Skip to main content
Share via Share via Share via Copy link
Smart data regulation: Part 1 of 2

The EU Data Act on manufacturing, industrial and automotive sectors

16 July 2026
Philip James

This article is part one of a two-part series addressing current topics in smart (or open) data. Part two covers the impact of the DUAA on the UK's industrial sectors.

The EU Data Act (Regulation (EU) 2023/2854) (Act) came into force on 11 January 2024 and took effect from 12 September 2025. The Act represents a significant overhaul of European data law and is primarily aimed at opening up data, whether or not personal, subject to limited derogations. 

The implications of the Act are substantial, both for those who wish to leverage the new rights to access data, and for those who hold relevant data within scope of the Act. 

The Act seeks to unlock the economic and social value of data generated through the use of connected products and related services.

Who is within scope of the Act?

The Act targets a wide range of businesses operating in the EU, including manufacturers, importers and distributors of connected products, as well as providers of related services. 

Under Article 2(5) of the Act, a “connected product” is defined as any item that: 

  • Collects or generates data concerning its use or environment. 
  • Is capable of communicating that data. 
  • Whose primary function is not the storage, processing or transmission of data on behalf of a party other than the user. 

The Act has extra-territorial effect. It is therefore equally relevant to manufacturers, importers and service providers outside the EU (e.g. in the UK, US or Japan) that place connected products on the EU market. It is important therefore to conduct an initial assessment to identify the extent to which connected products (or related products) fall within the scope of the Act (for instance, either because the relevant products have been placed on the EU market or the data collected relates to users of connected products in the EU).

What does the Act require?

The Act grants users (both consumers and businesses) of connected products (as well as related services for those products) extensive rights to require data holders to provide access to, and share, data with third parties (known as ‘data recipients’). 

There are exemptions for trade secrets; however the legislation is weighted in favour of disclosure, and data holders should develop a robust internal data classification protocol to identify which data may properly be exempted from disclosure. 

In certain limited circumstances and subject to specific criteria, fair compensation is payable to data holders for allowing access.

The Act imposes several significant obligations on data holders, namely that:

  • Data holders are required to share raw operational data with users, upon request (free of charge where consumers are concerned or in return for reasonable compensation in a B2B context, securely, in a timely manner and in a useable format).
  • Connected products sold after 12 September 2026 must be designed to provide users with easy, secure, and direct access to relevant data. 

The Act applies to data, whether or not personal (and therefore applies beyond the more limited personal data boundaries regulated by the General Data Protection Regulation (GDPR). However, where personal data is involved, the GDPR will continue to apply.

Where users wish to share their data with third parties (i.e. ‘data recipients’), data holders must facilitate that sharing on a fair, reasonable and non-discriminatory (FRAND) basis. However, data recipients under the Act are prohibited from using the data to develop a competing connected product, preserving the commercial incentives of manufacturers. Notably, there is no express provision prohibiting the development of a competing service. 

Why this matters for manufacturing, industrial and automotive businesses

Industrial machinery operators will be entitled to demand their operational data back from manufacturers, giving them far greater control over the data generated by their own equipment. 

In the automotive sector, connected vehicle data (including speed, fuel consumption, braking and tyre pressure) must be made available, where data falls within the scope of the Act (and no applicable derogations or exemptions apply). 

For example, fleet operators may be able to redirect their telematics data to a third party of their choosing. 

The same principle applies in agriculture. Farmers will be able to take their tractor sensor data to any mechanic or platform they choose, rather than having to rely on the manufacturer.

The key carve-out: Raw data only, not enhanced data

It is important to bear in mind that data holders are only required to share raw or minimally processed data. Derived insights, analytics and algorithmic outputs fall outside the scope of the sharing obligation and do not need to be disclosed. 

Penalties

Penalties under the Act are governed at a national level. The Act does not prescribe an EU-wide maximum penalty cap. Instead, member states have discretion to set penalty levels, subject to the requirement that sanctions must be effective, proportionate and dissuasive. This means that penalty levels currently vary significantly across member states which is a key risk for businesses operating across multiple EU jurisdictions.

However, where Article 40(4) applies (i.e. the infringement concerns obligations in Chapters II, III and V of the Act and falls within the competence of a GDPR supervisory authority), supervisory authorities may impose GDPR-level fines of up to €20 million or 4% of worldwide annual turnover of the undertaking of the preceding financial year, whichever is higher. Bearing in mind, an “undertaking” is often interpreted as the entire economic group, not just the specific legal entity that committed the infringement. This means regulators may look at the consolidated global revenue of the parent company and its subsidiaries rather than the revenue of a single local subsidiary.

Key dates to be aware of

While the majority of the Act came into force on 12 September 2025, some phases continue to roll out, namely: 

  • From 12 September 2026, the data accessibility by design requirements, which require manufacturers to build data-sharing capability into connected products, will apply to products placed on the market.
  • From 12 January 2027, providers of data processing services will be prohibited from imposing switching charges on customers, and businesses and individuals will have the right to transfer their data to a new provider within 30 days. 
  • By the end of 2027, the Act’s rules on unfair contractual terms will extend to existing B2B contracts that predate 12 September 2025.

Six steps to take now

  1. Review your contracts: Review existing contracts and data-sharing arrangements with third parties to ensure that users’ rights under the Act are properly reflected. 
  2. Build and update technical interfaces: Ensure that any technical interfaces are built and updated where necessary to facilitate data access and establish clear access policies. 
  3. Map your data: Review all data within the business to identify the different types and ensure the relevant policies and agreements are in place. 
  4. Conduct audit reviews: Examine your data assets to identify which datasets may qualify as trade secrets and ensure robust confidentiality agreements are in place where disclosure is required. 
  5. Develop a data request process: Proactively develop a process to receive and respond to requests for data, including how to manage AI-driven requests. 
  6. Consider your user rights: Consider where, as a user, you may be able to leverage the data rights to gain access to commercial data that was not previously available to you.

If you haven’t yet had an opportunity to carry out an assessment of its implications, you should do so now. This is because the Act may well influence your commercial data strategy and how an organisation protects and controls access to its data assets. It will have implications for contracts and procurement, the protection of trade secrets, and general compliance.

In part two, we look at smart data in the UK context, specifically what manufacturing, industrial and automotive businesses need to know about the new Data (Use and Access) Act 2025, which is now in force.

For more information on the EU Data Act, smart data compliance regarding your commercial data strategy, please contact Philip James, Jeanne Kelly or Raymond Sherry.

Author

Author

Philip James

Partner

philip.james@brownejacobson.com

+44 (0)330 045 1022

View profile Connect on LinkedIn
Can we help you? Contact Philip

Co-authors

You may be interested in...