34 answers
What is the EU Data Act and what does it actually change for my company?
The Data Act (Regulation (EU) 2023/2854) is the European law that establishes who can access and use the data generated by connected products (machinery, vehicles, smart appliances, IoT sensors) and the related digital services. In practice, it gives the person using the product the right to obtain that data and share it with third parties of their choice.
For an SME this means two concrete things: if you use connected machinery or software, you have more rights over the data you produce; if instead you manufacture them or offer them as a service, you have new transparency and access obligations. On top of that, the regulation makes it simpler and cheaper to switch cloud provider.
GiBSeS — Understanding which side of the table you're on — data user or data provider — is the first step we take together in a diagnostic assessment.
When did the Data Act come into force? Do I need to act now?
The Data Act entered into force on 11 January 2024, but most of its obligations apply from 12 September 2025. Some deadlines come later: the obligation to design connected products so that data is accessible "by default" applies to products placed on the market after 12 September 2026, while the elimination of switching costs for cloud providers is due by 12 January 2027.
So yes, the bulk of it is already applicable: it's worth checking your position now, rather than waiting for the later deadlines.
GiBSeS — If you're not sure which deadlines actually apply to you, lining up the dates against your specific situation is part of the starting point we work from.
Does the Data Act apply to a small business like mine too?
Yes, but differently depending on your role. The regulation applies to manufacturers of connected products, providers of related services, users of these products (businesses and consumers), cloud service providers and data recipients. Even a small company that simply uses connected machinery or software falls among the parties it protects.
However, there are important exemptions for micro and small enterprises when they are the ones manufacturing the product or providing the service: in that case many data-sharing obligations don't apply. Being an SME matters, but your position needs to be assessed case by case.
GiBSeS — Establishing whether you're a protected party, an obligated party, or both is exactly the kind of clarification we start from.
What data are we talking about exactly? Does this only cover IoT devices?
The Data Act covers data generated by the use of connected products and their related services: we're talking about industrial machinery, vehicles, medical devices, smart appliances, sensors, but also the software and apps that manage how they work. This includes both raw data and pre-processed data that the product collects, records or transmits during use.
It does not, however, cover information the provider derives through complex analysis and its own investment (so-called "derived" or "inferred" data), which stays outside the sharing obligation.
GiBSeS — Distinguishing shareable raw data from processed, protected data is one of the technical assessments we work through with you.
Can I access the data generated by my machinery or devices?
Yes. If you use a connected product or a related service, you have the right to access the data you generate through its use, easily, securely and free of charge, and where technically possible, directly and continuously. If you can't obtain it directly from the device, the data holder (usually the manufacturer or provider) must make it available to you without undue delay.
This breaks a widespread practice: until now, the data from your own machinery often stayed locked inside the manufacturer's systems.
GiBSeS — Reclaiming the data from your own equipment is at the heart of the "data sovereignty" issue we work on with SMEs.
Can I have my data given to a third-party provider, for example an independent repair shop?
Yes, and it's one of the most concrete new features. At your request, the data holder must share your data with a third party you choose — an independent maintenance provider, another service provider, a solution developer. This lets you, for example, have a system maintained or optimised by whoever you want, without staying tied to the manufacturer.
The third party may only use the data for the purposes agreed with you and cannot pass it on again without your consent. Large gatekeepers designated under the Digital Markets Act are excluded from this mechanism.
GiBSeS — Using this right to open up competition on after-sales services is an anti-lock-in lever we help put into practice.
I manufacture connected devices or machinery: what do I need to do?
As a manufacturer you have some key obligations. You must clearly inform the buyer, before the sale, about which data the product generates, how to access it and with whom it can be shared. You must make the data accessible to the user and, at their request, to third parties they name. For products placed on the market after 12 September 2026, there's also the obligation to design them so that data is accessible "by design and by default".
You can protect your trade secrets with adequate measures, but you cannot use them as a blanket excuse to deny access altogether.
GiBSeS — Reviewing sales contracts, technical documentation and product architecture from a Data Act perspective is work we support end-to-end.
I'm a user of connected products: what changes for the better for me?
You gain more control and more negotiating leverage. You can access your products' usage data, take it with you, and hand it over to third-party providers for maintenance, analysis or new services. This reduces dependence on a single manufacturer and lets you compare service offers on the open market.
In practice, you can put a value on data that used to stay out of reach: energy efficiency, wear and tear, failure prediction, process optimisation.
GiBSeS — Turning these rights into savings and better decisions is the practical part we care about most.
How does this relate to the GDPR? Does the Data Act replace it?
No, the Data Act does not replace or weaken the GDPR: the two apply in parallel. The GDPR continues to govern all personal data; the Data Act adds rights around access and portability, but in case of conflict, personal data protection prevails. When the data generated by the product includes personal information, you still need a valid legal basis and compliance with GDPR principles.
In practice, many IoT datasets are mixed (personal and non-personal data intertwined): they need to be managed with both regulations in mind at once.
GiBSeS — Untangling the mix of personal and non-personal data without breaching either regulation is a typical knot we help unpick.
Can a provider impose unfair conditions on how I use data?
The Data Act introduces a protection against unfair contractual terms concerning data access and use, when they are unilaterally imposed by one company on another. A term found to be unfair is not binding: for example, one that excludes or limits remedies for non-performance in a manifestly unfair way, or that gives whoever imposed it the unilateral power to decide whether the data supplied is compliant.
This protection is designed above all to rebalance relationships when the other party holds strong negotiating power.
GiBSeS — Combing through data contracts for clauses that no longer hold up is a quick check that's often revealing.
Are there specific protections or exemptions for micro and small enterprises?
Yes. Micro and small enterprises benefit from important relief: when they are the ones manufacturing a connected product or providing a related service, the data-sharing obligations set out in Chapter II of the regulation generally don't apply. This avoids burdening smaller businesses with the same obligations as multinationals.
Be careful though: the exemption can lapse if the micro or small enterprise is a linked or partner enterprise of a larger company. SME status must be verified according to EU criteria (employees, turnover, ownership structure).
GiBSeS — Precisely checking whether you fall within the exemption — and whether your corporate structure voids it — is a check worth doing before investing in compliance work.
Does the Data Act really help me switch cloud provider?
Yes, it's one of its central goals. The regulation requires data processing service providers (cloud and edge) to remove technical, contractual and commercial obstacles to switching provider. They must guarantee a migration process with defined timeframes, assist the customer in transferring data and applications to another provider or to on-premise infrastructure, and cannot impose disproportionate constraints.
It's designed precisely to reduce the lock-in that holds companies hostage to a single platform.
GiBSeS — Cloud lock-in is one of the risks we assess first: the Data Act finally gives you concrete tools to get out of it.
Is it true that the costs of leaving the cloud will be eliminated?
Yes. The Data Act provides for a gradual reduction of switching charges and their elimination by 12 January 2027. During the transitional period, providers may only charge reduced costs, tied to the expenses actually incurred for the migration, not punitive penalties. Normal costs for ordinary use of the service, however, remain chargeable.
This removes one of the strongest economic barriers to switching provider, alongside the technical ones.
GiBSeS — Quantifying your real exit cost today — and how it will fall by 2027 — is a calculation that changes negotiations with providers.
What does the Data Act say about system interoperability?
The regulation imposes interoperability requirements to facilitate data exchange and switching between services. Cloud service providers must make open interfaces and sufficient information available so that data can be transferred and reused elsewhere. Specifications for common European data spaces and the possibility of harmonised standards are also provided for.
The goal is that data doesn't stay "trapped" in a proprietary format or platform.
GiBSeS — Designing or choosing systems that are genuinely interoperable, not just declared as such, is an independent technical assessment where we're useful.
If I have to share data, are my trade secrets at risk?
The Data Act seeks a balance: the sharing obligation does not cancel out trade secret protection. As the data holder, you can identify data covered by trade secrets and agree with the user or the third party on adequate measures to preserve confidentiality (agreements, technical measures, terms of use). In exceptional cases, if despite these measures there is a serious and demonstrable risk of harm, sharing can be suspended or refused.
However, you cannot use trade secrets as a generic pretext to deny access altogether: any refusal must be justified and notified.
GiBSeS — Setting up know-how protection measures that actually hold up, without straying into an unlawful refusal, is a delicate point where we work alongside you.
Can the third party I give my data to use it to compete with me?
There are precise limits. The third party who receives data at the user's request may only use it for the purposes and under the conditions agreed with that user, and cannot use it to develop a product that competes with the one the data comes from. Nor can it pass the data on to others without consent.
The data holder, for its part, also cannot use the non-personal data generated by the user to derive insights about the user's economic situation or strategies in a way that damages their commercial position.
GiBSeS — Drafting data-sharing agreements so these prohibitions are genuinely enforceable is part of the contractual work we handle.
Do I have to share data for free, or can I charge for it?
Access for the product's user to their own data is free of charge. When, however, data is made available to a third-party business, the holder can request reasonable, non-discriminatory compensation, based on the costs incurred in making the data available. If the recipient is an SME or a research body, the compensation cannot exceed those costs, with no additional margin.
The financial terms must in any case be fair, transparent and not used as a hidden barrier to access.
GiBSeS — Defining compensation that holds up — neither given away nor exclusionary — is a tailored economic and contractual assessment.
What are the penalties, and who enforces compliance with the Data Act?
The Data Act does not set uniform fine amounts at European level: it leaves it to each Member State to establish penalties, which must be effective, proportionate and dissuasive. Each State designates one or more competent national authorities for supervision; for the part concerning personal data, data protection authorities remain competent (in Italy, the Garante).
The amounts and procedures therefore depend on national implementing rules: for your specific situation, you need to check how the competent State has transposed the regulation.
GiBSeS — Understanding which authority supervises you, and with what penalties, in your country, is a clarification that avoids nasty surprises.
In practical terms, where do I start to get compliant?
A pragmatic path starts with four steps: 1) map the connected products and services you use or offer and the data they generate; 2) establish your role (user, holder, manufacturer, cloud provider) and the obligations or rights that follow from it; 3) review contracts — sales, service, cloud — looking for clauses that are no longer enforceable or exit costs to renegotiate; 4) align your measures on personal data and trade secrets.
There's no need to overhaul everything: what matters is understanding where you're exposed and where, instead, the regulation gives you leverage in your favour.
GiBSeS — This four-step mapping is exactly the initial diagnostic we work through with SMEs.
Do my already-signed B2B contracts need to be redone?
Not necessarily all of them, but they need to be reread. The new protections on unfair terms and data access also affect ongoing relationships, and some clauses may turn out to no longer be binding. For fixed-term or long-term contracts already in place, the regulation provides for transitional periods, but the direction is clear: data-related terms must be brought into line.
Now is the right time for a targeted review of contracts touching on data, cloud and connected services, without waiting for a dispute.
GiBSeS — A contract review focused on the points touched by the Data Act is a quick intervention with a concrete return.
What's the difference between the Data Act, the Data Governance Act and the GDPR?
They're three complementary pieces of the European data strategy. The GDPR protects personal data. The Data Governance Act (Regulation (EU) 2022/868) creates the rules and structures for voluntary, trustworthy data sharing (intermediaries, data altruism, reuse of public-sector data). The Data Act establishes who has the right to access and use data generated by connected products, and regulates cloud switching and contractual terms.
In short: the GDPR says how to protect personal data, the Data Governance Act says how to share it in a trusted way, the Data Act says who can obtain and use it.
GiBSeS — Finding your way among overlapping regulations, without confusion or duplicated work, is part of the value an independent advisor brings.
Why is the Data Act strategically important, not just a compliance matter?
Because it shifts power over data towards whoever generates it. Beyond the legal obligation, for an SME this means being able to reclaim the data from your own equipment, freely choose technology providers and partners, cut cloud lock-in and reduce exit costs. It's the practical foundation of data sovereignty: depending less on a single provider and keeping control of your own information.
Seen this way, compliance becomes an opportunity to redesign your technology choices for the better, not just a box to tick.
GiBSeS — Turning the Data Act from an obligation into an anti-lock-in, independence-building lever is precisely how we approach it with you.
Does the Data Act apply to my company even if I have no registered office or establishment in the European Union?
Yes. The Data Act (Reg. (EU) 2023/2854) follows a market-based criterion, not an establishment-based one: it applies to whoever places connected products on the EU market or provides related services and data processing services to users and customers in the Union, regardless of where they are legally established. Being based in the US, the UK, Switzerland or Asia does not exempt you from the obligations.
In practice, if one of your machines, IoT devices or cloud services ends up in the hands of a European user, you fall within the scope of the regulation and must comply just like an EU company.
GiBSeS — GiBSeS helps non-EU SMEs understand from the outset whether and how the Data Act affects them, before it becomes an obstacle to entering the European market.
What exactly counts as a 'connected product' and a 'related service' if I export to Europe?
A connected product is a good that obtains, generates or collects data about its use or environment and is able to communicate that data via an electronic communications service, a physical connection or on-device access: industrial machinery, vehicles, medical devices, smart appliances, sensors, agricultural equipment and IoT devices in general. Related services are the digital services (apps, platforms, cloud functions) without which the product could not perform one or more of its functions, or which the provider connects to the product.
If you sell hardware that "talks" to your own cloud or app, you almost certainly fall into both categories.
GiBSeS — GiBSeS maps your product and its digital ecosystem to precisely establish which Data Act obligations are triggered on the EU market.
From when do I need to comply with the Data Act to keep selling in Europe?
The Data Act has been in force since 11 January 2024 but applies generally from 12 September 2025. Some provisions have their own timelines: the obligations to design products so that data is accessible "by design" apply to connected products placed on the market after 12 September 2026, while the rules eliminating cloud switching costs come fully into force from 12 January 2027.
If you're planning product launches or updates for the EU market, these dates need to be factored in already at the design stage, not right before the sale.
GiBSeS — GiBSeS builds a roadmap with you aligned to these deadlines, so access to the EU market isn't slowed down by last-minute adjustments.
In concrete terms, what do I need to allow European users of my products to do?
The EU user (who can be a business or a consumer) has the right to access the data they generate by using your connected product or related service, and to share it with third parties of their choice, for example another maintenance or service provider. As the data holder, you must make this data available easily, securely, free of charge for the user and, where technically possible, continuously and in real time.
You can no longer treat the product's usage data as your own exclusive asset: control shifts, in part, towards the European customer.
GiBSeS — GiBSeS helps you redesign data flows and contracts in a compliant way, without giving up more than the rule actually requires.
Do I need to redesign my products to sell them in the EU?
In many cases, yes, at least in part. The Data Act introduces the principle of 'data access by design and by default': connected products and their related services must be designed and manufactured so that the user can access the data generated easily, securely and (where possible) directly. This may require changes to firmware, interfaces, APIs and technical documentation.
The design obligation applies to products placed on the EU market after 12 September 2026, so those designing new versions today have a window to adapt.
GiBSeS — GiBSeS works alongside your technical teams to build data accessibility into the product from the design stage, avoiding costly changes later on.
Do I need a representative or a point of contact in Europe for the Data Act?
The Data Act does not impose a general obligation to designate an EU representative equivalent to the one under Article 27 of the GDPR for all parties. However, you still need to be reachable and manageable from a compliance standpoint on the European market: clear information for the user, channels to respond to data access requests, and the ability to interface with the competent authorities.
Whether you need a dedicated figure or entity of reference in the EU depends on your model (direct sale, through an importer, through a distributor) and must be assessed case by case, also in combination with other EU regulations that do require a representative.
GiBSeS — GiBSeS, as an independent advisor, helps you structure a proportionate compliance presence in Europe, without tying you to a single provider or intermediary.
Who is responsible for compliance: me as the foreign manufacturer, the importer, or the EU distributor?
The Data Act assigns the main obligations to the 'data holder', i.e. the party with the right or obligation to make the data available: typically the manufacturer or provider of the related service that controls the product's data, even if based abroad. European importers and distributors have a role, but they don't automatically relieve you of your design and data-provision responsibilities.
Responsibilities need to be clearly defined in contracts along the supply chain: an unclear agreement risks leaving the obligation (and the risk) with you, the manufacturer.
GiBSeS — GiBSeS analyses your EU distribution chain and helps allocate roles and responsibilities in contracts so that no obligation is left uncovered.
I'm a non-EU cloud provider with European customers: what switching and interoperability obligations do I have?
If you provide data processing services (cloud, edge and similar) to customers in the Union, the Data Act requires you to facilitate switching provider: removing contractual, commercial and technical obstacles, defined timeframes for migration, portability of data and digital assets, and interoperability requirements. Switching costs must be progressively reduced and, from 12 January 2027, can no longer be charged (except for transitional exceptions based on actual costs).
This applies even if your infrastructure is outside the EU, as long as the customer is European.
GiBSeS — GiBSeS supports non-EU providers in adapting contracts, egress and portability architectures to stay competitive and compliant on the European cloud market.
Does the Data Act restrict transferring my European customers' non-personal data outside the EU?
Yes, in part. Chapter VII of the Data Act requires, in particular, data processing service providers to take measures to prevent access to and international transfer of non-personal data held in the EU when this would conflict with EU or Member State law. If a government or authority of a third country requests such data, the provider must comply with precise safeguards before acting on the request.
For a company based, say, in the US or in Asia, this means that "domestic" access requests can come into tension with EU obligations: this is an issue to be managed, not ignored.
GiBSeS — GiBSeS helps set up governance and technical measures that hold up under the double bind between your home country and EU data rules.
How does the Data Act relate to the GDPR when the product's data includes personal data?
The Data Act sits alongside the GDPR, it does not replace it. When the data generated by the connected product includes personal data, the GDPR continues to apply in full: in case of conflict, personal data protection law prevails, and a valid legal basis is needed for every processing and sharing activity. The Data Act adds rights of access and sharing, but does not by itself create a new legal basis for processing personal data.
For anyone selling into the EU, this means having to manage two layers at once: access/portability (Data Act) and lawfulness of processing (GDPR).
GiBSeS — GiBSeS coordinates Data Act and GDPR compliance into a single framework, so the two regulations don't clash in your products and contracts.
What do I actually risk if I'm not compliant: fines, customs blocking my goods?
Penalties for violating the Data Act are set by individual Member States and must be effective, proportionate and dissuasive; where personal data is involved, GDPR penalties may also apply (up to 20 million euros or 4% of annual global turnover). Beyond fines, non-compliance can translate into contractual disputes with EU customers and partners and into commercial difficulties accessing the market.
The main risk for a non-EU company isn't so much an automatic "customs block", but losing customers, tenders and European partnerships because the product no longer meets requirements the market now expects.
GiBSeS — GiBSeS translates these risks into concrete priorities, helping you protect access to the EU market before it becomes a commercial or legal problem.
Where do I actually start to comply with the Data Act and access the EU market?
A sensible path starts with three steps: (1) map your products and services to identify which are "connected" or "related" and what data they generate; (2) identify your role (data holder, cloud service provider, etc.) and the relevant deadlines; (3) check product design, contracts with EU users and partners, and measures on international data transfers.
From there, you define a prioritised compliance plan, focusing effort where market and penalty risk is highest, without overloading the organisation with unnecessary requirements.
GiBSeS — GiBSeS, an independent technology advisor, guides non-EU SMEs through this path step by step, so access to the European market stays fast and isn't tied to a single provider.
This content is informational and does not constitute legal advice.
Let's take stock of your data
You don't need endless legal counsel: just a mapping of your role under the Data Act and a targeted read of your contracts, to see where you're exposed and where, instead, the regulation gives you leverage against lock-in. As an independent advisor, we tell you what really matters for your SME.
Book an initial diagnostic