A Closer Look: Europe’s Data Act and What It Means for Companies in the EU
Europe is done with locked data vaults. With the EU Data Act, the European Union is launching an attack on the data silos of tech giants and establishing new rules of the game for companies. This isn’t just dry legislation—it’s a true paradigm shift: data access rights are designed to ensure that the data we generate benefits us too, not just big corporations hoarding it. It may sound abstract, but it affects nearly everyone, from industrial companies to start-ups. What’s behind it? What obligations do companies face? And why does Europe see this as a path to digital sovereignty? Let’s explore Europe’s new data revolution.
Quick Overview
The Data Act (an official EU regulation) is part of the EU’s broad digital strategy and entered into force in January 2024. It will become binding on September 12, 2025, giving companies a transition period to prepare. Its declared goal is to ensure fairness in the data economy and allow users to extract value from the data they generate—in short, to rebalance the power dynamics around data. Currently, massive amounts of information from connected devices and services flow one-sidedly to manufacturers and platform operators. The EU estimates that around 80% of industrial data remains unused—a treasure trove of potential. The Data Act aims to unlock this data and make it more widely usable by clearly regulating who has access to which data.
The law specifically requires companies to give users more access to the data they generate. It complements previous initiatives like the Data Governance Act (which facilitates voluntary data sharing) and aligns with a series of EU regulations (from the GDPR to the Digital Markets Act), all aimed at boosting Europe’s digital sovereignty and reducing dependencies. The Data Act is not a toothless tiger—it carries real weight, including substantial penalties for non-compliance (up to €20 million or 4% of global turnover, similar to the GDPR). In short: break data monopolies, ease data flow, strengthen user rights—that’s the mission.
Data Access Rights: Users Take Control
Imagine buying a fancy electric car filled with sensors. It generates battery data, driving behavior, location info—tons of data every day. Until now, this data mostly ended up with the manufacturer. The Data Act flips the script: any data generated by a connected product must, by default, be accessible to the user. As the owner (or renter/lessee), you gain a legal right to the usage data you generate—and not eventually, but in real time, directly from the device ("accessibility by design"). Manufacturers must design their devices and software to allow users to access their data without needing to beg support teams.
If real-time access isn't yet available (which will often be the case initially), users have the right to request raw usage data. Companies must provide it—free of charge, in a usable format, and including essential metadata (like timestamps) to make it valuable. That’s not all: users can also instruct that their data be shared with third parties of their choice. Want your car’s data sent to an independent garage or insurance provider? The manufacturer must make it happen. The idea is to give users full control over who benefits from their usage data—enabling maintenance services, analytics start-ups, or other innovations.
Sensitive interests remain protected. Companies are not required to share more than raw usage data. Derived insights (analytics, proprietary algorithms, etc.) are excluded. Business secrets and security risks can justify refusing access—but must be well justified and reported to authorities if necessary. Privacy laws (GDPR) and competition law also apply. And in a dig at Silicon Valley: data cannot be shared with “gatekeeper platforms” like Apple, Google, Amazon (per the Digital Markets Act)—to keep Big Tech from re-consolidating data power.
Data users have obligations too: you or a third party can’t misuse data to create competing products. Meanwhile, manufacturers can’t just freely use the data they collect—you must give contractual permission. A quiet revolution: companies used to treat data as their property; now they must share control with those who generate it through use.
New Duties: What Companies Must Do
For companies—especially connected product manufacturers and digital service providers—the Data Act brings a cultural shift. They must adapt technologies and processes to meet access rights. Key obligations include:
1. Data Access by Design: New connected products released in the EU from September 2026 must allow users to access usage data directly and in real time. The era of "black box" devices is ending. Devices must include features like app interfaces or APIs to export data. Designers must build this into product development from the start.
2. Data on Demand: For existing products, companies must be ready by September 2025 to provide relevant usage data upon request. This requires reviewing internal data flows: what data is collected, where it's stored, and how it can be extracted and delivered. All of this must be done free of charge—no download fees allowed.
3. Interfaces & Formats: Data must be shared in standard, machine-readable formats to ensure it’s usable. No dumping in obscure formats. Standard APIs and interoperability become competitive advantages—tech creativity is essential here.
4. Transparency and Contracts: Customers must be clearly informed—before purchase—what data is generated and how it can be accessed. No more secrecy: if you sell a smart home device, you must disclose what it logs and stores. Contracts should specify access rights, and unfair terms are banned. The Act prohibits clauses that force small partners into lopsided data sharing agreements.
5. Internal Organization & Security: Companies must create internal processes to handle data requests quickly and securely. That includes workflows, employee training, and perhaps self-service portals. Data security remains critical—access must be authorized and protected. Encryption and audits are encouraged. Cloud and data service providers must implement robust security measures to prevent unauthorized access.
Small businesses are given some leeway, but big players—multinationals and large SMEs—are clearly targeted. The goal: rebalance power. Until now, manufacturers/platforms held all the cards. Now, users and smaller players gain new leverage.
What If Companies Ignore the Rules?
Penalties will be enforced by national authorities—in Germany, this falls to the Federal Network Agency. From autumn 2025, regulators will be watching: which companies refuse to share data? If a company denies access, enforcement can follow, with fines up to 4% of global turnover. Bottom line: the EU is serious. Companies must now prepare—review legacy systems, organize data assets, and build technical infrastructure for data sharing—or face a bumpy road ahead.
Why (Almost) Every Company Is Affected
You might think: "This only concerns tech or IoT companies; my analog business is fine." Think again—data is everywhere, and the Data Act applies across sectors. Reasons why almost all companies are affected:
- Devices and machines are everywhere: From smart tractors to connected trucks to intelligent ovens—every sector uses connected tech. If you use such devices, you gain rights. If you produce them, you must comply.
- Cloud and software services: Virtually every business uses cloud services. The Data Act bans vendor lock-in. Cloud providers must remove barriers to switching—no more outrageous “egress” fees. By 2027, data extraction must be free, fast, and frictionless. For customers, this boosts bargaining power. Providers must adapt.
- B2B data and contracts: The Act mandates fairness in business partnerships. Big firms can no longer dictate unfair data-sharing terms. Start-ups and SMEs may benefit. All companies should review their standard contracts for compliance.
- Public sector & emergencies: In crises (health emergencies, natural disasters), authorities may access private data if it's urgently needed. Critical infrastructure firms should be ready to provide this data. The Act ensures that data serves the public good in emergencies.
Almost no business can say “this doesn’t affect me.” Data is embedded in nearly every business model. The EU expects the Data Act to unlock a vast pool of unused data and drive innovation—across Industry 4.0, smarter transport, and personalized services. But that only works if companies embrace the rules. Those who resist risk not just penalties, but falling behind. Others will seize the opportunity. European businesses should view the Data Act not just as a compliance hurdle, but as a chance to rethink their data strategies.
Now is the time to ask: What data do we generate—and how can we share it for greater mutual benefit? Where do we consume data—and how can we assert our rights?
Whether the Data Act meets its lofty goals remains to be seen. One thing is clear: Europe is entering uncharted territory. The next few years will be an experiment in reshaping the economy through new rules of data access. Will it be a revolution that breaks open entrenched silos? Or a sobering reminder of regulation’s limits? Either way, the EU has made a bold statement—against data monopolies, for a more sovereign digital future.
The tracks are laid. Now it's up to companies and innovators to get the train moving.