The EU Data Act, adopted in 2023, will be enforceable from 12 September 2025, except for some parts that will come into force later in 2026. The Data Act is a cornerstone of the EU’s Strategy for Data, aimed at tackling down data monopolies and boosting Europe’s data economy, promoting sharing, innovation, and fair value distribution across stakeholders. In our article, we summarize the scope and key aspects of the legislation.
Smartlegal Schmidt&Partners reports from Hungary:
1.Scope
The Act covers both personal and non‑personal data generated by connected products (IoT devices, smart appliances, connected vehicles, industrial equipment) and related services essential for their functioning. It focuses especially on industrial, non-personal data but is relevant for personal data too (together with GDPR). As you can see, the Act covers only a specific type of data that are related to smart devices.
The Act applies to users (businesses or consumers owning, leasing, or renting connected products), data holders (e.g. manufacturers), and data processing service providers (including cloud, SaaS, IaaS, PaaS providers).
The Act is directly applicable in EU Member States and also extraterritorially. Non-EU entities must comply if (1) they offer a connected product or related service in the EU, (2) they make data available to EU users or recipients, or (3) they provide data processing services to EU customers.
Most of the obligations in the Data Act become directly applicable starting on 12 September 2025, with further phased provisions rolling out from 12 September 2026 onward for product design requirements.
2. Key Rights & Obligations
2.1 Rights for Users of Connected Products
Users shall have the right to access, use, and port data generated by their use of a connected product or related service—this includes both personal (e.g. location, usage) and non-personal (e.g. sensor metrics) data. To this end, data holders must design products/services so that user‑generated data are easily accessible, secure, and, where appropriate, directly accessible by default.
Manufacturers and service providers must inform users, before contract signing, about what data will be generated, how to retrieve or erase it. On user request, if data isn’t directly accessible, they must provide it to the user or a third-party designated by the user, under Fair, Reasonable, And Non‑Discriminatory (FRAND) terms.
The Act prohibits unfair contractual terms, including clauses that unilaterally favor stronger parties in data sharing contracts.
2.2 Switching and Portability for Data Processing Services
The Data Act addresses long-standing vendor lock‑in issues in cloud/SaaS/IaaS/PaaS environments, furthermore, it ensures businesses can access their data and switch providers upon notice, without requiring approval and without functional loss
2.3 Public Sector Data Access
Public sector bodies can request access to non-personal data from businesses in exceptional situations, such as public emergencies. The Data Act sets out procedural rules and safeguards, including limits to prevent access by third-country government bodies in conflict with EU or national law.
2.4 Interoperability and Standards
Products and services must meet essential requirements for interoperability, facilitating data flows across Common European Data Spaces and between Member States and providers
3. Enforcement & Compliance
The Regulation will be enforced at member-state level by designated authorities, similar in scope to GDPR enforcement agencies. Non-compliance can trigger fines up to €20 million or 4% of global turnover, whichever is higher.
From 12 September 2025, most primary obligations will apply, including user access rights and switching protections. From 12 September 2026, products placed on EU market must be designed to deliver direct access to use‑generated data by default.
4. Conclusion
The EU Data Act, which will be enforceable from September 2025 sets a template for other EU data access legislation and it is hoped that the new legislation will tackle data monopolies by preventing manufacturers and cloud providers from monopolizing data access, promoting competition, and supporting innovation. It is expected that the Act will facilitate the creation of a single EU data market by enabling cross-border and cross-sector data flows in a trusted and fair legal environment, complementary to the Data Governance Act (which focuses on voluntary sharing mechanisms). On the other hand, the affected businesses (e.g. manufacturers) must ensure compliance with the Data Act as the sanctions can be severe.
The article was written by dr. Gritta Péter
SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu