Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023, which lays down harmonized rules on fair access to and use of data, and amends Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (the “Data Act”) was published in the Official Journal of the European Union on 22 December 2023 and entered into force on 11 January 2024.
Most of the provisions of the Data Act came into force on 12 September 2025.
Generally
The Data Act fundamentally changes the way entities, whether public institutions, companies, or individuals, handle data. It is another very significant EU data regulation, comparable, for example, to the GDPR[1].
The Data Act also significantly affects other areas of digital regulation, in particular the Data Governance Act (“DGA”)[2], rules for online content, and other key EU regulations such as the Digital Services Act (“DSA”)[3], the Digital Markets Act (“DMA”)[4] and regulations in the field of artificial intelligence (especially the much-discussed AI Act[5]). The Data Act is a key element of the EU’s digital space and data strategy.
The Data Act has a significant impact on a wide range of entities, with the primary aim of promoting innovation by increasing the availability and reusability of data on the performance, use, and environment of smart products and services.
What is the purpose of the Data Act?
The Data Act is specifically designed to empower users, both consumers and businesses, and give them greater control over the data generated when using their connected devices, such as cars, smart TVs, or other industrial equipment.
Unlike the GDPR, which only protects individuals’ personal data, the Data Act focuses on data in general, including non-personal and industrial data, and seeks to make it accessible, interoperable, and fairly shared across the market.
The Data Act primarily deals with data generated by IoT devices (“Internet of Things”).
IoT encompasses a wide range of connected products, from smart appliances, cars, smart TVs, and wearable electronics to industrial machines and sensors in agriculture. These devices constantly collect and transmit data about their operation, usage, and surrounding environment. One of the main objectives of the Data Act is therefore to ensure that this data is available to its users and can be shared and reused fairly and securely.
The Data Act is a horizontal piece of legislation that sets out general principles and rules applicable across all sectors. It does not change existing obligations regarding access to data, but establishes an EU framework with which all future legislation should be aligned.
Key areas of regulation
- Removing barriers to accessing and using IoT data
The Data Act requires manufacturers to design and manufacture connected products in such a way that data from them can be easily accessed and shared. Users, whether consumers or businesses, have the right to obtain data on the use and performance of these products and services and may decide to pass them on to third parties.
The Data Act also sets out requirements for the format, quality, and security of the data provided and introduces rules for its use, including the protection of trade secrets and sensitive information.
- Framework for data sharing between businesses (B2B)
The Data Act creates a fair framework for data sharing between businesses. It regulates the protection of trade secrets, requires fair and balanced contractual terms, and allows for reasonable and non-discriminatory compensation for data access.
This includes mechanisms for dispute resolution and measures against unauthorized or fraudulent use of data, including the possibility to request data erasure.
- Data sharing between businesses and the public sector (B2G)
The Data Act allows public authorities to access data in cases of exceptional need, such as in crisis situations. Data requests must be specific, justified, and proportionate.
Public authorities may only use the data for the specified purpose, must protect it, and delete it after use. Personal data must be anonymized or pseudonymized. In some cases, data holders are entitled to financial compensation.
- Protection against access by third-country authorities and transfer of non-personal data
Data processing service providers are required to protect data from unauthorized requests by third-country authorities if they would be contrary to EU or Member State law. Access is only permitted on the basis of international agreements, and providers must minimize the amount of data shared and inform data subjects of the requests, unless this would jeopardize an investigation.
- Facilitating switching between service providers and interoperability
An important part of the Data Act is the effort to make it easier for customers to switch between different data processing service providers, such as cloud or edge services.
Providers must not impose technical or contractual barriers; they must provide customers with clear information about the transition process and data formats, and they must cooperate to ensure that the transition is quick and secure. The regulation also requires technical interoperability and the so-called functional equivalence of the new service.
Transition fees must be phased out within three years of the Data Act coming into force. The Data Act thus aims in particular to prevent so-called “vendor lock-in”, which is considered undesirable in most situations.
This will have a major impact on providers of SaaS, PaaS, and IaaS (Software, Platform, and Infrastructure as a Service).
Providers will have to enable easy and secure transfer of data, applications, and digital resources, remove technical or contractual barriers, and transparently inform customers about the terms of migration. Customers will thus be able to freely change providers without fear of data loss or vendor lock-in. This will affect not only cloud services for businesses, but also common online applications used by end users.
The regulation also supports the creation and operation of EU data spaces by setting rules for the content, format, and quality of data sets, transparency, and contractual terms for data access. The aim is to ensure legal certainty, technical compatibility, and a secure environment for cross-sector data sharing.
- Requirements for smart contracts
The Data Act introduces basic technical requirements for smart contracts that automate the fulfillment of data sharing agreements. These contracts must be robust, secure, allow for controlled access, and enable secure termination or suspension of operations.
The content of the contract must be consistent with the relevant data sharing agreements. The European Commission plans to adopt harmonized technical standards that will unify these rules across the EU.
Integration into the EU legislative framework
The Data Act is part of broader European digital legislation and builds on other legislation.
- DGA – Data Governance Act: The Data Act complements the Data Governance Act, which sets out the basic framework for data access and sharing in the EU. While the DGA has established basic rules and mechanisms for trustworthy voluntary data sharing, the Data Act adds specific obligations for data access and harmonized requirements for data reuse;
- GDPR: The Data Act applies to both personal and non-personal data. Requirements relating to the processing of personal data must therefore comply with the GDPR, and it is necessary to understand how the two pieces of legislation overlap, particularly in the case of mixed data sets;
- DMA – Digital Markets Act: The Data Act is closely linked to the Digital Markets Act, which aims to ensure fair competition in the online environment and limit the abuse of market power by large platforms. The DMA designates certain large digital platforms (such as large search engines, marketplaces, operating systems, or social networks) as “gatekeepers”, i.e., entities that are so powerful that they can influence others’ access to the digital market. In this context, the Data Act explicitly states that data from connected products and services may not be provided to these “gatekeepers” if this would restrict competition or strengthen their market dominance;
- Protection of intellectual property rights: The Data Act states that it does not affect the applicable EU and Member State laws on the protection of intellectual property. An exception is the so-called sui generis right to databases under Directive 96/9/EC, which does not apply to data obtained from connected products or services that fall within the scope of the Data Act. The aim is to limit possible conflicts with the protection of trade secrets or copyright and patent rights.
Enforcement and supervision of the Data Act
Each EU Member State must designate at least one competent authority responsible for applying and enforcing the rules laid down in the Data Act. In the Czech Republic, the Ministry of Industry and Trade (MPO) is actively working on the implementation of the Data Act, preparing the necessary legislative and organizational steps to put the regulation into practice.
The Office for Personal Data Protection (ÚOOÚ) will also likely be involved in supervising compliance with the rules, particularly in the area of personal data processing and the protection of data subjects’ rights.
The Data Act leaves the determination of specific sanctions to individual EU Member States. Each state must adopt effective, proportionate, and dissuasive sanctions for violations of the Data Act rules within its jurisdiction. This means that the amount and form of fines may vary between Member States, as the regulation allows for a so-called national sanctions regime.
When creating sanction mechanisms, Member States are required to take into account the recommendations of the European Data Innovation Board (EDIB) and the criteria directly specified in the Data Act. For certain types of violations (e.g., in the area of personal data), sanction rules under other regulations, typically the GDPR, will also apply.
In the Czech Republic, it is not yet entirely clear in which legal regulation sanctions for violations of the Data Act will be enshrined. It can be expected that this issue will be resolved as part of the planned implementation by the Ministry of Industry and Trade and, where appropriate, with the involvement of other supervisory authorities.
Since the adoption of the Data Act, the European Commission has been actively cooperating with businesses of all sizes, professional associations, and representatives of civil society to clarify the individual provisions of the regulation and prepare practical tools to facilitate its application in practice. This cooperation will continue after 12 September 2025 in the form of ongoing dialogue between the European Commission and the entities subject to the regulation.
The European Commission has already published a range of information materials, such as a set of frequently asked questions (FAQ)[6] and other resources. In addition, it plans to set up a special legal helpdesk for the Data Act, which will provide direct support to obligated entities in addressing specific questions regarding the application of the new rules.
Conclusion
One of the European Union’s long-term strategic goals is to build a truly unified and open data market, understood as the “fifth freedom” of the internal market, alongside the free movement of persons, goods, services, and capital.
The Data Act represents a major step towards realizing this vision, as it removes the technical and contractual barriers that have hitherto prevented the effective sharing and use of data across Member States.
The Data Act establishes basic rules for fair access to and use of data. It clearly defines who can obtain, use, and share data and under what conditions, thereby promoting a transparent and fair environment for all market participants and contributing to strengthening Europe’s competitiveness in the digital world.
In conclusion, the European Commission considers the Data Act to be not merely a legislative measure, but an investment in the future of the EU’s digital economy. Obligated entities should prepare for its impact in a timely manner, not only to comply with new obligations, but also to take full advantage of the opportunities that more open access to data will bring.
If you have any questions about data regulation or other areas of EU regulation and compliance, we at PEYTON legal are here to help.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act).
[3] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on the Digital Services Act and amending Directive 2000/31/EC (Digital Services Act).
[4] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on fair and open markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).
[5] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, laying down harmonized rules on artificial intelligence and amending Regulation (EC) No. 300/2008, Regulation (EU) No. 167/2013, Regulation (EU) No. 168/2013, Regulation (EU) 2018/858, Regulation (EU) 2018/1139, and Regulation (EU) 2019/2144, and Directives 2014/90/EU, (EU) 2016/797, and (EU) 2020/1828 (AI Act).
[6] FAQ here: https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_1114.
Mgr. Jakub Málek, managing partner – malek@plegal.cz
JUDr. Tereza Pechová, junior lawyer – pechova@plegal.cz
25. 9. 2025