Are you prepared for the most significant data regulation since GDPR? With just 30 days remaining until the EU Data Act becomes applicable on September 12, 2025, companies across Europe are scrambling to understand requirements that will fundamentally reshape how they handle connected device data.
Note: The EU Data Act entered into force on January 11, 2024, giving companies nearly two years to prepare. However, its obligations only become legally enforceable starting September 12, 2025.
The Reality Check: Every Connected Device Is Affected
The Data Act will touch companies of all sizes in almost every sector of the European economy. If your business manufactures smart consumer devices, cars, connected industrial machinery, smart fridges, or other home appliances, you’re directly in scope. But the impact extends far beyond manufacturers – any related services that interact with connected products, including streaming services, data analytics software, and cloud computing providers, must also comply.
Connected devices (also known as IoT devices) are physical objects embedded with sensors, software, and network connectivity that can collect and exchange data over the internet. This includes everything from smartphones and smart watches to industrial sensors and connected cars.
This isn’t just another regulatory checkbox. According to Skadden’s analysis, the Act establishes new rights for businesses and consumers to access data they generated using “connected devices,” fundamentally limiting the exclusive control exercised by many data holders.
What Changes on September 12?
The Data Act introduces sweeping new rules for data access, sharing, and interoperability. Most critically, all data generated after September 12th must be made available on request, while data generated before this date may remain under existing arrangements.
Key obligations include:
- Data Access Rights: Users gain unprecedented access to data generated by their connected devices
- Switching Provisions: Enhanced data portability between service providers
- Cloud Provider Restrictions: New limitations on unfair contractual terms
- International Data Protection: Providers must prevent unauthorized third-country governmental access to EU-stored data
The Compliance Challenge: Are You Asking the Right Questions?
If your organization operates in the EU data ecosystem, you need to ask yourself:
- Can you identify all connected devices and data flows in your business? Many companies underestimate the scope of their connected infrastructure. This includes not just obvious devices like smartphones, but also industrial IoT sensors, smart building systems, and embedded devices in machinery.
- Have you reviewed your data sharing agreements and cloud contracts? The Act specifically targets unfair contractual terms that may currently be standard in your agreements.
- Do you have systems in place to handle data access requests? Unlike GDPR’s focus on personal data, the Data Act covers broader categories of machine-generated data.
- Are your cloud providers compliant with new sovereignty requirements? As we’ve seen with recent Microsoft data sovereignty challenges, this is becoming increasingly complex.
Enforcement and Penalties: The Stakes Are High
National authorities will enforce the Data Act, with member states required to notify the European Commission of their enforcement frameworks and penalties by September 12, 2025. While specific penalty amounts vary by country, the regulation follows the EU’s pattern of substantial fines for non-compliance.
Your 30-Day Action Plan
With the application deadline approaching rapidly, immediate action is essential:
Week 1-2: Conduct a comprehensive audit of your connected devices, data flows, and existing contracts. Identify which products and services fall under the Act’s scope. Create an inventory of all devices that collect, process, or store data.
Week 3: Review and revise data sharing agreements, cloud contracts, and privacy policies to align with new requirements. Focus particularly on eliminating potentially unfair terms. Ensure your cloud service agreements comply with new sovereignty requirements.
Week 4: Implement systems for handling data access requests and establish procedures for data portability. Train relevant staff on new obligations. Test your data export capabilities and ensure you can respond to user requests within required timeframes.
The Data Act represents more than regulatory compliance – it’s a fundamental shift toward a fair, competitive data market that promotes transparency, innovation, and data-driven growth. Companies that view this as an opportunity to enhance customer trust and competitive positioning will be better positioned than those treating it as merely a compliance burden.
As the digital landscape continues evolving with regulations like the GDPR email ruling and blockchain compliance challenges, the question isn’t whether you can afford to comply with the Data Act – it’s whether you can afford not to be ready by September 12.
Key Terms Explained:
- Connected Devices/IoT: Physical objects with sensors and internet connectivity that can collect and share data
- Data Portability: The right to receive and transfer personal data in a structured, commonly used format
- Cloud Computing: On-demand delivery of computing services over the internet
- Interoperability: The ability of different systems to work together and exchange information