Since the beginning of this year, the Data Act has been in effect. As of Sept. 12, 2025, it is officially in force. This new European legislation has a major impact on companies dealing with IoT products, data processing and cloud services. In this article, Joost van Dongen discusses what the Data Act means and who it applies to.
Date: May 15, 2024
Modified May 15, 2024
Written by: Joost van Dongen
The Data Act is a key pillar of the European Union's data strategy with the overarching goal of promoting the digital transition in the European Union. This EU regulation aims to ensure fair access to and use of data. The Data Act has a broad scope of application and is relevant to manufacturers and users of physical Internet of Things (IoT) products, providers of related services, business data holders and recipients, providers of data processing services (cloud and edge service providers) and national and European public institutions. As it is a European regulation, the rules from the Data Act have direct effect in the Netherlands without having to be implemented in national legislation.
The Data Act uses a broad definition of data. 'Data' means any digital representation of activities, facts or information, including images and sound. This can include both personal and non-personal data. The data sharing obligation under the Data Act concerns data collected or generated by IoT products.
The Data Act defines IoT products as products that can be connected to the Internet and then exchange data with other products (or systems). The rules cover the IoT products themselves, but also the related service. The related service is the service necessary for the functionality of the IoT product. IoT products are often referred to as smart products. Examples include smart doorbells, robotic vacuum cleaners, washing machines, medical equipment, agricultural machinery and other industrial machinery.
In many cases, data from IoT products is currently collected exclusively by the manufacturer. This gives the manufacturer a competitive advantage as it makes the user dependent on the manufacturer and unable to turn to other parties for repair, for example. The Data Act contains specific measures to allow users of products to access the data collected by the manufacturer. This data must be provided in a simple, secure, structured and cost-free manner so that it can then be shared with a third party that provides aftermarket (repair) services, for example.
This third party is also bound by rules and should include the data:
Please note that micro and small enterprises qualified as third parties are in principle not subject to the aforementioned obligations.
The Data Act provides that contractual terms imposed on micro, small or medium-sized enterprises are not binding if they are unilaterally imposed and deviate from good business practice. Specifically, these are contractual terms regarding access to and use of data or liability and remedies open for a breach or termination of data-related obligations.
A contractual provision is unfair, among other things, when it contains:
Furthermore, the Act contains rules that make it easier for customers of data processing services (cloud services for short) to switch to another provider. Cloud service providers should therefore not create pre-commercial, commercial, technical, contractual and organizational barriers to users. The Data Act seeks to address these issues by making it contractually easier to switch service providers or transfer data and records. In doing so, it is important that full support and service continuity remain in place during the transition.
The Data Act went into effect on Jan. 11, 2024, and imposes many obligations on businesses. As of Sept. 12, 2025, it will apply to businesses. Are you a supplier of IoT products or a related service, or do you purchase data processing services as a customer, and do you have questions about the Data Act? Put them to our IT specialists.