EU Data Act Compliance: Complete Implementation Guide

Updated January 28, 2026

The EU Data Act introduces sweeping obligations for manufacturers of connected products and IoT devices. Effective September 12, 2025, the regulation mandates user data access, data sharing with third parties, and strict security requirements. This guide covers everything manufacturers and data providers need to achieve compliance.

What is the EU Data Act?

The EU Data Act (Regulation 2023/2854) establishes rules on who can access and use data generated by connected products and IoT devices. It addresses data access rights, data sharing obligations, switching between cloud services, and safeguards against unlawful data access by government authorities. The regulation aims to unlock the value of industrial data while protecting trade secrets and ensuring fair competition.

Who Must Comply with the EU Data Act?

The Data Act applies to manufacturers of connected products placed on the EU market, providers of related services, data holders, data recipients, and cloud service providers. A "connected product" is any physical item capable of obtaining, generating, or collecting data about its use or environment and communicating that data via electronic communications services, physical connection, or on-device access. This includes industrial machinery, smart home devices, connected vehicles, agricultural equipment, medical devices, and consumer electronics.

Article 4: User Data Access Rights

Article 4 grants users comprehensive rights to access data generated by their connected products. Manufacturers must provide data "free of charge, in an easily accessible, structured, commonly used and machine-readable format, continuously and in real-time where technically feasible, or where not feasible, without delay." Users can access data directly from the product or through interfaces provided by the manufacturer. The format requirement typically means JSON or XML for structured data.

Real-Time Access Requirements

Where technically feasible, manufacturers must provide continuous real-time data access. Technical feasibility considers the product's computational capacity, connectivity limitations, and battery constraints. For products with limited connectivity (e.g., intermittent cellular coverage), batch synchronization may be acceptable.

Data Retention Obligations

Manufacturers must retain data for reasonable periods enabling user access. While the regulation doesn't specify exact retention periods, manufacturers should retain data for the product's functional life or longer if technically feasible. Users have the right to access historical data generated during their ownership.

Article 5: Third-Party Data Sharing

Article 5 requires manufacturers to enable users to share their product data with third parties of their choice. This includes sharing with authorized repair services, maintenance providers, alternative service providers, and data analytics platforms. Manufacturers must provide secure mechanisms for third-party data access, verify recipient credentials, and log all data sharing activities. The manufacturer cannot impose unreasonable conditions on third-party access.

Article 6: Trade Secret Protection

Article 6 allows manufacturers to refuse data access requests that would disclose trade secrets. However, protection is limited: manufacturers can only withhold data that would directly disclose trade secrets, must provide as much data as possible without revealing secrets, and cannot use trade secret protection to prevent competition. Technical data like calibration algorithms may be protected, but operational data generated by products generally cannot be withheld on trade secret grounds.

Technical Implementation Requirements

Manufacturers must implement "data by design" for products placed on the market after September 12, 2026. This means building data access capabilities into the product from inception. Required technical measures include: secure data access APIs, user authentication mechanisms, consent management systems, data format standardization (JSON preferred), API documentation, third-party recipient onboarding processes, access logging and audit trails, and data transmission encryption.

Consent Management and User Control

Users must be able to grant, modify, and revoke consent for data sharing at any time. Consent interfaces must be clear, easy to use, and allow granular control over data types and recipients. Manufacturers must implement dashboards showing active data sharing arrangements, recipients accessing data, data types shared, and consent expiry dates. Consent withdrawal must take effect immediately (or with reasonable delay for technical implementation).
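The consent model described in the two sections above (per-recipient, per-data-type consent with an expiry, immediate effect on withdrawal, and an audit entry for every access decision) as a small Python example. This is an added illustration, not code from the page or from Fiskil; the class and function names, the data-type labels and the sample identifiers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Consent:
    """One consent record: which recipient may read which data types, until when."""
    user_id: str
    recipient_id: str
    data_types: frozenset
    expires_at: datetime
    revoked: bool = False


class ConsentRegistry:
    """Hypothetical consent store; every authorization decision is appended to audit_log."""

    def __init__(self):
        self._consents = {}   # consent_id -> Consent
        self.audit_log = []   # one entry per authorize() call, allowed or denied

    def grant(self, consent_id, user_id, recipient_id, data_types, expires_at):
        self._consents[consent_id] = Consent(user_id, recipient_id, frozenset(data_types), expires_at)

    def revoke(self, consent_id):
        # Withdrawal takes effect immediately: the next authorize() call already denies.
        self._consents[consent_id].revoked = True

    def active_consents(self, user_id, now):
        """Dashboard view: live arrangements for a user (recipient, data types, expiry)."""
        return [c for c in self._consents.values()
                if c.user_id == user_id and not c.revoked and c.expires_at > now]

    def authorize(self, user_id, recipient_id, data_type, now):
        """Allow only if a live, unrevoked consent names both this recipient and this data type."""
        allowed = any(c.recipient_id == recipient_id and data_type in c.data_types
                      for c in self.active_consents(user_id, now))
        self.audit_log.append({"at": now.isoformat(), "user": user_id, "recipient": recipient_id,
                               "data_type": data_type, "allowed": allowed})
        return allowed


def demo():
    """Constructed walk-through: in-scope read, wrong data type, wrong recipient, expiry, revocation."""
    reg = ConsentRegistry()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    reg.grant("c1", "user-42", "repair-shop", {"telemetry"}, expires_at=t0 + timedelta(days=30))
    results = [
        reg.authorize("user-42", "repair-shop", "telemetry", t0),                        # True
        reg.authorize("user-42", "repair-shop", "location", t0),                         # False: type not granted
        reg.authorize("user-42", "analytics-co", "telemetry", t0),                       # False: recipient not named
        reg.authorize("user-42", "repair-shop", "telemetry", t0 + timedelta(days=31)),   # False: expired
    ]
    reg.revoke("c1")
    results.append(reg.authorize("user-42", "repair-shop", "telemetry", t0))             # False: revoked
    return results, len(reg.audit_log)
```

Denied requests are logged alongside allowed ones, which is what makes the audit trail useful for spotting a recipient probing for data types it was never granted.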

Data Act Compliance Timeline

Key deadlines for EU Data Act compliance:

September 12, 2025 - Main obligations apply (Articles 4, 5, 6 on data access and sharing).

September 12, 2026 - Data by design requirements apply to new products.

September 12, 2027 - Cloud switching provisions and contractual clause requirements fully apply.

Manufacturers should begin compliance projects immediately, as implementation typically requires 8-18 months for complex IoT products.

Frequently Asked Questions

Does the Data Act apply to manufacturers located outside the EU?

The Data Act applies to connected products placed on the EU market and data processing activities related to users in the EU, regardless of where the manufacturer is located. Products sold exclusively outside the EU are not subject to the regulation.

What are the penalties for non-compliance?

Member states must establish penalties that are "effective, proportionate and dissuasive." While specific amounts vary by country, penalties can reach €20 million or 4% of annual global turnover, whichever is higher, similar to GDPR enforcement levels.

Can manufacturers charge users for access to their data?

No, Article 4 explicitly requires that data access be provided "free of charge" to users. Manufacturers cannot impose fees, subscriptions, or other charges for users to access their own product data.

How does the Data Act relate to GDPR?

The Data Act and GDPR operate in parallel. Data Act obligations apply to all product-generated data (including non-personal data), while GDPR applies when data constitutes personal information. Manufacturers must comply with both regulations, and GDPR's stricter requirements prevail when regulations conflict.

Which data formats satisfy the Data Act?

The Data Act requires data in "a structured, commonly used and machine-readable format." While not mandating specific formats, JSON and XML are widely accepted. Manufacturers should avoid proprietary formats and provide API documentation for data access.

Do products already on the market have to comply?

Products already on the market before September 12, 2025 must comply with Articles 4 and 5 (user access and third-party sharing), though enforcement may be proportional to technical feasibility. Only "data by design" requirements (Article 3) apply exclusively to new products from September 12, 2026.

Can manufacturers impose terms on third-party data recipients?

Yes, manufacturers can require third-party data recipients to agree to reasonable terms covering data security, lawful use, and confidentiality. However, these terms cannot be used to unreasonably restrict competition or prevent users from exercising their data sharing rights.

© Fiskil 2026. All rights reserved.