On September 12, 2025, the EU Data Act came into force, marking the most significant piece of data regulation since the General Data Protection Regulation (GDPR). But this isn’t just another layer of privacy law. It’s a fundamental shift in how organisations must manage data from connected devices, digital services and cloud platforms across Europe.
Where the GDPR zeroed in on personal data protection, the Data Act broadens the scope to cover the vast and rapidly expanding world of non-personal, machine-generated data. For businesses, this brings not only new compliance responsibilities but also fresh opportunities to innovate, compete, and create value in Europe’s digital economy.
Data Act vs GDPR
The GDPR and the Data Act are complementary but distinct:
- Scope of data
  - GDPR: Applies only to personal data, that is, any data relating to an identifiable individual.
  - Data Act: Covers both personal and non-personal data generated by connected products and services such as IoT devices, industrial machinery, vehicles, smart appliances and SaaS platforms.
- Regulatory purpose
  - GDPR: Protects fundamental rights of individuals and ensures lawful, fair and transparent processing of personal data.
  - Data Act: Ensures fair access, use and portability of data to prevent monopolisation and boost competition and innovation.
- Rights granted
  - GDPR: Data subjects (individuals) have rights to access, correct, erase and port personal data.
  - Data Act: Users (owners, renters or lessees of connected devices) gain rights to access and share the data their products generate, including industrial or operational data, not just personal data.
- Impact on businesses
  - GDPR: Mainly affected companies dealing with consumer or employee data.
  - Data Act: Casts a much wider net, impacting manufacturers, SaaS and cloud providers, platform operators, data aggregators, and even non-EU companies placing connected products or services on the EU market.
Why this matters
This regulatory expansion matters for several reasons. First, it closes a critical gap left by the GDPR. While the GDPR transformed personal data protection, it did not regulate machine-generated or industrial data, allowing large tech and industrial players to hoard valuable information. The Data Act corrects this imbalance by giving users and smaller businesses more leverage.
It also creates new economic opportunities. By granting users the right to access and share their data, the Act opens the door to secondary markets and innovation. A clear example is in the automotive sector, where car owners can authorise third parties such as repair shops or insurers to use vehicle data, breaking the monopoly of manufacturers and encouraging competition.
Finally, the Data Act strengthens Europe’s strategic autonomy. It limits unlawful foreign access to EU data and introduces safeguards for trade secrets and confidential information, reinforcing Europe’s commitment to digital sovereignty.
Does the Data Act apply to me?
The Data Act applies broadly across industries and geographies:
- Manufacturers of connected products: From wearables and smart appliances to vehicles and industrial equipment
- Service providers: SaaS, PaaS (Platform as a service), IaaS (Infrastructure as a service) and edge computing providers linked to connected products
- Data holders and recipients: Manufacturers, platforms, aggregators and any party storing or receiving user data
- Non-EU companies: If you place connected products on the EU market or provide data services to EU/EEA users, you are in scope
- Public authorities: May request access to private-sector data during emergencies or for public interest purposes under fair and proportionate conditions
Compliance deadlines
- September 12, 2025: Core obligations take effect, including user access rights and contract fairness rules for new agreements
- September 12, 2026: Interoperability and portability obligations for cloud and edge services come into force
- September 12, 2027: Contract fairness rules extend to pre-existing contracts; full portability standards apply
Key obligations for companies
- User data access and portability
  - Provide users with free, structured, machine-readable access to their device- or service-generated data
  - Enable easy transfer of data to third parties at the user’s request
  - Remove barriers to switching between cloud providers
- Transparency
  - Clearly explain what data is collected, how it’s used, retention periods and who has access
  - Update pre-contractual disclosures to reflect new requirements
- Contractual fairness
  - Ban unfair contract terms in B2B agreements that limit data access or shift liability disproportionately
  - Prepare for the staged application of these rules: 2025 for new contracts, 2027 for existing ones
- Safeguards
  - Protect trade secrets and confidential data with technical, legal and organisational measures
  - Implement strong IT security to prevent unauthorised access, including from foreign authorities
- Governance and coordination
  - Separate personal from non-personal data to comply simultaneously with GDPR and the Data Act
  - Align compliance efforts across legal, IT, product and commercial teams
What companies should do now
- Run a gap analysis: Identify which products, services and contracts fall within scope.
- Map your data: Understand what data your devices or services generate and where it flows.
- Update policies and procedures: Build processes for user data access, sharing and portability.
- Review contracts: Check and amend terms with suppliers, partners and customers to meet fairness requirements.
- Enhance security: Ensure safeguards around trade secrets and non-personal data.
What’s next?
The EU Data Act is set to reshape Europe’s digital economy much like the GDPR did in 2018, though in a broader, more structural way. For organisations, compliance is not optional. Those that fail to prepare risk legal exposure, operational disruption and a loss of market trust.
Yet the Act is not just about obligations; it also creates opportunities. Small and medium-sized enterprises will finally gain protection against unfair contract terms imposed by larger players. Users, meanwhile, will be empowered to unlock the value of their own data, fuelling innovation and enabling better services. And companies that move early, by adapting their contracts, processes and systems now, will not only reduce regulatory risk but also reassure customers and strengthen their competitive position in Europe’s rapidly evolving digital marketplace.