Skip to content

What is the EU Data Act and what data access does it enable?

The Data Act (EU Regulation 2023/2854) is intended to enable access to data gathered by IoT devices1 from their surroundings. The regulation specifically addresses connected products and related services.

Data access can be achieved in two ways: Access by Design or by a data access right, either for users or on their behalf for third parties.

The basic idea is: The Data Act simplifies access to data from IoT devices, either through direct access or via a statutory right to an API. However, there are certain exemptions.

The EU Data Act will come into force in September 2025.

Covered data

The Data Act only covers certain data types and the associated metadata.

Data

The Act covers only raw data. Derived data and data obtained through “sensor fusion” are excluded because they represent an independent value-added process (e.g. the applied algorithm). Likewise, data about “content”, i.e. information that is copyright-protected, is not covered. Note that most data is not legally protected (→ see Data Rights).

Data that has been processed is covered as long as the processing does not involve a substantial investment by the data holder.

Metadata

All data access rights in the Data Act also capture the metadata associated with the data. These are data that describe the content or usage of other data (Art. 2 Nr. 2 DA) and are necessary to use or interpret the data.

They also include information that explains what a particular datum or value represents.

Data access

Access by Design

The Data Act focuses on direct and immediate access to data on the device (Art. 3 DA). Only when this is not available do the rights for data access apply.

When purchasing a connected product or a connected service, users must be informed about the data the device generates.

Data Access for users and third parties

If direct access to the device’s data is not possible, the user has a statutory right to access the data (Art. 4 § 1 DA).

This right is more limited than direct access. Data can be refused for three general reasons:

  • Protection of trade secrets
  • Data protection
  • Security interests

However, data access cannot be refused purely for these reasons. For example, a refusal based on trade secrets is only allowed if no other protective measures (e.g. safeguards by the user) are feasible (Art. 4 §§ 6-8 DA).

Additional circumstances may lead to refusal or restriction of data access:

  • The data holder is a small or medium-sized enterprise (Art. 7 § 1 DA)
  • Data exchange would violate the antitrust prohibition of Art. 101 TFEU, Recital 116 DA
  • The data recipient is a gatekeeper as defined by the DMA (Art. 5 § 3 DA), e.g. Google or Amazon

The user is the entity that either uses or owns the connected product or uses the related service. Because connected products focus on usage, temporary usage (e.g. rental) is also covered, which is reflected in the information obligations in Art. 3 § 2 DA that explicitly reference rental or leasing.

Under similar conditions, the transfer of data to third parties (e.g. research institutions) can be required. This is subject to the same restrictions. Additionally, the data holder may demand compensation from the third party when data is transferred within a commercial relationship between companies (Art. 8 § 1 DA).

Contributors

Constantin Breß ORCID icon

(Last Update: 2025-09-25)

How to cite this page?

Breß, C. (2025). EU Data Act. FARagro Knowledge Base. https://knowledgebase.fairagro.net/en/legal/access. Unter: CC BY 4.0.

CC BY Logo

  1. IoT stands for Internet of Things. It refers to the network of physical devices equipped with sensors and software that can communicate with each other via the internet.