The Data Act (Regulation (EU) 2023/2854) applies across the EU as from 12 September 2025. It reshapes access to and use of data generated by connected products and related services, as well as the design by default of those products and services; introduces pre-contractual information obligations; tightens contract fairness rules (B2B); and sets essential requirements for smart contracts.
1. Scope
The Data Act applies to both personal and non-personal data. It establishes harmonised rules on:
- access to and sharing of connected products data and related services data with users of the connected products or related services;
- making data available to third parties, i.e. data recipients and, exceptionally, to public bodies;
- facilitating switching between data processing services and interoperability standards for data to be accessed, transferred and used; and
- safeguards against unlawful third-party access to non-personal data.
The Regulation applies (among others) to the following actors:
- manufacturers of connected products: any manufacturer placing connected products on the EU market (e.g. manufacturers of smart fridges, of wearable fitness trackers, of connected robots, etc.);
- providers of related services: any provider of digital services linked to a product such that, without them, the product could not perform one or more functions (e.g. providers of apps for smart home devices);
- users: any natural or legal person who owns, rents or leases a connected product or receives a related service (e.g. users of smart fridges);
- data holders: any natural or legal person that has a right or obligation to use and make data available (e.g. manufacturers of smart fridges, IoT providers); and,
- data recipients: any natural or legal person, acting for professional purposes, other than the user, to whom a data holder makes data available, including a third party following a request by the user or in accordance with a legal obligation (e.g. service providers for repair or maintenance).
2. Design of the Connected Product or Related Service
Connected products must be designed and manufactured, and related services designed and provided, so that product and service data (plus necessary metadata) are by default accessible to the user easily, securely, free of charge, in a structured, commonly used, machine-readable format and, where relevant and technically feasible, directly and in real time (see Article 3.1).
This design obligation will apply only to connected products and related services placed on the market as from 12 September 2026.
3. Pre-Contractual Obligations
Before entering into a contract with a user, connected products’ sellers and service providers must clearly inform the user about the types of data generated by the product or service, how users can access or retrieve their data, and any intended use or sharing of that data.
4. B2B Fairness
In B2B relationships, any unfair term unilaterally imposed is not binding. To help, the Data Act provides “black” and “grey” lists of unfair terms.
These rules apply from 12 September 2025 to contracts concluded after that date. The rules will apply from 12 September 2027 to contracts concluded on or before 12 September 2025 provided that they are of undetermined duration or that they are due to expire at least 10 years after 11 January 2024.
5. Smart Contracts for Data Sharing
Where smart contracts are used to execute data-sharing agreements, vendors must ensure compliance with essential requirements, i.e. robustness and access control; safe termination or interruption; archiving and continuity; and consistency with the underlying data-sharing agreement.
Vendors of smart contract solutions must conduct a conformity assessment and issue an EU declaration of conformity.
6. Belgian Competent Authorities
In Belgium, according to the 2025-2029 federal coalition agreement, the Belgian Institute for Postal Services and Telecommunications will be entrusted with the supervision and coordination powers foreseen by the Data Act and will assume the role of data coordinator.
On top of such supervision, data protection authorities are responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned.
Conclusion
The EU Data Act marks a significant shift in the legal landscape for data generated by connected products and related services. Its requirements on transparency, user rights, contract fairness, and technical design will require most businesses in the sector to review and adapt their practices (e.g. to ensure seamless data transfers to third parties), their contracts (e.g. to ensure there is no unfair clause in their B2B contracts, to add clear terms on data sharing), and their product development processes (e.g. by redesigning back-end systems and user interfaces). However, for micro and small enterprises, the Data Act contains some lighter rules.
For tailored advice on how the Data Act may affect your business, or for a review of your contracts and compliance framework, please contact the authors: Joan Carette, Eric De Gryse, Maïka Bernaerts or Ségolène Nève.
***
This newsletter is not legal advice or a legal opinion. You should seek advice from a legal counsel of your choice before acting upon any of the information in this newsletter.
