The EU Data Act: What must connected-product makers and IoT services let users access?
The EU Data Act gives users of connected products and related services the right to access and share product/usage data—easily, securely, and free of charge. From September 12, 2026, products/services must be designed for access. Before sale, you must explain what data is generated, how often, how users access/erase it, and basic retention. On request, you must provide data in a common, machine-readable format and send it to a third party if the user asks. Guardrails protect trade secrets, ban DMA gatekeepers as recipients in this route, and carve out micro/small business exemptions.
Who this affects
Makers of connected products, providers of related services, and any data holders controlling product/usage data—EU and non-EU firms selling into the EU.
Key obligations
Design for access (from September 12, 2026): Build products/services so users can get their data easily, securely, and at no charge.
Pre-sale transparency: Tell buyers what data is generated, whether it is generated in real time or continuously, how to access or erase it, and retention basics.
User access & sharing: Provide data for free, in common machine-readable formats; send directly to a third party on user request.
Protections & limits
Trade secrets: Protect with NDAs/technical controls; you may refuse a specific disclosure if you can show a high risk of serious economic harm.
Gatekeepers: DMA-designated gatekeepers cannot be recipients via the user-request route.
Database rights: You cannot use sui generis database rights to block access.
Micro/Small businesses: Exempt from certain Chapter II obligations (conditions apply).
B2B & public sector scenarios
B2B sharing: Terms must be FRAND (fair, reasonable, and non-discriminatory); certain unfair terms (e.g., excluding liability for gross negligence) are prohibited.
Public sector (“exceptional need”): Requests are allowed (e.g., in emergencies), subject to rules on scope and compensation; non-personal data is preferred.
Compliance checklist (fast start)
Map product/usage data per device/service; mark personal vs non-personal.
Draft pre-sale disclosures (data generated, frequency, access/erasure, retention).
Build an export pathway (self-serve if possible) in common machine-readable formats.
Set a third-party transfer flow at the user’s request; log transfers.
Add a trade-secret review (redaction/NDAs, refusal criteria).
Review contracts for FRAND and unfair-terms bans.
Create a public-sector request SOP (who approves, what’s compensable).
Definitions
Connected product: Device that generates data, often with an app/service.
Data holder: Entity that controls product or usage data.
FRAND: Fair, reasonable, non-discriminatory terms for B2B sharing.