Skip to content Skip to sidebar Skip to footer
Menu
Menu
Data Protection & Cybersecurity

Data Act Effective from September 2025: Here is a Guide to the Main Obligations

15 minutes ago
6 minRead time
data act effective
Share This Article
Share Post

The Data Act effective date is approaching fast: on 12 September 2025, most of the provisions of Regulation (EU) 2023/2854, better known as the Data Act, will finally come into force.

For many companies, this is not just another piece of regulation to tick off. It is a game-changer for the European data economy, reshaping how organizations collect, access, share, and process data.

The ambition of the Data Act is to create a genuine single market for data, where access and sharing are simple, secure, and transparent. But for businesses—especially those active in IoT and digital services—it means concrete new obligations and, in some cases, profound changes to their commercial models.

So, what exactly will change when the Data Act becomes effective? Let’s look at the key obligations.

Key Obligations for the IoT Sector

Chapter II of the Data Act focuses on connected products and related services. Think smart cars, wearables, connected household appliances, and industrial IoT tools. From September 2025, manufacturers, sellers, lessors, and service providers will face new transparency and access rules.

The main obligations include:

  • Pre-contractual information: Before signing, customers must be clearly informed about the type, format, and volume of data generated by the product or service.

  • Access to data: Users will have the right to request free, secure, real-time access to the data generated by their connected devices, in a structured and machine-readable format.

  • Data sharing with third parties: Upon user request, data must be shared with a third party designated by the customer under fair, reasonable, and non-discriminatory conditions.

  • Accessibility by design: Products and services should, where technically feasible, be designed to allow direct user access to the data they generate.

This framework is intended to empower users while ensuring businesses maintain adequate protection for trade secrets, intellectual property, and personal data.

Key Obligations for Data Processing Service Providers

The Data Act effective date is also a milestone for cloud, SaaS, PaaS, and IaaS providers. The Regulation takes direct aim at the problem of vendor lock-in, requiring providers to make it easier for customers to switch between services.

From September 2025, providers must:

  • Eliminate technical, contractual, and commercial barriers that make it difficult for customers to switch to a competitor.

  • Guarantee that customers can terminate contracts with minimal notice and move their data and digital resources elsewhere.

  • Ensure functional equivalence when migrating services to another provider.

  • Enable the disaggregation of services, where technically feasible.

On top of these requirements, contracts must include specific clauses on portability and cooperation (Article 25), and providers must implement technical measures to guarantee interoperability between different cloud services (Article 30).

This will require not just new legal documentation, but also technical and operational restructuring for many providers.

Uncertainties and Next Steps

While the Data Act effective date is fixed, many uncertainties remain. The European Commission still has to publish implementing acts, and Member States—including Italy—must define their national enforcement frameworks, including the rules on sanctions.

Companies therefore face a dual challenge: preparing for obligations that are already clear, while staying agile to adapt to future clarifications and guidance. The absence of harmonized penalties across the EU also raises questions about potential divergences in enforcement.

Why Businesses Cannot Afford to Wait

The countdown to 12 September 2025 has already started. Organizations that fall under the scope of the Data Act—whether in the IoT sector or in digital services—should not underestimate the scale of the required changes.

Practical steps to take now include:

  • Mapping data flows generated by connected products and services.

  • Reviewing contracts with customers and partners to ensure compliance with transparency and portability requirements.

  • Testing interoperability and portability to reduce switching barriers.

  • Monitoring regulatory updates, both at EU and national level, to adapt compliance roadmaps as new guidance emerges.

The Data Act effective date will not only test regulatory compliance—it will also separate those who see data as a compliance burden from those who see it as a strategic opportunity. The most forward-looking companies will use the Act to differentiate themselves in terms of trust, transparency, and customer empowerment.

Final Thoughts

September 2025 is closer than it looks, and the Data Act effective date will reshape the European digital economy. While uncertainties remain, the direction is clear: organizations must be ready to provide access, ensure portability, and reduce barriers to data use.

The real question is: will your company simply comply, or will you seize the chance to innovate and lead in Europe’s new data market?

On the same topic, you can read the article “Data Act: the level of enrichment of data for it to be considered inferred or derived“.

(Visited 2 times, 2 visits today)
Tags:
0LikesShare Post