- Barbora Hanáková
Do you develop or provide smart devices, data-generating products, or cloud services? If so, you should be aware that as of 12 September 2025, Regulation 2023/2854 – better known as the EU Data Act – applies across the entire European Union. It changes the rules governing access to data, data sharing, and the practical use of data.
What is the Data Act and who does it apply to?
The Data Act is a European regulationthat establishes rules for accessing data generated through the use of digital and smart products. Typically, this includes data from connected devices, machines, vehicles, or software platforms – essentially anywhere a device collects and automatically transmits data as part of normal operation.
The regulation applies to manufacturers of smart devices, providers of digital services, and companies that further process such data – for example, by analyzing it, using it for maintenance, operational optimization, or developing related services. It also affects companies that do not develop smart devices themselves but actively use them.
At the same time, the Data Act significantly strengthens the rights of users of connected devices, particularly IoT products. Users now gain:
- the right to access the data generated by their devices, and
- greater control over whether and with whom that data is shared – for example, service partners, software vendors, or application developers.
For companies, this means clearly understanding what data their products generate, who owns that data, and how access will be granted. Data is no longer purely a technical matter – it becomes a strategic business decision.
The main obligation for companies? Clear rules for data sharing
For device manufacturers and digital service providers, the Data Act introduces specific obligations related to how data is made accessible and shared. Companies must provide access to data in a commonly used, structured, and machine-readable format so that authorized parties can actually work with it – not merely view it. Data must also be shared under fair, reasonable, and non-discriminatory conditions, without favoring selected partners or the provider’s own services.
In practice, this is not only about technical settings or interfaces. The Data Act also affects contractual relationships, terms and conditions, and internal processes. Companies must therefore align technology, legal frameworks, and everyday data handling practices.
Key obligations under the Data Act:
- Make data available in a commonly used, structured, and machine-readable format.
- Share data under fair, reasonable, and non-discriminatory conditions.
- Use data only for the purpose for which it was made available.
Protection of sensitive information and trade secrets
The Data Act recognizes that not all data can be shared without risk. If disclosure could cause significant economic harm or jeopardize trade secrets, the regulation allows companies to refuse to share such data.
However, this is not a blanket exemption. The decision must be properly justified, documented, and in some cases reported to the competent authority. The goal is not to block access to data broadly, but to establish a controlled mechanism that protects legitimate business interests while maintaining transparency and fairness.
The end of vendor lock-in: greater freedom in the Cloud
A significant part of the Data Act addresses cloud services. Its aim is to reduce vendor lock-in – situations where customers are effectively “trapped” with a provider because switching is technically or contractually too complex.
In practice, switching between cloud providers should become easier from both technical and contractual perspectives. Data migration must be feasible within a short timeframe – no longer than 30 days – and from 2027 onward, providers will no longer be allowed to charge fees solely for switching providers.
For cloud service providers, this means preparing for easier data portability and interoperability with other platforms. For customers, it represents a shift toward greater flexibility and a stronger negotiating position.
Access by public authorities in crisis situations
The regulation also addresses circumstances in which public authorities may request access to specific data in exceptional situations. This typically involves crisis scenarios such as natural disasters, major infrastructure outages, or public health emergencies, where data may play a crucial role in resolving specific problems.
Such sharing does not mean a general opening of company data. The rules require that access be limited to a specific purpose, time-bound, and proportionate to the situation. Only strictly necessary data may be provided. For companies, this means having a clear internal process in place: who decides what data can be provided, to what extent, and under what conditions.
What should you do if the Data Act applies to you?
1. Map your data and access rights
2. Review contracts and Terms & Conditions
Verify whether contractual provisions governing data use and sharing comply with the Data Act. Conditions must be fair, reasonable, and free of hidden restrictions that could be problematic.
3. Prepare for cloud provider switching
If you provide cloud services, you must enable customers to switch providers within clearly defined and short timeframes. This requires not only technical data transfer capabilities but also contractual and procedural readiness.
4. Set clear limits on data usage
Use data only for the purposes for which it was made available. Establish internal control mechanisms to prevent unauthorized use. When dealing with personal or sensitive data, ensure alignment with GDPR requirements.
5. Define responsibilities and assess risks
Determine who within your organization is responsible for compliance with the Data Act – both legally and technically. Review data flows and identify areas where risks, ambiguities, or responsibility conflicts may arise.
Does the Data Act apply to companies outside the EU? And what about the Czech Republic?
The Data Act may also apply to companies established outside the European Union, particularly if they supply connected devices or provide data services to customers in the EU market. This typically includes manufacturers of smart appliances, sensors, machinery, or service providers handling data generated through product use. What matters is not the company’s location, but whether its products or services target EU customers.
From the perspective of the Czech Republic, the Data Act already applies – just like in all other member states. As a regulation, it is directly applicable. Therefore, its core obligations apply regardless of whether the national supervisory framework and sanctions (such as the designation of a supervisory authority or determination of fines) have been fully established. The rules themselves are already binding.
Key takeaways
The most important point is that the Data Act is not merely another European regulation to be “somehow in compliance with.” For companies that prepare in time, it can serve as an opportunity to better understand how they handle data, who they grant access to, and under what conditions. It can also strengthen trust among customers and business partners.
Underestimating these changes carries not only regulatory risks but also long-term risks related to loss of oversight, trust, and competitiveness in an environment where data plays an increasingly central role.
