The Data Act creates new and complex regulatory requirements. However, it also brings potential for the monetization and commercialization of data, which can be used to refine existing or create new business models.
A key pillar of the European Data Strategy is Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023, which entered into force on 11 January 2024 (hereinafter referred to as the “Data Act”). Its provisions will become directly applicable across the EU in a phased approach, starting on 12 September 2025 and continuing from 12 September 2026.
By 2025, global data volumes are expected to reach 175 zettabytes – equivalent to 175 billion gigabytes. Estimates project that the value of the data economy could rise to as much as EUR 11 trillion by 2030. Through its data strategy, the European Commission seeks to create a single market for data, fostering Europe’s global competitiveness and digital sovereignty. At the same time, the framework aims to enable opportunities for data monetization.
A significant portion of the data concerned is generated by digital products and services, which is precisely where the Data Act’s regulatory scope applies.
Who is affected by the Data Act?
The Data Act covers all data generated through the use of a “connected product” or a “related service”. Such connected products are often referred to as “Internet of Things” (IoT). In essence, it addresses data that arises from the use of a product and would not exist without that use.
After extensive debate, the EU legislator decided to draw a (more or less clear) distinction between two categories of data. On one hand, the Act defines a broad set of “in scope” data – particularly including metadata and data from interactions with virtual assistants. On the other hand, it explicitly excludes “derived data” (“out of scope”).
In Scope: Covered are so-called “primary data”, i.e., raw data that is actually generated through the use of a product or service. This also includes data resulting from interactions with virtual assistants.
Metadata is likewise relevant. Metadata are structured descriptions of the content or use of primary data, aimed at improving the findability or usability of the data (e.g. author, creation date, file size, format, access rights, licensing terms, encoding, data source, modification history, etc.).
Out of Scope: In contrast, derived data or information is not covered. Such data or information is not generated by the mere use of the connected product or service but requires further analysis, processing (especially by means of proprietary algorithms) or transformation of the primary data and typically has a more extensive informative value than primary data (e.g. statistical data, aggregated data, forecasts, reports). In some cases, this is also referred to as “refined data”.
Data protection law remains unaffected (cf. Recitals 20 and 34 of the Data Act). The provisions of the GDPR and other data protection regulations continue to apply in parallel. Consequently, where personal data is involved, all Data Act obligations must be implemented in full compliance with data protection law.
In practice, datasets often include both personal and non-personal data (“mixed-datasets”) and are thus subject to the Data Act as a whole. The key challenge lies in fulfilling data access requests under the Data Act while also observing the applicable data protection requirements – to avoid exposure to fines under both frameworks.
The key innovation – or “revolution” – of the Data Act lies in its contractual approach: any use of data by the data holder or third-party recipients requires a contract with the user. In this “contractualization of data law”, the agreement with the user becomes the central legal anchor point.
Accordingly, the necessary measures must be tailored from the perspective of the main stakeholders involved.
In the simplest case, the conditions of the data flow are regulated by two parties: the user and the data holder. More frequently, a third party, the data recipient, is added to these two parties. Finally, multi-layered constellations involving data holders, several users (e.g. in cases of multiple user accounts), and data recipients and other entities (e.g. data aggregators, including those under the Data Governance Act) are also relevant. Overall, the technical and legal requirements result in a wide range of design options.
Each stakeholder group faces distinct questions and considerations when preparing for the Data Act. Below is a summary of the key obligations and opportunities.
Designing the contract is a key element in implementing the Data Act’s requirements. Before the Data Act comes into force, potential data holders should consider the conditions, modalities, and purposes of data provision and use.
The Data Act contains a large number of requirements and restrictions in terms of contract design. For instance, data holders must provide data to data recipients (B2B) under “fair, reasonable, and non-discriminatory conditions” (FRAND) and in a transparent manner. A margin is permitted under Art. 9 of the Data Act. Furthermore, contractual provisions are subject to (split²) general terms and conditions control in accordance with Art. 13 Data Act. Additionally, requirements for the protection of trade secrets may be included. One component of this is providing various contract templates according to a predefined scheme. It is advantageous to embed them in a contract management system (CMS). However, it should be noted that the Data Act’s requirements and restrictions only apply directly to contracts for “in scope” data, not “out of scope” data.
The Commission has already published the initial drafts of the model contract clauses (Article 41 of the Data Act). These should be taken into account when drafting and implementing the Data Act requirements, even though the Commission's models will not be finalized until September 12, 2025.
The Data Act has the potential to permanently transform the data economy. Non-compliance with the Data Act can result in fines of up to 20 million euros or four percent of a company's total revenue, which lends weight to the Data Act. Therefore, companies should familiarize themselves early on with the requirements that apply to them, as well as the potential opportunities, and prepare for the gradual implementation.
We are happy to support you throughout your entire EU Data Act journey, from compliance and pricing and monetisation strategies to service delivery and the fulfilment of data sharing requests. We draw on proven accelerators such as our EU Data Act Compliance Framework (for maturity assessments and action planning) and a broad network of regulatory, technical and strategic experts.
Please do not hesitate to contact us.
________________
1 There are exceptions to these obligations for micro and small enterprises (see Art. 7 Data Act). Microenterprises are companies with fewer than 10 employees and an annual turnover or balance sheet total of no more than EUR 2 million. Small enterprises are companies with fewer than 50 employees and an annual turnover or balance sheet total of no more than EUR 10 million. See Commission Recommendation 2003/361/EC.
2 The GTC control pursuant to Art. 13 of the Data Act is limited to the Data Act provisions. Thus, the national GTC control applies to non-regulated areas as well (split GTC control).