The EU Data Act Explained for Data Buyers | DataSupplier
DataSupplier
Insights EN · ES Log in Request a Quote
Insights / Compliance & Governance

The EU Data Act explained for data buyers

DataSupplier·17 min read

The EU Data Act is one of the most significant pieces of the European data strategy, and it changes the backdrop against which external data is sourced and shared. This guide explains what it is, what it requires, and what it means in practice for organisations that buy and use data, without the legalese.

Available across the EU. DataSupplier sources and delivers this data in all 27 European Union countries — including Germany, France, Spain, Italy, the Netherlands and Poland — and across the EEA, in the format and cadence you need.

What the Data Act is

The Data Act is formally Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data. It entered into force on 11 January 2024 and applies from 12 September 2025, with some provisions phased in later. Where the GDPR governs personal data, the Data Act addresses the much larger world of data generated by connected products and related services, both personal and non-personal, and the conditions under which it can be accessed and shared.

Why it exists

The European Commission’s aim is a fairer, more competitive data economy: giving users greater control over the data their connected devices generate, reducing lock-in to a single manufacturer or cloud provider, and enabling more data to flow to those who can create value from it, all while protecting personal data and trade secrets.

The core rights and obligations

  • Access to connected-product data. Users of connected products, from industrial machines to vehicles and smart devices, gain a right to access the data their use generates, and to share it with third parties of their choosing.
  • Obligations on data holders. Manufacturers and service providers must make that data available to users and, on request, to designated third parties, under fair, reasonable and non-discriminatory terms.
  • Protection against unfair contract terms in data-sharing agreements, particularly for smaller businesses.
  • Cloud switching. The Act makes it easier to switch between data-processing (e.g. cloud) providers, with switching charges phased down over time.
  • Public-sector access to data in exceptional circumstances, such as emergencies.

The timeline that matters

Most obligations apply from 12 September 2025. Some arrive later: the obligation to design new connected products for data access applies to products placed on the market from September 2026, and certain interoperability and switching provisions phase in through to 2027. For buyers, the practical point is that the access regime is now live.

How it interacts with the GDPR

The Data Act applies to both personal and non-personal data, but it does not override data-protection law. Where data is personal, the GDPR continues to govern: lawful basis, data-subject rights and transfer rules all still apply. In mixed datasets, both frameworks operate together, and sourcing arrangements must satisfy each.

Penalties

Enforcement sits with national authorities, and Member States set penalties for non-compliance. For certain infringements these can be significant. Commentary on the Regulation points to fines of the order of up to €20 million or 4% of worldwide annual turnover, mirroring the GDPR’s upper tier. The exact regime depends on the Member State.

What it means for sourcing external data

For organisations that buy data, the Data Act is mostly an opportunity. More data generated by connected products can now be made available, and switching between providers is easier. But it raises the bar on documentation: access rights, licensing terms and the lawful basis for use need to be clear and evidenced. A well-run sourcing process, with provenance, licensing and compliance information captured as standard, is exactly what the new environment rewards.

Who is in scope

The Data Act casts a wide net. It reaches manufacturers of connected products placed on the EU market and providers of related services, the data holders who control the data those products generate, the users (consumers and businesses) who operate them, and data-processing service providers such as cloud and edge platforms. Importantly, it applies regardless of where a company is established: what matters is whether the product or service is offered to users in the Union. Micro and small enterprises are exempted from several obligations, and there are tailored rules so that the burden falls proportionately.

For a data buyer, the practical question is usually which party is the data holder for the dataset you want, and whether the user whose product generated it can direct that it be shared with you as a third party. That triangular relationship, holder, user, recipient, is the mechanism the Act creates, and it is new.

Trade secrets and the limits of access

The right to access connected-product data is not absolute. The Act balances it against the protection of trade secrets: holders can require proportionate measures to preserve confidentiality, and in exceptional cases may refuse or suspend sharing where disclosure would cause serious economic harm. Data obtained under the Act also cannot be used to develop a directly competing product. For buyers, this means access is real but conditioned, and the contractual terms around confidentiality and permitted use matter as much as the access right itself.

What buyers should ask data suppliers

Whether you source connected-product data directly or through a partner, a short due-diligence list keeps you on solid ground:

  • Who is the data holder, and what is the lawful basis for the data being shared with us?
  • Does any personal data sit inside the dataset, and how is the GDPR satisfied alongside the Data Act?
  • What are the confidentiality and permitted-use terms, including any restriction on competing products?
  • For cloud-sourced data, are switching and portability terms compliant with the Act’s timetable?
  • What provenance and documentation travel with the data?

Common misconceptions

Three misunderstandings recur. First, that the Data Act replaces the GDPR, it does not; the two apply together, and the GDPR prevails for personal data. Second, that it makes all machine data “free”, in fact access is on fair, reasonable and non-discriminatory terms, and holders may charge recipients reasonable compensation. Third, that nothing changes until an enforcement case appears, when in reality the access regime has applied since September 2025 and shapes what can be sourced today.

Key takeaways
  • Regulation (EU) 2023/2854 applies from 12 September 2025, with some provisions later.
  • It covers connected-product data, personal and non-personal, and eases cloud switching.
  • The GDPR still governs personal data; both frameworks operate together.
  • Clear access rights, licensing and provenance documentation are now essential.

This article is general information, not legal advice. Confirm obligations for your situation with qualified counsel.

Sources & further reading

  • European Commission, Data Act, digital-strategy.ec.europa.eu (applicable from 12 September 2025).
  • EUR-Lex, Regulation (EU) 2023/2854 (full text).
  • European Commission, Data Act: Frequently Asked Questions and guidance materials.
  • EUR-Lex, Regulation (EU) 2016/679 (GDPR).
Sourcing data in the EU?

We structure supply with licensing, provenance and compliance documentation designed to support GDPR and EU Data Act requirements. Get a no-obligation quote.

Request a Quote Book a 30-minute call
Related
GDPR for external data: lawful bases, roles and transfers → The complete guide to enterprise external data sourcing →