What the Data Act Is and Why It Matters
On 12 September 2024, most provisions of Regulation (EU) 2024/2854 – the “Data Act” – entered into force.
This new regulation is a cornerstone of the EU’s data strategy and aims to strengthen Europe’s data economy by making information, particularly industrial data, more accessible and shareable among businesses, users, and public authorities.
In recent years, with the growth of connected products such as smartwatches, smart TVs, and connected vehicles, the amount of data generated has increased exponentially. The Data Act seeks to turn these data into value, while giving users greater control and setting clear rules for those who collect, use, or share them.
Who It Applies To
One of the most notable aspects of the Data Act is its much broader scope than the GDPR.
It applies not only to personal data but also to:
- Metadata – information describing other data (e.g., the creation date or size of a digital file).
- Readily available data – information that can be accessed without complex processing.
- Product data – data generated by connected devices (IoT), not by individuals.
The regulation also introduces new legal definitions:
- The user – a natural or legal person owning a connected product.
- The data holder – any person or entity with the right or obligation to use or make data available, including non-personal data.
Connected Products and Related Services
The Data Act specifically regulates connected products – goods that generate or collect data and can transmit them through a digital or physical connection – and related services, which are necessary for those products to function.
Examples include:
- a car collecting driving behavior data;
- a smart appliance communicating energy consumption;
- a digital service enabling remote maintenance.
Key Obligations for Businesses and Manufacturers
The Data Act introduces new obligations on transparency, portability, and data sharing.
Transparency
Manufacturers and sellers must inform users about:
- the type, format, and volume of data collected;
- the purposes and duration of storage;
- how users can access and download their data.
Portability
Users must be able to:
- switch between cloud providers easily;
- use services from multiple providers simultaneously;
- access and reuse data generated by their devices, including for repair, maintenance, or developing new services.
Data Sharing
Businesses, for example in manufacturing or agriculture, will gain access to data on equipment performance, improving efficiency and productivity.
The regulation also prohibits contracts or clauses that unfairly restrict data sharing.
How to Prepare
The Data Act forms part of an increasingly complex regulatory ecosystem alongside the GDPR, NIS 2 Directive, and AI Act.
Businesses should adopt an integrated approach to compliance, reviewing internal policies, contractual frameworks, and data management processes.
Implementation Timeline and Risks of Non-Compliance
The main provisions of the Data Act will apply from 12 September 2025. It is important to remember that an EU Regulation is directly applicable in all Member States, meaning it automatically becomes part of national law without the need for local implementation measures.
Companies therefore have one year to:
- review their data flows;
- update IT infrastructures;
- and revise contracts, policies, and privacy notices in line with the new requirements.
Failing to comply may result in:
- financial penalties imposed by national authorities;
- operational restrictions for non-compliant products or services;
- reputational risks linked to lack of transparency or poor data governance;
- lost business opportunities in an environment where compliance builds digital trust.
Preparing in advance allows businesses not only to avoid sanctions but also to turn compliance into a competitive advantage, strengthening their data governance and market credibility.
SCAI Legal: Supporting Businesses Through Change
In a constantly evolving regulatory landscape, SCAI Legal assists companies in assessing risks and aligning with new EU data obligations.
From the GDPR to the Data Act, we guide our clients in building secure, sustainable, and compliant data governance frameworks.
Would you like to understand how the Data Act will impact your business?