The EU’s new data regulation – also known as the Data Act – will enter into force in the EU on September 12, 2025. The regulation introduces a common set of rules for sharing and accessing data from connected (IoT) products and services in the EU’s internal market. The aim is to promote innovation and competition by ensuring that such data is made available to users and other actors. The regulation has not yet been incorporated into the EEA Agreement, but is considered EEA-relevant and will probably also be incorporated into the EEA Agreement and Norwegian law. In any case, this will be relevant for Norwegian operators offering services within the EU.
The Data Act marks a shift in EU regulation of digital value creation and access to data, and will affect a range of different businesses, including manufacturers and suppliers of IoT devices (e.g., sensors, machines, vehicles), software developers, service providers in cloud services and edge computing, as well as players who use data from such systems.
For many businesses, the regulations entail new obligations, the need for technical and organizational adjustments, and a review of existing contract practices. At the same time, the regulations open up new business opportunities for players who can build services based on the data that must be shared.
Main content of the Data Act
What data is covered?
A key element of the regulation is that users of connected products or related services are entitled to receive data generated during use, such as data collected automatically through sensors and systems in the products. Only “available” raw data and metadata are covered by the regulation. Finished analyses, aggregated models, and data containing trade secrets or intellectual property are therefore exempt. Companies must therefore map and clearly distinguish between data covered by the sharing obligation, data that is exempt, and information that may need to be anonymized or protected.
Right of access and transfer
Data shall be made available free of charge to the user, in a structured and machine-readable format, preferably via digital interfaces (APIs).
The user also has the right to instruct that the data be transferred directly to a third party of their choice. The data controller (the manufacturer or service provider) is then obliged to facilitate this. However, the data may not be used to copy products, build competing devices, or attempt to derive business-critical information about the manufacturer.
There are also certain restrictions on which actors can request data to be transferred to them: Large platform companies covered by the Digital Markets Act (so-called “gatekeepers”), typically Google, Microsoft, Amazon, Apple, etc., cannot be recipients under this scheme.
Switching cloud services
Companies that use cloud services will have new rights to move their data and digital resources to other service providers without unnecessary delays, data loss, or extra costs. From January 2027, standard fees for data transfer (known as “exit fees”) will also be prohibited.
Cloud providers must ensure technical interoperability, use common formats, and make the necessary export tools available to facilitate this. Clear information must also be provided about the conditions for service migration.
Prohibition of unfair terms
The Data Act prohibits unfair contract terms in situations where there is an imbalance between the parties, particularly to the detriment of small and medium-sized enterprises. The obligation to share data must be on fair, reasonable, and non-discriminatory terms, commonly abbreviated as FRAND (Fair, Reasonable, and Non-Discriminatory). It must be assumed that the threshold for what will be permitted in this context will not necessarily coincide with what is permitted under Section 36 of the Contracts Act. The European Commission will publish model clauses as guidance in 2025. This may also have implications for existing standard agreements and license terms, particularly where one party has exclusive rights to data that other players depend on in order to provide their services.
Relationship to other legislation
Interaction with GDPR
Where the data includes personal data, the General Data Protection Regulation (GDPR) applies in parallel. This means that a basis for processing (typically consent or contract) must be in place, and that the principles of data minimization, purpose limitation, and information security must be observed. For some actors, this will require a review of how consent is obtained and documented, and the development of solutions to enable users to easily withdraw consent or terminate data sharing.
Protection of trade secrets
Businesses may refuse to share information if there is a significant risk that sharing will result in substantial financial damage or exposure of trade secrets. Such an exception must be specifically justified and documented. It is also possible to impose confidentiality and security requirements, such as non-disclosure agreements and technical access controls.
What should businesses do now?
Although the regulation will not take effect until September 2025, and has not yet been incorporated into the EEA Agreement, affected businesses should start working on this now. Businesses that offer IoT products, cloud services, or data-driven business models must familiarize themselves with how the regulation affects their own role and contractual relationships—and what measures should be implemented.
Current measures include:
- Mapping of what data is generated, who has access to it, and which datasets are subject to the sharing obligation.
- Assessment of whether existing product designs, data flows, and user interfaces are in line with the requirements set out in the regulation.
- Review of contracts with suppliers, customers, and third parties, with a view to ensuring FRAND terms.
- Review of procedures for processing personal data, including consent and duty to provide information.
- Protection of intellectual property rights and trade secrets through clear documentation and access restrictions.
Our lawyers have in-depth knowledge of this and other topics related to the digital economy.
