EU Data Act: What companies need to know, decide and implement now
Why the EU Data Act should be at the center of the business agenda now: The EU Data Act marks a fundamental pillar in Europe’s digital economy. It creates uniform rules for how companies must share, use and protect data from networked products or digital services – and at the same time opens up new avenues for data-driven business models, interoperable product worlds and innovative services. For companies, this means that processes, interfaces, contracts and governance must be modernized to ensure compliance. Those who act early will also gain transparency, efficiency and new data-based business models – those who wait risk operational costs, regulatory conflicts and competitive disadvantages.
Executive Summary -
The EU Data Act at a glance
- Strategic relevance: The EU Data Act has a fundamental impact on the European data economy - it defines who can access which data and creates a harmonized framework for interoperable, fair and user-centric data usage.
- Operational impact: Companies must restructure data flows, interfaces, contracts and governance models in order to fulfil obligations in a legally compliant manner and minimize associated risks.
- Growth opportunities: The EU Data Act promotes data-based business models, new services, open ecosystems and clear competitive advantages for companies with a modern data strategy.
- Success factors: Data architecture, compliance frameworks, cloud flexibility and active preparation are key to meeting regulatory requirements and directly exploiting the associated opportunities.
The EU Data Act -
Significance, objectives and dynamics
The EU Data Act is a central element of the European digital strategy. Together with the EU AI Act, the Data Governance Act and the Digital Services Act, it creates a Europe-wide framework for a sovereign, secure and innovation-friendly data economy.
The Data Act is the first binding definition:
- who can access which data,
- how device and usage data must be provided,
- how data contracts must be structured,
- how cloud changes should work,
- how government data access is regulated in crises.
This creates a new basis for data sharing, interoperable ecosystems and data-based value creation.
The EU Data Act affects almost all companies that manufacture, use or generate data from networked products. It applies in particular to:
- Manufacturers of IoT products and machines – they must provide uncomplicated, standardized and secure data access,
- Providers of digital services and platforms – they must give users access to data and ensure fair contractual clauses,
- Cloud and edge providers – they are obliged to ensure portability and reduce lock-ins,
- Companies that use IoT or operational data – regardless of whether they are manufacturers themselves,
- public bodies – in defined crisis situations with data access obligations.
In short, the EU Data Act applies to all players in the digital value chain – from device manufacturers and data processors to cloud providers.
Your experts for AI use cases in the healthcare sector
The most important deadlines and phases at a glance
January 11, 2024
The Data Act formally came into force on this date.
- from September 12, 2025:
From this date, the Data Act will be binding and will take legal effect in the EU without any obligation to implement it. - created after September 12, 2026:
The obligation under Article 3(1) – “Connected products/services shall be manufactured or provided in such a way that their product and service data are easily, securely and freely accessible by default” – shall only apply from that date. - enter into force after September 12, 2025:
Chapter III (Obligations of data holders who are obliged to provide data under Union law) only applies in relation to data provision obligations that enter into force after September 12, 2025. - concluded after September 12, 2025:
Chapter IV (unfair contract terms in relation to data access and use between companies) applies to contracts concluded after this date. - from September 12, 2027:
Chapter IV (unfair contract terms in relation to data access and use between companies) applies from this date to contracts concluded on or before September 12, 2025, if they are concluded for an indefinite period or if their term ends no earlier than 10 years after January 11, 2024.
Although the Data Act applies directly, the member states of the Union must define national responsibilities and enforcement rules. Germany is currently in the middle of the parliamentary process.
- October 29, 2025
The Federal Cabinet has approved the draft of the Data Act Implementation Act. - January 16, 2026
The Bundestag discussed the draft for the first time and referred it to the committees. - January 28, 2026
Hearing on the draft law “Implementation of the European Data Act”. A hearing is a key instrument of parliamentary quality assurance. Important detailed questions were disclosed, which the responsible Committee on Economic Affairs and Energy will address in its report. This will be followed by the regular readings in the Bundestag and then participation in the Bundesrat until the “Implementation of the European Data Act” can finally enter into force.
- Completion of committee phase: end of Feb./March 2026
- Plenary debates and final vote: March-April 2026
- Federal Council: April-May 2026
- Announcement: expected in May/June 2026
- Entry into force (with transitional periods): Summer 2026
The most important innovations of the EU Data Act - clear and compact
For the first time, the EU Data Act creates a uniform legal framework across Europe that defines exactly who can access which data from networked products, how this data must be provided and which technical and contractual obligations companies must fulfill. The key innovations are:
Users – whether private individuals or companies – are given the clear right to access the data on their devices or to pass on the data generated by networked products and connected services to third parties.
users can demand that this data be made easily, securely and free of charge accessible and available in an understandable, structured and machine-readable format.
In future, manufacturers must develop their products in such a way that product and service data is accessible as standard and can be exported without additional technical hurdles.
This will put an end to proprietary and difficult-to-access interfaces as far as possible.
This applies to all IoT devices, machinery, industrial plants, vehicles, smart state devices and digital services that generate usage or operating data.
The Data Act prohibits abusive or unilateral contractual clauses relating to data use, access and disclosure.
Data contracts between companies must be fair, transparent and comprehensible in future.
This is intended to protect smaller companies in particular from power imbalances.
Cloud and edge service providers must make it easier for customers to switch cloud providers and keep data and workloads as portable as possible.
Switching fees must be reduced and may only cover the actual costs incurred by the provider.
In the long term, switching fees will be banned completely.
Authorities may request certain data from companies in clearly defined emergencies, such as natural disasters or serious public threats.
The Data Act sets out strict requirements, transparency obligations and purpose limitations to prevent misuse.
Planned catalog of fines in Germany
The EU Data Act deliberately leaves the specific form of sanctions to the member states. It only stipulates that fines must be “effective, proportionate and dissuasive” – however, the Data Act itself does not define specific amounts.
No final implementing law has yet been passed for Germany. However, the current government draft provides for a tiered system of sanctions:
In serious cases, fines of up to 5 million euros can be imposed, and in the case of infringements by companies with market power (“gatekeepers”) even up to 2% of annual global turnover. Authorities are also to be authorized to exceed these maximum limits if this is necessary to fully absorb unlawfully obtained economic benefits.
Important: GDPR fines remain unaffected by this. Breaches of personal data protection will continue to be punished separately under the GDPR – in addition to possible measures under the Data Act.
Why the Data Act is crucial for companies now: Impact of the EU Data Act on companies
The EU Data Act describes the way in which companies must fundamentally provide, share and commercially utilize IoT data. The new rules entail some far-reaching operational, technical and contractual adjustments – and at the same time open up new strategic potential. For companies, this means that data architectures, IoT systems, contractual landscapes, governance models and cloud strategies need to be reconsidered and actively aligned with the Data Act.
- Technical adaptation of data access
Companies must provide standardized, secure, machine-readable interfaces for product and usage data. - Revision of all relevant contracts
Data Act-compliant contracts are mandatory, as unilateral or abusive clauses will become ineffective in future. - Transparency and documentation obligations
Companies must clearly communicate which data is collected, used and passed on – including evidence. - Integration into existing systems
Heterogeneous IoT, ERP, platform and cloud systems must be made interoperable. - Compliance risks due to lack of preparation
Missing processes or delays can lead to fines, conflicts with customers and operational disruptions.
- Development of new data-driven business models
Clearly defined processes enable companies to monetize their own data and develop new services. - Increased transparency and customer trust
Transparent data processes strengthen customer and partner relationships. - More efficient processes and automation-capable data flows
Standardized data structures are the basis for automation in maintenance, service, planning and reporting. - Open data spaces and new collaborations
The Data Act facilitates participation in European data spaces and interoperable ecosystems. - Stronger negotiating position vis-à-vis cloud providers
The elimination of lock-ins creates flexibility and cost control.
What companies need to do now
- Analyze data landscape and IoT architecture
Determine which data is generated where, how it is stored and which interfaces can be used to make it accessible. - Identify relevant data sources and systems
Record all devices, platforms, applications and cloud environments that fall under the Data Act. - Revise contracts with customers, partners and cloud providers
Ensure that data usage, access and transfer clauses are formulated transparently and in compliance with the Data Act. - Establish a governance model for data access and transfer
Define responsibilities, decision paths and control mechanisms for data access processes. - Develop standardized interfaces and export processes
Implement APIs and data formats that are legally compliant and technically efficient. - Conduct training & awareness programs
Sensitize product teams, IT, legal, sales and service to Data Act obligations and new processes.
How Ventum Consulting supports you in implementing the EU Data Act
Ventum Consulting combines regulatory expertise and technological competence with a focus on data-based value creation – and supports companies throughout the entire data act lifecycle:
We assess your current data landscape, governance, contracts and IoT architecture.
You receive a clear maturity level, identified gaps and concrete immediate measures for compliance and value creation.
We develop scalable data and API architectures that meet data act requirements and support future AI and analytics applications.
We use proven best practices from industry data spaces such as Catena-X or Manufacturing-X.
We design and implement standardized, secure and auditable interfaces in accordance with Data Act specifications.
This enables you to provide users, partners and authorities with compliant access to product and usage data.
We support the development, integration and operationalization of data spaces (e.g. Catena-X, Mobility Data Space).
This allows you to create secure, interoperable and future-proof data ecosystems.
We help manufacturers of connected products to embed Data Act obligations directly into product design, IoT architecture and service processes.
This helps you avoid technical debt and regulatory rework later on.
We prepare teams from product, IT, legal, sales and service for the new roles and obligations.
This creates long-term data competence in your organization.
From analysis and architecture to deployment, we provide holistic support for your transformation – including project management, documentation and audit preparation.
You receive compliance and business benefits from a single source.
Use the structures you need for the EU Data Act for AI applications. We identify use cases for AI, automation and analytics that are only made possible by Data Act-compliant data architectures.
This allows us to combine compliance with genuine value creation.
Conclusion EU Data Act
The EU Data Act is more than just a regulatory update: it marks the beginning of a new European data order. Companies must not only meet technical requirements, but also rethink their business logic, governance and value creation. Data that was previously hidden away unused in devices, machines, platforms or services is now becoming a strategic asset.
Companies that modernize their architecture early on, create interoperable interfaces and establish a consistent data access governance model will secure themselves:
- faster innovation because data becomes easier to use and available.
- more efficient processes because data flows are clearly regulated and can be automated.
- stronger customer relationships because transparency creates trust.
- better negotiating positions with cloud and platform operators.
- new digital business models along services, platforms and data-based offerings.
- Sustainable regulatory security because compliance requirements are met.
The Data Act forces action – but it rewards early strategic decisions.
Arrange a non-binding initial consultation now
- Strategic: Analysis, roadmap & data act potentials incl. Implementation
- Secure: Compliance with Data Act, AI Act & GDPR
- Practical: Over 20 years of experience in data strategy, governance & architectures
- Measurable: focus on compliance, efficiency & new value creation
- Holistic: technology, organization, governance & regulation
TISAX and ISO certification for the Munich office only
Your message
FAQ - EU Data Act
The Data Act affects all companies that manufacture, operate or sell connected products or data-based services – regardless of size or industry – with the exception of the defined small and micro enterprises under Article 7. This includes industry, mechanical engineering, mobility, IoT platforms, software and cloud providers as well as any organization that uses data from digital products.
In principle, all usage, sensor, telemetry and operating data generated by a networked product must be made available – provided that this does not conflict with data protection or IP protection.
From 12 September 2026, this data must be standardized, machine-readable, secure and available for retrieval free of charge. Proprietary interfaces that make data sharing more difficult will no longer be permitted from this date.
- According to the cabinet draft, Germany is planning fines of up to €5 million or 2% of global annual turnover for companies with a gatekeeper position. There is also the threat of contractual risks due to inadmissible data clauses.
- Irrespective of this, data protection violations remain sanctionable under the GDPR (up to €20 million or 4% turnover).
The Data Act harmonizes the use and sharing of industrial data. The Data Governance Act creates trustworthy mechanisms for data sharing. The Digital Services Act regulates digital platforms and strengthens user protection. The EU AI Act lays down comprehensive rules for the safe, transparent and responsible use of AI for the first time. Together, they form the core of a secure and fair European digital single market.
Differences:
- Data Act: access to IoT data, data portability, B2B/B2G data usage.
- Data Governance Act: framework for data trustees, data altruism, secure data rooms.
- Digital Services Act: platform rules, content moderation, risk management for large services.
- EU AI Act: risk-based regulation of AI, transparency obligations, bans on dangerous AI practices.
Together, the four EU laws create a coherent framework in which data can be used, shared and regulated in a secure, fair and trustworthy manner. A structured and organized database forms the central basis for ensuring that data portability, data use, platform supervision and AI regulation are effectively interlinked.
From January 12, 2027, cloud switching may no longer incur any fees – neither direct nor indirect.
Between September 2025 and January 2027, switching fees must already gradually decrease and be limited to real switching costs of the provider.
Cloud companies therefore need an exit-capable cloud strategy and must review and adapt existing contracts.
From 12 September 2026, manufacturers must guarantee that every networked product can provide data via standardized interfaces.
This applies fundamentally:
- Machines
- Vehicles
- Smart home devices
- Industrial plants
- Sensor-based devices
Companies therefore have to adapt product design, firmware, APIs and documentation – sometimes deep into product development.
The Data Act enables, among other things:
- new data-based services (e.g. predictive maintenance services)
- Cross-industry cooperation through data rooms
- Data-driven upgrades & subscription models
- Product differentiation through transparency & interoperability
- Lower operating costs thanks to harmonized data flows
Early starters can massively strengthen their market position by actively shaping standards and partner ecosystems.
Companies need roles and responsibilities such as data access owners, API owners or data governance teams.
In addition, employees in product development, IT, service and legal need to be informed about the new requirements.
Without clear governance, there is a risk of inconsistent data processes or contradictory contractual regulations.