New EU rules on who can access and share data from connected products and cloud services are now live, with major implications for UK firms selling into the bloc.
What Is the EU Data Act?
The EU Data Act is a sweeping piece of digital legislation designed to reshape how data is accessed, shared, and transferred across the European Union. Proposed in February 2022 and adopted in late 2023, it formally came into force on 11 January 2024. Its main provisions, however, only became applicable from 12 September 2025, marking a major shift in Europe’s digital policy landscape.
The Focus
The law’s focus is on non-personal data, particularly that generated by connected devices, such as smart fridges, cars, factory machinery, wearable tech (and suchlike), and the digital services linked to them. It aims to ensure that users, whether individuals or businesses, can access the data generated by their devices and services, and share it with third parties, if they choose.
Its introduction forms part of the EU’s wider strategy to build a fair, innovative, and competitive data economy. It also addresses longstanding concerns over vendor lock-in, contractual imbalances, and a lack of transparency, especially in the cloud computing market.
Why the EU Introduced It
The European Commission has made clear its ambition to create a “single market for data.” With the rapid expansion of the Internet of Things (IoT), vast volumes of data are being produced but often remain locked within platforms controlled by manufacturers or service providers.
EU Commissioner Thierry Breton described the regulation as “a landmark in Europe’s digital decade,” saying it would ensure that “data is fairly shared, stored, and used, and that users have access to the value they help create.”
According to Commission estimates, the volume of industrial data in the EU is expected to increase fivefold between 2018 and 2030. The aim is to open up this data to support innovation across sectors, particularly for small businesses and the public sector.
Who It Applies To and Why UK Businesses Should Pay Attention
Although the Data Act is EU legislation, it has extraterritorial effect, i.e. UK companies can still fall within its scope if they:
– Sell connected products or provide related digital services to users in the EU.
– Offer cloud, edge, or data processing services (such as SaaS, PaaS, or IaaS) to EU-based customers.
– Hold or process non-personal data generated by EU users.
In short, any UK business that interacts with EU clients through connected products or cloud services may need to comply.
Which Are Affected Sectors?
The affected sectors are broad and include:
– Manufacturing (especially smart machinery and industrial equipment).
– Agriculture (IoT-enabled farming tools).
– Transport and logistics (connected vehicles, telematics/vehicle data tracking).
– Consumer tech (smart home devices, wearables).
– Cloud and SaaS providers.
– Facility and building management (smart meters, BMS systems).
What Just Came into Force on 12 September 2025?
From 12 September, many of the Act’s central provisions are now legally applicable across the EU, including:
– The right to access data. Users of connected devices, whether consumers or businesses, can request access to the data those products generate, free of charge and in a usable format.
– The right to share data. Users can also request that their data be shared with a third party of their choice, such as an independent repair provider or external analytics service.
– Fair contract rules. Contracts involving data access or sharing must not include unfair terms. The burden of proof lies with the data holder, who must demonstrate that the terms are fair and non-discriminatory.
– Cloud switching rights. Providers of data processing services must allow customers to switch to another provider more easily. This includes setting out clear porting terms and providing transparency around fees and procedures.
More Dates to Watch
While 12 September 2025 marks the beginning of formal obligations, businesses should also take note of two other key upcoming milestones:
– 12 September 2026. All new connected products placed on the EU market from this date must be designed to enable user access to the data they generate. This introduces a new “data access by design” requirement.
– 12 January 2027. Cloud providers will generally be banned from charging switching or data extraction (egress) fees, unless they can justify those charges objectively. This is likely to reshape the EU cloud market, which has faced repeated criticism over anti-competitive fee structures.
What UK Businesses Should Do Now
UK businesses that are affected need to take the following steps to comply:
– Assess applicability. First, determine whether the business sells connected products or offers relevant digital services within the EU. It is also vital to understand whether the data processed meets the definition of non-personal data generated through usage.
– Map data flows. A clear inventory of data flows is essential, i.e. what data is generated, who generates it, where it is stored, and how it is used or shared. This includes understanding which parties hold what rights over the data.
– Review contracts. Data sharing agreements and cloud service contracts must be updated to reflect new user rights. Any clauses that could be considered unfair, restrictive, or non-transparent may need to be removed or revised to ensure compliance.
– Build access infrastructure. Technical systems must allow users and authorised third parties to access data securely, quickly, and in machine-readable formats. Businesses should also start planning now for September 2026, when connected products must be built with user access in mind.
– Clarify cloud terms. Cloud providers must publish clear switching procedures, exit timelines, and any related fees. Some have already acted. Google Cloud, for example, announced it would waive egress fees to support compliance with the new rules.
– Protect trade secrets. Where businesses have a legitimate reason (e.g. the protection of trade secrets or user safety), they may refuse to share certain data. However, such refusals must be properly justified, and documented procedures should be in place.
– Penalties and Enforcement. Each EU member state is required to appoint a national regulator to enforce the rules. These authorities will have the power to investigate and impose penalties on businesses that fail to comply. The exact penalty levels vary by country, but the Act specifies that enforcement must be “effective, proportionate and dissuasive.” For larger organisations with complex operations, this could mean significant exposure if non-compliance is discovered.
Businesses are also required to keep records demonstrating how they comply with the Act. To support implementation, the European Commission has published model contract clauses and launched a dedicated Data Act Legal Helpdesk for practical support.
Criticism and Challenges
While the Act has been broadly welcomed as a long-overdue update to Europe’s fragmented data landscape, it will come as no surprise that it has not escaped criticism.
For example, some industry voices argue that compliance will be costly, particularly for small businesses that may lack the resources to adapt infrastructure and contracts at pace.
Others have raised concerns about cybersecurity and intellectual property. The ability for third parties to access usage data, even with safeguards in place, has prompted questions about how effectively sensitive information can be protected.
Concerns have also been raised about uneven enforcement. For example, as each EU country sets up its own supervisory regime, multinational businesses may face inconsistency in how the rules are applied or interpreted.
That said, supporters appear to believe that these are reasonable trade-offs in building a more equitable and open data economy. As the European Commission noted in its official guidance, “The Data Act provides a horizontal framework for unlocking data value, while protecting rights and ensuring fairness in the data-driven economy.”
What Does This Mean For Your Business?
For UK companies operating in the EU, the immediate priority is to ensure contracts, systems and internal processes reflect the new rights granted to users. This is particularly relevant for manufacturers of connected products and providers of cloud, edge and data processing services. Organisations that fail to prepare could face compliance risks, contractual disputes or even restricted access to key EU markets.
Those that act early may be better positioned to compete. Building in user data access, transparency and portability could strengthen customer relationships and support future product development. For cloud providers, the pressure to enable smooth switching and eliminate unreasonable fees will only increase as the 2027 deadline approaches.
Beyond UK businesses, the regulation is likely to affect a broad range of stakeholders. Public sector bodies may benefit from greater access to data for emergency response and infrastructure planning. Smaller firms across the EU could gain new opportunities by accessing usage data that was previously unavailable to them. At the same time, larger players may face greater scrutiny over how they manage contractual fairness and protect trade secrets.
While enforcement consistency remains a concern, the main message is that any business interacting with EU customers through connected products or cloud services will need to align with these rules. The next key dates are already set. Those preparing now will be in a stronger position to meet them, reduce legal risk, and remain competitive in a rapidly evolving digital market.
