapters, each addressing different dimensions of data access, sharing, and governance. Below is a summarized outline of Regulation (EU) 2023/2854 to clarify its legal framework.

  • Chapter I – General Provisions: Establishes the scope: applies to data from connected products and related services; ensures fair access, use, and sharing of such data.

  • Chapter II – Rights and Obligations Regarding Access to Data: Grants users the right to access and share data they generate; obliges data holders to provide it in usable formats while protecting trade secrets and IP.

  • Chapter III – Obligations to Make Data Available to Public Sector Bodies: Allows authorities to request data in emergencies or public interest tasks, with safeguards and compensation for data holders.

  • Chapter IV – Unfair Terms Related to Data Access and Use: Prohibits exploitative contract terms imposed on SMEs; shifts the burden to prove fairness onto larger parties.

  • Chapter V – Making Data Available in Exceptional Need: Defines the legal basis and process for public bodies to access private data in urgent cases, under strict necessity and proportionality.

  • Chapter VI – Switching Between Data Processing Services: Mandates cloud and service providers to enable easy, fee-free switching by 2027; promotes interoperability.

  • Chapter VII – International Access and Transfer of Non-Personal Data: Restricts non-EU access to EU-stored non-personal data; requires safeguards and transparency on foreign government requests.

  • Chapter VIII – Interoperability Requirements: Requires open technical standards and APIs to ensure systems and services can exchange and use data seamlessly.

  • Chapter IX – Implementation and Enforcement: Member States must designate authorities to enforce rules; supports dispute resolution and cross-border cooperation.

  • Chapter X – Sui Generis Database Right: Prevents database rights from being used to block access to connected product/service data.

  • Chapter XI – Final Provisions: Confirms full applicability as of September 2025, allows technical rules by the Commission, and aligns with other EU digital laws.

What happens if you don't comply with the EU Data Act?

Failure to comply with the EU Data Act can result in significant fines for organizations operating within the European Union or providing services to EU citizens. While the act does not specify fines at the EU level, it requires each member state to establish its own enforcement rules, including penalties that are effective, proportionate, and dissuasive. Depending on the country, an organization may face administrative fines similar to those under the GDPR, which can reach up to €20 million or 4% of annual global turnover.

Beyond financial penalties, companies that do not comply may face legal liability. This can involve lawsuits from individuals or organizations harmed by the failure to provide or share data as required by the act. Businesses may also face contractual disputes if they prevent partners from exercising their rights to use or receive data.

What Does the Data Act Mean for IoT Device Manufacturers?

Why IoT Device Manufacturers Are in the Spotlight

Among all affected parties, IoT product developers and connected device manufacturers are perhaps the most significantly impacted. Their devices generate vast amounts of real-time, actionable data, and until now, much of that data remained locked within proprietary platforms. The Data Act changes that dynamic by making data access a right of the user and placing manufacturers under clear legal obligations.

Under the regulation, users must be granted access to the data their devices generate, whether they own, lease, or rent the product. Beyond that, they are empowered to authorize third parties, such as independent repair shops, analytics firms, or even competitors, to access this data on their behalf. These third parties, however, must respect strict usage boundaries and cannot exploit the data for unintended purposes.

One of the most impactful shifts is the requirement that data be shared in a structured, machine-readable format. This eliminates the use of vendor-specific formats that have long served as barriers to portability. Enabling data portability across services supports one of the Data Act’s key goals: simplifying the process of moving from one cloud provider to another.

[Figure: Data Act Data Ecosystem]

Data Accessibility, Transparency, and Protection

Manufacturers must now design their products and services with accessibility in mind. Data must be made available through user-friendly mechanisms, ideally via automated interfaces. Furthermore, before a sale or lease is finalized, manufacturers must disclose what kind of data will be generated, how it can be accessed, the format it will take, and how much of it to expect.

These pre-contractual obligations elevate data access into a critical product differentiator. Manufacturers who provide clear and flexible data access mechanisms, such as structured APIs or SDK integrations, will likely be favored by increasingly data-conscious buyers.

The regulation includes provisions to protect manufacturers’ intellectual property and trade secrets. However, these protections cannot be used to unjustifiably block access to data. Manufacturers must show clear and serious economic harm to withhold access. Any sharing of personal data must adhere to GDPR standards, which means implementing consent mechanisms and ensuring anonymization where applicable.

The regulation also includes anti-competition safeguards that prevent third parties from using shared data to develop competing products, protecting manufacturers' innovation while still enabling healthy data flows.

Challenges for Manufacturers

Meeting these obligations will require significant investments in IoT data infrastructure, cybersecurity, and compliance systems. Smart device manufacturers will need to develop robust consent management tools, ensure end-to-end data integrity, and implement standardized APIs or SDKs for compliant access.

Another challenge lies in ensuring that third parties do not misuse the data. Manufacturers must create contracts that clearly define what data can be used for, how it can be accessed, and what protections are in place to prevent competitive exploitation.

Finally, while there is no general obligation to improve the quality of shared data, manufacturers must ensure that the data they provide is as complete, accurate, and reliable as what they use internally.

Turning Compliance into a Competitive Edge

While the EU Data Act introduces a host of new obligations, it also offers forward-looking manufacturers a powerful opportunity to stand out. Companies that prioritize transparency, design for data access, and embrace secure interoperability will not only comply with the regulation but will also earn the trust and loyalty of increasingly data-conscious consumers.

A unique selling point now lies in transparency: showing customers how their data is generated, accessed, and formatted even before a sale is made. By leading in areas like IoT data transparency, access reliability, and user empowerment, manufacturers can differentiate themselves in a market where data practices are becoming a key purchasing factor.

The EU Data Act is not the only regulation reshaping connected products in Europe. Discover more in "The 4 EU Regulations Are Redefining IoT and OT Products: Navigating CRA, ESPR, Data Act, and AI Act".

How Tributech Can Help

At Tributech, we understand that meeting the EU Data Act requirements is both a technical and strategic challenge. We provide a foundational data and digital twin infrastructure platform for secure, interoperable IoT/OT environments, helping organizations not only comply with regulations but also gain a competitive edge through trust and transparency.

Beyond the EU Data Act, Tributech supports companies in addressing broader challenges like the Cyber Resilience Act by delivering the middleware, data infrastructure, and access controls needed for secure, compliant, and future-proof IoT solutions. We empower organizations to build trusted and resilient IoT ecosystems that are ready for both today’s and tomorrow’s regulatory and operational demands.

Get in touch with Tributech to discover how our IoT & OT data middleware platform can help you build a secure, future-ready data ecosystem.
