Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules for access to and use of data (hereinafter referred to as the Data Act) is a fundamental regulatory instrument within the EU's digital policy, aiming to establish transparent and fair rules for the functioning of the data market. The act entered into force on 11 January 2024 and began to apply on 12 September 2025. As part of a broader European Union legislative strategy, the Data Act complements existing regulations, such as the General Data Protection Regulation (GDPR) and the Data Governance Act, and aims to build a European data space based on the principles of balance, interoperability, and sustainable technological development.
The main goal of the regulation is to provide users—both consumers and businesses—with real control over the data generated by digital devices and related services, particularly in the context of the Internet of Things (IoT). Users of these devices gain the right to access the data generated through their use directly, free of charge, and in a format that allows for further use and reprocessing. This requires manufacturers and service providers to design devices to ensure data accessibility from the creation stage (the "design for access" principle) and to provide transparent information about the scope, nature, and method of data processing.
The Data Act also introduces a number of mechanisms aimed at counteracting the concentration of data resources in the hands of dominant market players and promoting a level playing field. Facilitating access to data by third parties – particularly small and medium-sized enterprises and start-ups – is intended to stimulate innovation and increase the competitiveness of the EU's digital economy. In this context, particular attention has been paid to combating unfair contract terms, which until now have often been imposed by the more powerful parties in economic relations. The regulation prohibits the use of asymmetric contractual clauses regarding data sharing and requires that all contractual obligations be formulated in a transparent and proportionate manner.
The regulation also provides for the possibility of accessing data by public sector bodies in situations of exceptional need, such as natural disasters, public health threats, or other emergencies. This mechanism is based on the principle of proportionality and its application is limited to strictly defined cases in which data held by private entities may be crucial to the performance of public tasks. At the same time, the regulation introduces appropriate safeguards to protect the rights and interests of data owners.
Another important area of regulation is the data processing services market, particularly cloud services. The Data Act establishes measures aimed at ensuring greater transparency, interoperability, and competition in this market, counteracting practices that lead to vendor lock-in. Facilitating the switching of service providers and the transfer of data between different platforms is intended to support data mobility and strengthen user digital security.
The regulation imposes specific obligations on manufacturers, who will be required to consider data access aspects during the product design and implementation phase. Data processing service providers will be required to adapt their contractual terms to the requirements of the Data Act. Users, on the other hand, will gain not only formal rights but also tangible instruments to enforce rights related to their data.
From a legal liability perspective, it is important to note that failure to comply with the obligations arising from the regulation may result in the imposition of administrative sanctions, including financial penalties. In cases where the processing of data regulated by the Data Act also involves personal data, the provisions of the GDPR will apply in parallel, requiring data processors to exercise particular caution in terms of regulatory compliance.
The Data Act is a groundbreaking piece of legislation that redefines the rules for access, use, and control of data in the European Union. By striking a balance between economic interests and user rights, this regulation strengthens the foundations of European digital sovereignty, and its practical implications for the development of a modern digital economy will be further explored in the coming years.
This article is for informational purposes only and does not constitute legal advice.
The law is current as of October 7, 2025.
Author:
Series editor:
