Share this article:

EU Data Act: A game changer for IoT?

By William Dearn, Associate and Caroline Day, Partner

Businesses dealing with internet of things (IoT) devices will face new obligations under the EU Data Act to ensure users can access and share their data freely and fairly. This article breaks down the key provisions of the Data Act, its impact on businesses, and why early compliance is crucial. Read on to understand how to align your strategies with this new EU regulation.

Get in touch

William Dearn | | Connect on LinkedIn

Caroline Day | | Connect on LinkedIn

Let’s start with an uncontroversial statement: We are in the Data Age. The value of data to manufacturers, governments, AI development and elsewhere cannot be understated. With the increasing prevalence of the internet of things (IoT), there is an abundance of data being collected – but how do we ensure fair use is made of this data, and not only by a select few entities who rule the data markets?

That’s where the EU Data Act comes in. This law, with provisions that will largely begin to bite in September 2025, is part of the European data strategy aiming to regulate and encourage data sharing. It aims to foster a competitive data market by making data more accessible and usable while regulating who can use what data and under which conditions.

The Data Act is not to be confused with the General Data Protection Regulation (GDPR), but there are some parallels. Like GDPR, the Data Act will impact not just businesses within the EU, but also covers anyone who wants to provide IoT devices (or ‘connected products’ as the Act describes them) to EU citizens or residents. Like GDPR, it will bring in a new set of rules and obligations. While GDPR-level fines are not included, it leaves the door open to member states to set sanctions for non-compliance.

While we’re not confusing acts, the EU Data Act is also not the EU Data Governance Act. Where the Data Governance Act regulates structures that facilitate voluntary data sharing, the Data Act defines requirements for entities to make data accessible to other parties.

What do businesses in the context of IoT need to do?

Let’s say you make toasters[1] which, for some reason, are connected to the Internet. You want to sell these toasters into the European market. Congratulations: under the Data Act, you (and any developer of the inevitable toaster app) are now a data holder and will become subject to a bunch of obligations.

First and foremost, you are required to allow users – whether owners or renters of the toaster (hereinafter not referred to as crumpet eaters) – to access the data they generate through use of the toaster/toaster app, and to share this data with third parties if requested to do so by the user. This second part can allow a user to change allegiance to a new toaster with minimal loss of toasting excellence – surely a basic human right. That said, there are some limitations on what can be done with this data: for example, it cannot be used to develop a competing product, and you’ll be relieved to hear you don’t have to share it with everyone, e.g. you don’t have to share with third parties based outside the EU.

Among other provisions, in order to give users access to data, the Data Act requires data holders to:

  • inform users about the type of data that they will generate when using the connected product or related service,
  • enable users to request access to the data through a simple process, and
  • make the data available to users for free.

What data?

The Data Act regulates the sharing of all raw and pre-processed data – including meta data-generated from the use of a connected product or a related service that is readily available to the data holder (e.g. manufacturer of a connected product/provider of a related service.

Take home message

If your business relates – directly or tangentially – to IoT devices in the EU, you should be thinking now about meeting the requirements of the Data Act. This could impact how you hold data in order to be able to fulfil requests under the Act, and how contracts are drafted.

We would encourage businesses to recall the early days of GDPR: for many businesses, this was a tricky transition but most now incorporate it seamlessly into day to day activities. Getting to grips with these concepts now will smooth what could otherwise be a difficult adjustment.

Please feel free to get in touch if you want to learn more about how this could impact your business in the future.

[1] At this point, we acknowledge that toasters, along with electric kettles, are a singular obsession of the British. While we struggle to imagine life without them, we further acknowledge that their status in other countries is somewhat lesser. Should that be the case for you, please do feel free to imagine you make IoT fridges, or washing machines, or cars – all of which are excellent examples of connected devices, but none of which make hot cross buns delicious.

This is for general information only and does not constitute legal advice. Should you require advice on this or any other topic then please contact or your usual HLK advisor.

HLK bubble graphic HLK bubble graphic

Stay connected with HLK

Keep up-to-date with the latest IP insights and updates as well as upcoming webinars and seminars via HLK’s social media.