What do I risk for non-compliance with the Data Act?

Short answer: The Data Act has applied since 12 September 2025. If you do not follow the rules on access to and sharing of data from connected products, you risk civil claims, contract terms that turn out not to be binding, and GDPR enforcement where personal data is involved.

What the Data Act requires of you

Regulation (EU) 2023/2854 (the Data Act) governs access to and the sharing of data generated by connected products and related services. In transport and logistics this covers, for example, telematics, sensor data and data from vehicles, trailers and equipment. The user, meaning the owner, renter or lessee of the product, is entitled to access that data and may have it shared with third parties.

Data sharing must take place on FRAND terms: fair, reasonable and non-discriminatory. The Regulation also prohibits unfair contract terms imposed unilaterally, and makes switching between cloud services easier.

What you risk for non-compliance

Enforcement of the Data Act rests with the Member States, which designate competent authorities. Anyone who refuses to make data accessible or to share it may face enforcement of that obligation and civil claims from affected parties. Unfair or prohibited contract terms are not binding: you cannot rely on them, even if they appear in your agreement.

If the shared data contains personal data, the GDPR applies alongside the Data Act. A breach can then also trigger supervision and penalties under the privacy rules.

What is still coming

From 12 September 2026 a design obligation applies: new connected products and related services must be designed so that data is accessible to the user by default, easily and securely. If you are purchasing or developing now, it is wise to build in this requirement already to avoid later changes.

Read the main file: Data Act for transport & logistics. Or take the Transport & Logistics scan.