The EU Data Act (the Act) entered into force on January 11, 2024, but most of its provisions will apply from September 12, 2025. For any organization that designs, manufactures, or uses connected products, provides related services, or utilizes or provides cloud platform services within the EU, the Act is a strategic game-changer. It transforms data ‘owners’ into data holders. The Act gives users and others access to data that was, so far, unknown or unavailable to them and hence unexploited. This shift brought about by the Act tests business models and impacts product design and governance. It is a shift requiring board-level attention.
This alert provides key practical considerations for organizations preparing for compliance with the Act. It also discusses why, taking the UK and the US as examples, the question of ownership and sharing of connected product data is critical for many industries. Indeed, the EU is not the only region regulating in this space, leading to complex compliance challenges for global organizations.
Backdrop to the EU Data Act
The EU is often perceived as the regional bloc that is concerned, more than most other territories, with protecting the sharing of data. While this might arguably be the case in relation to personal data, the European data strategy came with one D-regulation seeking to liberalize rather than restrict the sharing of data: the EU Data Act. The Act is a landmark, cross-sectoral regulation that deals with, amongst other aspects, Internet of Things (IoT) generated data [1]. The Act aims to foster innovation and competition by establishing harmonized rules on who can access and use data generated within the European single market.
From a policy point of view, it stems from the idea that unlocking connected product data should stimulate a competitive (data) market and be an accelerator for growth. Brussels seeks (again) extraterritorial reach so that non-EU-based businesses interacting with the EU market will need to be familiar with the Act’s obligations.
EU Data Act Rollout: From September 2025 to September 2026, and Ultimately September 2027
September 12, 2025 is an important deadline that most organizations familiar with the Act had in mind. But the Act has a phased approach, meaning that its full deployment will be spread over the next three years in accordance with the following milestones:
- except as described below, all obligations kick in from September 12, 2025;
- the obligations related to the design and manufacturing of connected products and related services (for accessibility of data), and statutory data sharing obligations will apply from September 12, 2026; and
- the provisions concerning unfair contractual terms: (i) apply immediately, to contracts concluded from September 12, 2025, and (ii) will apply from September 12, 2027 in respect of contracts concluded on or before September 12, 2025 with an indefinite duration or that are due to expire in at least ten years from January 11, 2024.
Unlocking Industrial Data Potential Is a Vast Undertaking, from IoT to Cloud
Rules surrounding the sharing of data are at the core of the Act. But the Act, which is arguably the most comprehensive framework on this subject globally, spans from IoT data sharing to rebalancing contractual bargains and easing data portability. If you are not familiar with the Act, the key provisions, as well as why it complements existing regimes, such as competition laws, are set out below:
- Data Sharing for IoT: The Act empowers, amongst others, users (both consumers and businesses) of connected products and services, from smart home devices and wearables to industrial equipment, to access the data generated by these connected products and services. If data cannot be accessed directly, the data holder needs to make it available to the user or a third party designated by the user without undue delay, securely, in a machine-readable format. This is primarily intended to stimulate competition in aftermarket services like repair and maintenance.
- Fairness in Mandatory Data Sharing: Where a legal obligation to share data exists, the terms must be fair, reasonable, and non-discriminatory (also referred to as ‘FRAND’). The principle of fairness in mandatory data sharing is closely tied to competition law objectives, particularly in preventing data-driven market concentration and ensuring a level playing field. It is designed to prevent dominant undertakings from using access conditions to entrench their market power, in line with Article 102 TFEU (abuse of dominance). Data holders can request ‘reasonable compensation’ from data recipients, which can cover the costs of making the data available. However, charges to SMEs and non-profits are capped at the direct costs incurred. This requirement reflects a competition-sensitive approach, aiming to lower barriers to entry for smaller players. It should also foster, according to policymakers, innovation across the digital economy. By embedding these safeguards, the Act complements EU competition law by promoting data accessibility without distorting market dynamics.
- Curbing Unfair Contractual Terms: To support SMEs, the Act introduces an ‘unfairness test’ for non-negotiable, take-it-or-leave-it contractual clauses related to data access. It provides a list of terms that are always considered unfair and others that are presumed unfair, shifting the burden of proof for fairness on to the party that imposed the term.
- Data for the Public Good (B2G Sharing): In situations of exceptional need, such as public emergencies (e.g., pandemics and natural disasters) or for specific public interest tasks, public bodies can request access to data held by private companies. These requests are subject to strict conditions, must be proportionate, and require protection for trade secrets.
- Unlocking the Cloud Market: The Act seeks, rather ambitiously, to remove barriers that lock customers into specific cloud and data processing services. In practice, it sets new rules to make switching between providers free, fast, and seamless, banning switching charges entirely after a three-year transitional period.
- Guarding Against Foreign Government Access: The Act provides safeguards to protect data from unlawful access requests by third-country governments, ensuring that EU protection travels with the data. Any transfer of non-personal data to a third country must meet strict conditions, with companies needing to assess whether such requests are valid under applicable EU and Member State law. This is yet another consideration for global organizations to bear in mind in an already prescriptive international data transfer ecosystem.
- Promoting Interoperability: To ensure data can flow seamlessly within and between industries, the Act lays down essential requirements for participants in ‘Common European Data Spaces’ (sector specific frameworks for facilitating data access and reuse) and for the interoperability of data processing services.
- Specific Enforcement Scheme: Although the Act (as an EU regulation) is directly applicable in all Member States, as individual Member States are responsible for its enforcement in their respective jurisdictions, national implementing laws are still required, and these will set the level of national administrative fines. Fine levels must be finalized by September 12, 2025 and must be “effective, proportionate, and dissuasive,” taking into consideration the recommendations of the European Data Innovation Board (EDIB). Despite this, a national fine regime rather than an EU-wide regime means fines could vary significantly between countries for identical offences [2].
For breaches of the various data sharing obligations under the Act (applicable to connected products), authorities may issue fines that could reach the level of those under GDPR (up to €20m or 4% of global annual turnover, whichever is higher).
- Complement to Competition Law: The Act constitutes an important complement to EU competition law for fostering innovation and a competitive data market in Europe. The Act's mandatory sharing requirements are intended to prevent data-driven foreclosure and align with the principles of fair, reasonable and non-discriminatory access under Article 102 TFEU. However, the Act also places limits as to with whom and how data must be shared, for example, to protect trade secrets, cybersecurity, or consumer privacy. If these limits are applied selectively or strategically, dominant firms could use them to deny access to rivals or impose disproportionate technical and contractual hurdles, raising concerns of discriminatory treatment or exclusionary conduct. Conversely, overly broad sharing obligations could also risk facilitating collusion under Article 101 TFEU if competitors use access to coordinate commercially sensitive information. Ensuring that the Act's obligations are applied in a proportionate and transparent way is therefore essential to avoid unintended antitrust risks and to safeguard the pro-competitive objectives of the Act.
Practical Challenges – The EU Data Act Is Testing Existing Practices
- Translating Principles into Practice: Some of the Act’s requirements, such as enabling ‘access by design’, are technically and operationally complex to implement, i.e., how does an organization comply with a requirement to share data without exposing its trade secrets, or what does machine-readable mean in some specific cases? The fact there is still a lack of binding standards or best practices at this stage means organizations are left to their own devices when understanding their obligations under the Act.
The job of in-house legal teams that are adding the Act to the portfolio of digital laws they are responsible for is even more challenging as the operationalization of the Act cannot be approached using GDPR as reference point. Unlike GDPR, which centers on protecting individual privacy, the Act is, according to the policymakers, about unlocking economic value and ensuring fairness in B2B, B2C and B2G data sharing. Data is seen by policymakers as a shared asset; this is fundamentally different from the philosophy of the EU’s privacy regime.
- Lack of Clarity: The legal text of the Act, while comprehensive, is often vague and open-ended, especially in relation to scope, definitions, and the interplay between parties (i.e., who qualifies as a ‘data holder’ versus a ‘data user’ or a ‘data recipient’). Those practical challenges led the European Commission (EC) to publish a set of Frequently Asked Questions (FAQs) in February. While the FAQs are helpful, they still leave many questions unanswered. This requires businesses, individually or collectively through sectoral initiatives, to position themselves and take a stance. This is not an easy task, considering the magnitude of the paradigm shift the Act entails.
Furthermore, the EC is developing (i) non-binding model contractual terms for data sharing agreements, and (ii) standard contractual clauses (SCCs) for cloud contracts to help organizations draft fair and balanced data sharing contracts that include terms on reasonable compensation and the protection of trade secrets. The EC Expert Group on B2B data sharing and cloud computing contracts published their final report (dated April 2, 2025) with templates for various data sharing scenarios. The report is expected to be formally recommended to the EC by autumn 2025. While non-binding, these templates can prove a useful benchmark against organizations’ own templates. Whether they will gain popularity and be widely endorsed remains to be seen. As many stakeholders still face uncertainty, further guidance will likely be needed.
- Overlapping Regulatory Regimes: Another sticking point is the interaction with other legal frameworks, as compliance with the Act often overlaps with product safety, cybersecurity and industry-specific regulation. This is particularly important for manufacturers of connected industrial products, where requirements relating to ‘access by design’ may clash with existing product regulatory compliance obligations. As the threshold for what constitutes personal data under the GDPR is relatively low (i.e., the definition is broad), the Act’s intersection with EU privacy law should not be forgotten. The challenges raised by the Act are not unique on that front, but overlapping requirements always lead to challenges for global businesses. How to take a reasonable approach but one that still mitigates risk exposure often means walking a tightrope.
- M&A Due Diligence: The Act is already making waves in transactional contexts. In M&A and corporate due diligence, we increasingly see questions raised about the target’s preparedness for compliance with the Act, including requests for evidence of the target’s data access policies, governance structure, and contractual arrangements. Companies lacking a clear roadmap for compliance with the Act risk facing negotiations for valuation discounts, delayed closings, and heightened buyer scrutiny.
- Another Patched Enforcement Ecosystem: Compliance with the Act will be monitored by one or more competent authorities designated by each Member State, with a ‘data coordinator’ acting as a single point of contact in countries with multiple authorities. The actual designations face delays across most Member States. As a result, the ability of Member States to enforce the Act is also likely to be delayed. The EDIB has been tasked to help ensure consistent application of the Act across the EU and facilitate cooperation between competent national authorities. It remains to be seen whether a consistent approach will be developed amongst Member States.
The Challenges Go Global – How to Comply with Multiple (and Different) Data Sharing Requirements in the UK and US (and the Impact on Product Design)
One of the challenges for global data-driven organizations is that the Act creates yet another regime for data management beyond the GDPR that is unique to the EU. And it overlaps or conflicts with some other approaches taken regionally. Without any ambitions to be exhaustive, we illustrate the difference in approaches in the UK and in the US in that area.
The UK Landscape: Ambitious Goals, Work In Progress
In the UK, rules applicable to the sharing of data and particularly non-personal and industrial data remain in development. While personal data is comprehensively governed primarily by the UK GDPR and Data Protection Act 2018 (each amended by the Data (Use and Access) Act 2025 (DUA Act)), the legal framework for non-personal data is less defined and, for now at least, relies on a patchwork of intellectual property and competition rules as well as contract law principles.
Nonetheless, rooted in the success of the UK’s Open Banking scheme, which allows for financial data to be shared between banks and third-party service providers, the DUA Act has established powers for the UK government to create a framework for what are termed ‘Smart Data schemes’; part of the UK government’s Industrial Strategy (published in June 2025) to establish the UK as a leader in data-based innovation. These schemes are designed to enable consumers and organizations to share data securely with authorized third parties to foster innovation and competition in industries, such as finance, energy, transport, retail, homebuying services, and telecommunications. Further regulations are necessary to formalize these schemes but, in the meantime, the UK government has opened a public ‘call for evidence’ until September 15, 2025, to obtain stakeholders’ feedback on how to set up Smart Data schemes and address questions such as: what key design features does a Smart Data scheme need to support intended use cases?
The US Patchwork: From States’ Actions to Right to Repair
In the United States, ‘ownership’ and ‘custodians’ of data has been a controversial issue but has largely been resolved on a case-by-case or industry-by-industry basis.
Unlike Europe, the United States typically regulates non-personal information, and its use, through fair trade regulations, contract law, and, at times, statutes related to computer trespass. Data tends to live ubiquitously in computer systems and finding a path to unified treatment of data within organizations may create even greater challenges in the management of large sets of non-personal user data across multiple borders. Companies should be mindful, and flexible, in their management of data to ensure compliance across the multiple regulatory regimes.
To add to the complexity, US regulation of non-personal data is evolving and is currently subject to government regulations, undefined case law, and a hodgepodge of state regulations. For example, the United States is currently handling lawsuits, state and local laws, and Federal Trade Commission-related activities for what are called ‘right to repair laws’. These laws are primarily directed at automobile data, which is valuable to drivers because it can be used in aftermarkets or related markets. Automobiles track considerable data about driving habits, car health, repair history, and even what music is popular. Right to repair regulation is centered on making data related to driving habits and car health available to independent repair shops. Similarly, insurance companies seek access to this valuable information to more accurately provide car insurance rates.
In other cases, aggregated data about video viewing and music listening habits is subject to multiple forms of regulation. Aggregated non-personal data about which streaming shows are popular, used to facilitate better and more accurate advertising or the renewal of shows, and data about the popularity of types of shows are all valuable and subject to different regulatory schemes throughout the United States.
Finally, the absence of protection of commercially valuable data creates further confusion. Data scraping of publicly available information can be subject to regulation and to state and federal laws. Data in the travel industry, website services, property services, social media, and even online grocery store settings are often collected in mass quantities for analytics purposes. While greater clarity is evolving in the United States around the legal protection of such data, considerable uncertainty continues to exist.
What’s Next? Your Connected Products’ Compliance To-Do List
A proactive global approach is the best strategy. Here are some steps organizations are taking that could be incorporated into your own to-do list:
- Map Your Data: Conduct a comprehensive audit to identify and classify the data you hold, particularly data generated by connected products and services. Determine what falls under the scope of the Act. In doing so, be mindful of geography. Know whether your data will virtually touch upon jurisdictions outside of the EU to ensure compliance across borders.
- Review and Redesign: Assess your products and services to ensure they comply with the ‘access by design’ principle. Plan any necessary technical changes (and build multi-stakeholder governance to do so) to facilitate data portability.
- Update Your Contracts: Review all data-related contracts, including standard terms and conditions and supplier agreements, for unfair terms and to ensure that the use of any data shared under the Act is carefully scoped (e.g. as necessary to provide the services or the products, or improve the functioning of a connected product or related service) and the appropriate licensing terms or contractual restrictions, as the case may be, are in place to govern any further use of such data. Use the forthcoming model clauses from the EC to benchmark against your existing practices and set a base position to use as a reference going forwards.
- Establish Governance and Procedures: Develop and implement internal processes for managing and responding to data access and portability requests from users and third parties in a timely manner.
- Safeguard Trade Secrets: Identify your trade secrets and implement robust technical and contractual measures to protect them before entering into data-sharing agreements.
- Enhance Transparency: Prepare clear and comprehensive information for your users about the data generated by your products, how it can be accessed, and their rights under the Act (and for cloud services, any switching charges).
- Train Your Teams: Educate, at a minimum, your legal, compliance, IT, and product development teams on the requirements of the Act to ensure organization-wide awareness and readiness.
As we move towards the September 2025 milestone, challenges around the sharing of connected product data will become even more apparent, as will the knock-on effects for manufacturers of connected devices, cloud service providers and data-driven businesses. The Act is intended to help the EU ecosystem to capitalize on a data-driven world. It represents a strategic opportunity for users to gain access to data. It tests existing business models and product design. Whether it will deliver on its promises remains to be seen; it is for sure disrupting organizations now and going forward.
[1] IoT refers to any product that has software, sensors or other connectivity technologies embedded in it capable of collecting and exchanging data with other products or systems.
[2] By way of example, the initial draft bill of the German implementing legislation (Data Act-Durchführungsgesetz-Entwurf – draft DA-DG) sets fines for certain violations at the higher of €5m or 4% of global annual turnover.