The Data Act: Compliance Challenge or Growth Opportunity?
Is your organization ready to turn data regulation into competitive advantage? The EU Data Act is not just about meeting new legal obligations – it opens the door to smarter services, stronger customer relationships, and scalable data-driven business models. For forward-thinking companies, it’s a strategic opportunity to lead the market through transparency, trust, and innovation.
As the regulation reshapes how companies access, share, and control data – especially from IoT products and services – those who prepare early can position themselves ahead of the curve. The Data Act is your chance to transform data access obligations into value-creating assets.
In this article, we outline what the Data Act means in practice, what obligations it brings, and how your business can prepare – not just to comply, but to grow.
The Data Act brings new obligations and opportunities for companies
The EU Data Act introduces significant changes in how companies’ access, share, and use data, particularly focusing on data generated through the use of IoT products and services. Primarily, the regulation targets manufacturers of connected products (IoT devices), who will be obligated to ensure users have access to the data generated by their devices and services. Additionally, the regulation impacts providers of related services.
An area not frequently discussed but equally critical involves the responsibilities of cloud and data processing service providers, such as SaaS companies. The Data Act mandates data portability and simplifies the process of switching between data processing service providers, emphasizing user autonomy and market flexibility.
The Data Act becomes applicable from September 12, 2025. Companies are advised to begin preparations early, viewing the changes not merely as compliance requirements but also as strategic opportunities to receive data, enhance transparency, foster customer trust, and develop innovative data-driven business models.
What does the Data Act mean in practice?
The core principle of the Data Act is straightforward: users should have the right to access and utilize data generated by their use of connected products or related digital services.
Practically, this involves:
- Manufacturers of connected devices (IoT) must ensure that users have easy and direct access to data generated by the devices, even if used outside the manufacturer’s ecosystem.
- Providers of data processing services (including SaaS) must ensure data portability, enabling users to seamlessly transfer their data to other providers without facing undue barriers, additional costs, or artificial technical obstacles.
Contractual considerations and general terms under special scrutiny
The Data Act specifically emphasizes contractual fairness and transparency regarding data use and sharing. Under the Data Act, terms and conditions that unfairly restrict or complicate user rights to access, use, or transfer data could become unenforceable.
Crucially, Data holders must now explicitly agree with users on how data may be used; without such agreements, the data holder may no longer be authorized to use the data after September 12, 2025. This significantly shifts the current practice, where data holders often utilize data without separate user agreements.
As a result, companies must conduct a thorough review and clearly define data usage rights, assign explicit processing responsibilities, and comprehensively address the management of intellectual property rights (IPR), trade secrets, and personal data. Aligning general terms and conditions with the requirements of the Data Act is essential to safeguard fairness and transparency, particularly to protect small and medium-sized enterprises (SMEs).
Preparing for the Data Act in practice
To effectively comply with the Data Act’s requirements, companies should:
- Conduct a data inventory: Clearly identify and categorize data assets, distinguishing between personal data, non-personal data, trade secrets, and other IPR.
- Ensure technical interoperability: Assess and adapt IT systems and infrastructure to support seamless data portability and interoperability as required by the Data Act.
- Update contracts and general terms: Review and amend contracts to ensure compliance with Data Act principles, removing any clauses that unjustifiably limit data portability or usage.
Ultimately, the Data Act offers a valuable opportunity for companies to innovate and build trust. Companies that proactively embrace and prepare for these changes will position themselves advantageously in a market increasingly defined by transparency, data empowerment, and customer trust.
We are pleased to assist with any questions or challenges related to the Data Act and to support your organization in effectively preparing for these new obligations.
Key contacts
Otto Michelsen
Otto Michelsen is an expert in ICT contracts, data protection, and the legal aspects of emerging technologies. He is particularly skilled at guiding clients through data protection compliance, handling authority inquiries, and managing data-related disputes. Otto actively monitors the evolving EU data regulatory landscape and advises international organizations on how upcoming regulations impact their operations. He also supports companies in establishing effective data governance practices.
In addition, Otto has hands-on experience in building compliance programs and navigating complex scenarios involving sanctions legislation.
He holds the CIPP/E and CIPM certifications in data protection, awarded by the International Association of Privacy Professionals (IAPP).
