📋 What is the Data Act
Regulation (EU) 2023/2854, known as the Data Act, is a European regulation that governs who has access to the data generated by connected devices (IoT) and cloud services. It came into force in September 2025.
The core idea is simple: if you pay for a device, the data it generates belongs to you too. Not just to the manufacturer. This overturns decades of practice where companies kept data exclusively.
💡 Example: You buy a smart thermostat. Until now, the company kept all the heating data. Now you can request it, share it with a third party (e.g., an energy consultant), or use it to switch providers.
🔌 Which devices are affected
The Data Act covers every “connected product” - that is, every device that collects and transmits data. This includes:
✅ Your new rights
Access to your data
You can request all the data your device generates, in a machine-readable format. The company must provide it free of charge and without undue delay.
Data portability
You can transfer your data to a third-party provider. Want to switch cloud or use a different service? The manufacturer must facilitate it.
Third-party repair
Independent repair shops can access diagnostic data. No more repair monopoly held by manufacturers.
Switching cloud providers
Cloud providers must facilitate the transition. No lock-in, no excessive exit fees, with full data transfer.
💡 Practical examples
🚗 Case: Car & insurance
Before: The insurer had to request data from the manufacturer (expensive, slow).
After: You can provide your driving data directly to the insurer for personalized premiums (pay-as-you-drive).
🌾 Case: Farm tractor
Before: The manufacturer kept the crop data. Only authorized workshops for repairs.
After: The farmer can share data with an agronomist, get repairs anywhere, and use independent management software.
🏠 Case: Smart heating
Before: Locked into one ecosystem. Switching providers = losing historical data.
After: Export consumption history, compare offers with real data, switch without losses.
🏢 What changes for companies
Manufacturers and service providers now have new obligations:
📝 Design for access
New products must be designed so that data is easily accessible by the user (design for data access).
⚡ Fast response
Data requests must be answered “without undue delay” - in practice, within days.
💰 Fair pricing
If there is a charge for access (B2B), it must be reasonable and not constitute a barrier.
🚫 No retaliation
Companies are prohibited from punishing users who request their data (e.g., service degradation, warranty cancellation).
⚖️ Penalties for non-compliance
Member states set the penalties, but the EU requires them to be “effective, proportionate and dissuasive”. In practice:
The Data Act is one of the most significant regulations since the GDPR. It gives users real control over the data their devices generate—and this completely changes the rules of the game for manufacturers and service providers.
Your data. Your devices. Now, the rights are yours too.
OnOff Legal & Tech
We analyze the legislation that affects technology and consumer rights.