What is the EU Data Act?
The EU Data Act (Regulation (EU) 2023/2854) is a landmark law reshaping how data from connected products and related services is accessed and shared across Europe. Here’s what it requires, who it affects, and how to comply.
A law to unlock the value of connected-device data.
The Data Act establishes clear, fair rules on who can access and use data generated by connected products — from industrial machinery and vehicles to smart-home devices — and the related services that depend on them.
For decades, the data a connected product generated stayed locked with its manufacturer. The Data Act changes that: it gives users — the people and businesses that own or operate a device — the right to access that data and to share it with third parties of their choosing.
The goal is a more competitive, innovative European data economy: enabling new aftermarket services, fairer competition in repair and maintenance, and smoother switching between providers — while protecting trade secrets and personal data along the way.
Who must comply?
If your products generate data in the EU — or you build services on top of that data — the Data Act likely applies to you.
Manufacturers of connected products
Makers of IoT devices, machinery, vehicles, and smart equipment that generate data in use.
Industrial & IoT operators
Companies running connected equipment across EU markets and supply chains.
Related-service providers
Providers of digital services that make a connected product work as intended.
Users & recipients
Businesses and individuals who own or operate devices, and the third parties they share data with.
Public-sector bodies
Entitled to request data in cases of exceptional need (e.g. public emergencies).
What the Data Act requires — and where Steelbridge fits.
The regulation spans access rights, third-party sharing, fair contract terms, public-sector access, and provider switching. Here’s a high-level map of the core duties to the modules that handle them.
| Obligation | What it means | Reference |
|---|---|---|
| Access by design & user access | Products and services must let users access the data they generate — readily, securely, and free of charge. | Art. 3–5 |
| Sharing with third parties | On the user's request, data holders make data available to third parties on fair, reasonable, and non-discriminatory terms. | Art. 5, 8–12 |
| Fair contract terms | Unilaterally imposed, unfair data-sharing contract terms are not binding. | Art. 13 |
| Public-sector access | Make data available to public bodies in cases of exceptional need, within strict limits. | Art. 14–22 |
| Trade-secret protection | Share what the law requires while safeguarding trade secrets and IP. | Art. 4–5 |
Key dates.
Adopted
The Data Act is adopted by the European Parliament and Council.
Entered into force
The regulation formally enters into force, starting the transition period.
Becomes applicable
The core obligations apply. Companies must now provide data access, third-party sharing, and audit trails.
Access-by-design takes effect
Data-access-by-design requirements apply to connected products placed on the market from this date.
Common questions.
When did the EU Data Act come into force? +
It entered into force on 11 January 2024 and became applicable on 12 September 2025. Data-access-by-design obligations apply to products placed on the market from 12 September 2026.
How is it different from the GDPR? +
The GDPR governs personal data and privacy. The Data Act is broader: it covers access to and sharing of data generated by connected products and related services — personal and non-personal — and sets rules for fair contracts, public-sector access, and cloud switching. The two regimes apply together.
What data is covered? +
Data generated by the use of connected products and related services — for example sensor, telemetry, performance, and usage data — both personal and non-personal.
What are the penalties for non-compliance? +
Enforcement is handled by competent authorities designated by each EU member state, which set penalties. These can be significant, and non-compliance also carries commercial and reputational risk. Consult local counsel for specifics in your markets.
Do we have to build the infrastructure ourselves? +
No. The Data Act requires operational data-access interfaces, not just policies. Steelbridge provides that layer — consent, access APIs, contract enforcement, and audit trails — as a ready-to-deploy platform, so you don't build it from scratch.
Turn the Data Act from a deadline into infrastructure.
See exactly how Steelbridge maps to your obligations — and how fast you can switch it on.