Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NL·EN
Explainer

Data Act: obligations for manufacturers of connected products (IoT)

Adopted 2026-06-29 · ≈ 2 min read · Dirk Baaijen

Regulation (EU) 2023/2854 imposes concrete design obligations on manufacturers of connected products so that users and third parties can access generated data; the Article 7 exemption applies exclusively to Chapter II (Articles 3–6).

Short answer: The Data Act (Regulation (EU) 2023/2854) requires manufacturers of connected products to design their devices so that users can access generated data free of charge and in machine-readable format. The regulation applies from 12 September 2025; the design obligation for new products (Article 3 §1) applies from 12 September 2026. Micro and small enterprises are exempt from the obligations in Chapter II (Articles 3–6), but not from Chapter III (Articles 8–12).

Scope and definition of connected product

The regulation applies to connected products that collect data on use, performance or environment via their components or operating systems and communicate those data over an electronic communications network, physical connection, or on-device access. Examples include connected cars, medical devices, smart home appliances, industrial machinery and agricultural vehicles. Prototypes fall outside the definition.

Core obligations under Chapter II (Articles 3–6)

Article 3 — Design obligation: Manufacturers must design and manufacture connected products so that product data are, by default, easily, securely and free of charge directly accessible to the user in a structured, commonly used and machine-readable format. Before the contract is concluded, manufacturers must disclose the type of data, estimated volume, and retention period.

Article 4 — User right of access: Where direct access is technically not feasible, the data holder must make the data available immediately and in real time upon user request, free of charge and in machine-readable format.

Article 5 — Onward sharing with third parties: Upon user request, the data holder must transmit the data to a third party of the user's choice. The third party may only use the data for the agreed purpose and must delete it once that purpose has been achieved.

Article 6 sets obligations for the receiving third party: no profiling of natural persons beyond the agreed purpose, no sub-transfer to further third parties without user consent.

Exemption for micro and small enterprises (Article 7)

The obligations of Chapter II (Articles 3–6) do not apply to manufacturers qualifying as micro-enterprises (<10 employees, <€2 million annual turnover) or small enterprises (<50 employees, <€10 million turnover), provided they have no partner or linked enterprises falling outside those thresholds and are not subcontracted by a larger enterprise. Medium-sized enterprises (<250 employees, <€50 million turnover) benefit from a one-year transitional period after market introduction.

Important: Article 7 explicitly limits the exemption to Chapter II. Chapter III (Articles 8–12) — which governs mandatory B2B data sharing under fair, reasonable and non-discriminatory (FRAND) terms — falls outside the Article 7 exemption and applies independently.

Enforcement and penalties

Member States were required to designate competent supervisory authorities by 12 September 2025. The regulation does not prescribe fixed fine amounts; Member States must establish effective, proportionate and dissuasive sanctions. For processing of personal data, data protection authorities have concurrent jurisdiction alongside their GDPR powers.

Sources

  1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R2854
    Official text Regulation (EU) 2023/2854 — EUR-Lex
  2. https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained
    European Commission — Data Act factsheet (application dates, definitions)
  3. https://www.gleisslutz.com/en/data-act-qa
    Gleiss Lutz Q&A — micro/small enterprise thresholds, scope of Art. 7, design deadline

Share on LinkedIn

Read next

U

The Data Act: what compensation may I charge for sharing data (FRAND)?

If the Data Act obliges you to share data, you may charge a reasonable fee based on your costs of making the data available, plus a reasonable margin. For SMEs and non-profits: only the direct costs. Terms must be fair and non-discriminatory (FRAND).

U

Data Act and cloud switching: can I switch cloud providers more easily?

Yes. The Data Act (Regulation (EU) 2023/2854), applicable since 12 September 2025, makes switching between cloud and data-processing services easier through mandatory switching support and a ban on unfair contract terms.

U

What do I risk for non-compliance with the Data Act?

The Data Act applies since 12 Sep 2025. Non-compliance risks civil claims, contract terms that are not binding, and GDPR enforcement where personal data is involved. From 12 Sep 2026 the design obligation applies.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method →

A project or programme? Work with YRproject →

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.