What Is the EU Data Act?
The EU Data Act (Regulation (EU) 2023/2854) is a European law that sets the rules for who can access, use, and share the data generated by connected products and related services. It shifts control of that data toward the users who generate it, forces cloud providers to make switching easier, and sets fair terms for data sharing between businesses and, in defined cases, with public bodies. It applies across the EU since 12 September 2025.
It matters because a huge and growing share of enterprise data now comes from connected products, industrial machines, vehicles, and smart devices, and until now the manufacturer usually controlled all of it. The Data Act rebalances that: users gain the right to their data, and the businesses that hold data gain new obligations to make it accessible and portable. For any organization operating in the EU, it turns data access and sharing from a commercial choice into a legal requirement.
The EU Data Act (Regulation (EU) 2023/2854) governs access to and sharing of data from connected products and cloud services. It gives users the right to the data their devices generate, sets fair rules for business-to-business and business-to-government data sharing, and requires cloud providers to remove switching lock-in (data portable within set timeframes). It entered into force on 11 January 2024 and applies since 12 September 2025, with some provisions phasing in later (cloud switching charges are removed entirely from 12 January 2027). It is distinct from the Data Governance Act, which governs data intermediaries and altruism. To comply, an organization has to know what data it holds, where it lives, how sensitive it is, and where it flows, which is exactly what a governed data catalog, classification, and lineage provide.
What the EU Data Act Is
The Data Act is a horizontal regulation, meaning it applies across sectors rather than to one industry. Its central idea is that data generated by a connected product belongs, in usage terms, to the people and businesses that generate it, not solely to the manufacturer. It addresses both personal and non-personal data, and it works alongside the GDPR rather than replacing it: where the data is personal, GDPR still applies in full.
What It Covers
The regulation has a few main pillars:
- Access to connected-product data. Users of connected products (from smart home devices and wearables to connected vehicles and industrial machinery) have the right to access the data their use generates, and manufacturers must design products so that data is accessible by default, directly and free of charge.
- Business-to-business and business-to-government sharing. The Act sets fair, reasonable, and non-discriminatory terms for sharing data with third parties a user chooses, and allows public bodies to request data in defined exceptional situations.
- Cloud switching. Cloud and other data-processing providers must remove technical and contractual obstacles to switching, so customers are not locked in and can move their data and applications to another provider.
- Interoperability and safeguards. The Act sets interoperability requirements for data spaces and cloud services, curbs unfair contractual terms imposed on smaller businesses, and includes safeguards for trade secrets and against unlawful international data transfers.
Timeline
The Data Act was published in the Official Journal on 22 December 2023 and entered into force on 11 January 2024. Its obligations apply since 12 September 2025. Some provisions phase in later: cloud switching charges are removed entirely from 12 January 2027, and certain obligations affecting contracts signed before September 2025 apply from 12 September 2027. The direction is clear: access and portability are now defaults, not favors.
EU Data Act vs. the Data Governance Act
These two laws are easy to confuse but do different jobs. The Data Governance Act (Regulation (EU) 2022/868) is about the mechanisms for voluntary data sharing: it regulates data intermediaries, sets rules for reusing certain public-sector data, and enables "data altruism." The Data Act is about rights and obligations: who can access and use the data connected products and services generate, and on what terms. In short, the Data Governance Act builds the plumbing for sharing; the Data Act decides who gets the water.
What It Means for Data Teams
The Data Act turns questions that were once optional into compliance obligations. To honor a user's right to access connected-product data, you have to know that data exists and where it lives. To share data on fair terms, or to move it between clouds, you need to know its structure, its sensitivity, and its dependencies. And to protect trade secrets and personal data while sharing the rest, you need classification you can trust. In other words, the Act rewards organizations that already have a clear, governed picture of their data estate and penalizes those flying blind.
How Dawiso Fits
Dawiso does not file your compliance paperwork, but it gives you the governed foundation the Data Act assumes you have: a trustworthy, current map of what data you hold, what it means, how sensitive it is, and where it moves.
- An inventory of your data estate. The data catalog gives you a governed view of what data exists across systems, including data generated by connected products and services, so access and sharing requests can actually be answered.
- Sensitivity you can act on. Classification flags personal data and trade secrets, so you can share what is required while protecting what must stay protected.
- Flows you can prove. Interactive lineage shows where data comes from and goes, supporting portability, data sharing, and audit.
- Consistent meaning for sharing. The business glossary keeps definitions consistent, so shared data is understood the same way by every party.
The Data Act joins GDPR and the EU AI Act in a growing body of EU rules that all reward the same thing: knowing and governing your data. Build that foundation once, and each new regulation becomes a configuration, not a scramble.
Conclusion
The EU Data Act rewrites who controls the data from connected products and cloud services, giving users access rights, setting fair sharing terms, and ending cloud lock-in, with obligations live since September 2025. It is separate from the Data Governance Act, and it works alongside GDPR. Meeting it comes down to a single capability: a governed, current understanding of the data you hold, its sensitivity, and its flows. Get that foundation right and the Data Act, like the regulations around it, becomes manageable rather than daunting.
See it in action
Data & Analytics Catalog
Create a unified view of your data assets and gain insights faster with automated data discovery.