On 12 September 2025 the EU Data Act starts to apply. From that moment, every manufacturer of a connected product, every provider of a related service, and every operator of a cloud infrastructure in Europe will carry duties that go further than anything the sector has seen. The Regulation entered into force in January 2024, but the real grip begins in September.
On the surface it looks like a data sharing law. In reality it’s an operational, legal and commercial turning point. It reaches deep into industrial IoT, automotive maintenance, fintech, gaming and healthcare devices. It applies to manufacturers of sensors and connected equipment in ports, energy plants and factories. It affects gaming platforms, payment processors, insurers that rely on telematics, and every cloud or software provider delivering services in the European market.
The principle is simple to state and demanding to execute. If your product or service generates data, the user must be able to obtain it. That means the full set of product data, the related service data, and all data generated in the course of use. Access must be timely, free of charge, in a structured and commonly used machine-readable format, and delivered in real time where technically feasible.
In practice, this will alter everyday transactions and service relationships. If you buy a connected car like a Tesla or a BMW with an onboard app, you will be entitled to the full maintenance logs and driving performance data, not just the curated reports in the manufacturer’s portal. If you rent a flat fitted with a Nest smart thermostat, you can ask for the detailed heating and occupancy data it collects, instead of relying on summaries from the landlord or letting agent. If you play on a platform such as PlayStation Network or Steam, you can request your complete gameplay history, purchase records and chat logs in a format you can actually use or share with a third party of your choice.
The Data Act also brings new precontractual duties. If you sell or lease a connected product you must set out clearly, before the deal is struck, what data it will generate, where it will be stored, how and when it can be accessed, and whether access is continuous or periodic. Providers of related services must do the same for the service side. For many businesses, this level of detail has never been part of the sales process. Meeting the obligation will mean setting up clear protocols for identifying what data is generated, how it is stored, and how it will be made available. Sales and account teams will need training to communicate this information accurately and consistently before contracts are signed.
There are also limits to the obligation. Trade secrets and safety concerns can justify withholding or refusing access, but refusals must be substantiated in writing and notified to the competent authority. There’s a path for complaints or dispute settlement where users challenge a refusal. It will no longer be enough to wave intellectual property around without evidence.
The Act also brings new rights for customers of data processing services. Cloud and software providers must allow customers to port data and workloads to another provider and remove obstacles to switching. From January 2027, switching and data egress charges fall away, with limited exceptions. In industries where uptime is critical and migration risk is high, this is both a compliance duty and a competitive threat.
This is where litigation risk gets serious. Article 82 of the GDPR gives a right to compensation for material and non-material damage caused by an infringement. Guidance and case law recognise loss of control over personal data as a form of non-material harm, although courts still test evidence and causation case by case. Where the data you fail to provide includes personal data, expect claims that combine a Data Act breach with a GDPR claim.
We’ve been here before, and it wasn’t pretty. When PSD2 forced banks to open up payment data, the sector spent years fighting every requirement. Compliance was patchy, legal challenges were constant, and enforcement became a battlefield. The same happened when telcos got data portability mandates and even basic number porting turned into regulatory warfare. And we’ve had data portability rights under GDPR since 2018, yet many companies still make it as difficult as possible or deliver data in formats nobody can use. The Data Act’s scope is broader and its requirements deeper than anything we’ve seen before. If banks and telcos fought this hard over narrower obligations, imagine what’s coming when every connected device manufacturer has to open up.
Another flashpoint is the scope of readily available data. The definition covers product and related service data that the data holder lawfully obtains or can obtain without disproportionate effort. Expect discrepancies and possible disputes about whether operational logs or contextual records fall inside that line. The Commission’s updated answers have refined examples and removed timing language, while specialist analyses point to an economic test for what counts as readily available. Intellectual property lawyers will find that some clauses they once leaned on are void or ineffective where the Act requires fair, reasonable and non-discriminatory terms.
To cope with the first wave of enforcement and potential claims, businesses will need much more than a legal briefing. They will have to build a practical process for receiving and delivering data requests in the right format, keep clear records of the information given to customers before a contract was signed, and develop pricing models for business-to-business data access that meet the Act’s standard of fairness. They will also need a clear procedure for handling exceptions based on trade secrets or safety, and a well-rehearsed approach to data portability and switching that works under real-world pressures, all while ensuring any personal data is managed in full compliance with the GDPR.
This is not entirely new territory. When number portability became mandatory in the telecoms sector, operators had to create new systems, train staff, and put in place procedures to handle requests quickly and accurately. It was not enough to understand the rule on paper. The real challenge was making it work in daily operations. The Data Act will demand the same kind of embedded, repeatable processes if companies want to meet their obligations and maintain customer trust. From 12 September 2025, data compliance moves from back office to public battleground. Users, competitors, regulators and claimant lawyers will all be watching. Member States must have penalties and measures in place by that date, and users will be able to lodge complaints with competent authorities. For industries used to controlling the format and timing of operational data this will feel like a change in gravity.
My view is simple. This is the start of a period where data rights and litigation move hand in hand. The businesses that come through strongest will treat compliance as a source of competitive edge rather than a reluctant duty. When everyone must share, the way you share becomes your differentiator.
Article by Dr Ian Gauci