EU Data Act (part 2): The drive to make data more accessible

On 12 September 2025, the EU Data Act brought in new data access rights for EU based users of connected products and related services with the aim of making data (particularly industrial data) more accessible, usable, and to encourage data-driven innovation. For part one of this EU Data Act series, which looks at new rights to switch cloud services provider of the EU Data Act, click here.

The European Commission’s guidance explains “connected products” are those items that can generate data about their use, performance, or environment and that can communicate this data via a connection, eg, connected cars, fitness trackers, to smart fridges, which are often known as IoT (Internet of Things). “Related services” are digital services that can be linked to the operation of a connected product which affects the functionality of this connected product, eg, an app to adjust the brightness of lights or to regulate the temperature of a fridge.

Does this affect me?

The Act applies to any entity that places connected products or related services on the EU market. The obligation to make data accessible applies to “data holders”. In practice, this often means the organisation that manufactures a connected product (but not necessarily – it could also, for example, be the organisation that provides a related service). Equally, if you are a business with operations in the EU that uses connected products and related services, you now have new rights to obtain and leverage the value of your data.

What do I have to do?

To ensure compliance with the new duties, the Act requires data holders to:

1. Make data directly accessible to users by design, ie, in a manner that allows users to access the data and related service data from 12 September 2026, free of charge (where relevant and technically feasible).
2. Make data accessible to users free of charge (where it is not made accessible directly).
3. Make data available to third parties such as repair services, analytic providers, and even competitors at a user’s request, subject to charging a reasonable fee.

The type of data that can be made available is extensive, but broadly speaking this encompasses product data, related service data, raw and pre-processed data, personal (subject to the GDPR rules) and non-personal data, but not trade secrets which continues to be governed under separate legislation.

Neither the Act nor the EU imposes direct penalties for non-compliance as national authorities have the discretion to lay down their own rules for enforcing the Act, but they must be “effective, proportionate, and dissuasive”. We’re yet to see how each state will interpret enforcement, but we expect similar interpretations to the GDPR. For example, the Dutch authority has indicated that they will implement a fine of €1m Euro or 10% of the annual turnover of the infringing entity.

Practical tips

If you are the organisation sharing data (rather than requesting it), you will need to:

1. Audit the data your users generate and implementing technical measures to enable users to access and share it.
2. Update your terms and conditions to align with the Act’s requirements.

How can we help

Although Mills & Reeve is a UK law firm, we take an active interest in laws beyond our borders where they affect our clients. Our information technology and data lawyers can advise you on the scope of your obligations under the Act and update your standard terms to ensure that you are compliant.