Data Act and connected objects: new rights for users, new obligations for manufacturers

Adopted on 23 February 2022, Regulation (EU) 2023/2854, known as the Data Act, will gradually take effect starting from 12 September 2025. This text marks a turning point in European data regulation, establishing a comprehensive legal framework dedicated to the access, sharing and use of industrial data.

While the GDPR (General Data Protection Regulation) focuses on the protection of personal data, the Data Act complements this framework by addressing industrial data, i.e. data generated by connected objects and their related services. This includes data obtained, generated, collected or stored by these products or related services (hereinafter referred to as "IoT data").

The European legislator has two primary objectives:

  • to facilitate access to IoT data for users and businesses, and
  • to promote fair competition by preventing the concentration of IoT data among a few dominant players.

The two regulations may apply concurrently.

Indeed, many situations involve a combination of these two data types. For example, a connected vehicle generates technical performance data, such as data related to engine operation (non-personal), and location data linked to the user (personal). In this case, sharing this IoT data with third parties must comply with both the Data Act and the GDPR. The two regulations may also conflict on specific issues, in which case the GDPR takes precedence over the Data Act.

I. Scope and involved stakeholders

Many stakeholders are affected by the Data Act. Specifically, it applies to the following entities and individuals:

  • Data holders: the entity that has the right or obligation to use and share IoT data (Article 2.13). These are most often manufacturers of connected devices, but may also include related service providers. These data holders include:
      • Manufacturers of connected products, such as smart home appliances and objects linked by electronic communication services (Recital 14).
      • Providers of services related to a connected product (Recital 17).
  • Users: individuals or businesses that use these products or services (Recital 5).
  • Recipients: third parties (professionals, external service providers) (Article 2.14). These recipients may only use the data for the purposes agreed with the user and must not use it to develop a competing product (Article 6.2.e).
  • Public entities that access data for public interest purposes (Recital 69).

This broad scope demonstrates the ambition of the regulation: to establish a genuine single market for IoT data in Europe.

II. Gradual implementation

The regulation will be implemented gradually, in accordance with the mechanism set out in Article 50:

Starting 12 September 2025:

  • The obligations related to new data-sharing contracts (Chapter IV, which prohibits unfair contract terms) become mandatory for contracts entered into after that date.
  • The general rules on data availability (Chapter III) will start to apply to national legislation adopted after that date.

From 12 September 2026:

  • The obligation under Article 3.1 to make data related to products and services accessible to users will apply to products and services placed on the market after that date. Products already available on the market will not be subject to this requirement.

Starting 12 September 2027:

  • The contractual rules in Chapter IV will also apply to contracts signed before 2025, but only if they are of indefinite duration or extend beyond 2034.

III. Users' rights and data holders' obligations

The Data Act grants new rights to users:

  • Right of access: users of connected products and related services have the right to access, free of charge, the data they co-create when using connected products or related services (Article 4).

For example, a user buys a washing machine and installs an app that measures the environmental impact of the wash cycle using sensor data from inside the machine and adjusts the cycle accordingly. This feature would be considered a related service. The user will therefore be able to access the data from this related service.

  • Right to portability: users also have the right to have their data transferred directly to a third party of their choice at no cost (Article 5).

For example, a smart electricity meter user can view their energy consumption history and request that this data be sent to a competing supplier to get a personalized offer.

These rights should not be confused with those provided for in the GDPR:

  • The GDPR grants a right of access (Article 15 of the GDPR) only to individuals, and only to their personal data.
  • The Data Act extends this right to industrial data and information generated by the use of connected devices or related services, whether personal or not.

Data holders, including manufacturers of connected devices and providers of related services, will have to establish technical interfaces (APIs, secure platforms) to enable access and sharing in a transparent manner, without excessive costs or technical barriers.

IV. Sanctions and the role of national authorities

There will be close monitoring of compliance with these new obligations. Article 33 of the Data Act states that the supervisory authorities appointed by each Member State—such as the CNIL in France and possibly other sector-specific authorities—will have the authority to impose administrative penalties.

These penalties are comparable to those provided for in the GDPR: fines of up to €20 million or 4% of the company's annual global revenue, whichever is higher (Article 40 of the Data Act, which refers to Article 83(5) of the GDPR).

Companies that hold industrial data will therefore need to prepare for this new framework by adapting their contractual documentation and information systems to avoid significant financial and reputational risks.







