The EU Data Act brings real business risks and opportunities for organizations. Non-compliance can lead to fines of up to €20 million or 4% of global annual turnover (Article 33), exclusion from the EU market for products that don’t meet access-by-design requirements after September 2026, delayed launches of connected products, reputational harm from lack of transparency, and costly last-minute retrofits. At the same time, early action offers strategic upside: modernizing product and technology foundations, reducing security risks through strong governance, and tapping into data-driven growth opportunities as the EU opens access to vast pools of currently unused industrial data.
Core obligations and timeline
The regulation sets common rules for all connected products and related services:
- Article 3 – Access by design: products must enable user access to readily available data by default, with export tools and clear instructions.
- Article 4 – User access rights: users must be able to retrieve their data free of charge, in a structured, machine-readable format, including metadata.
- Article 5 – Third-party sharing: users may authorize third parties to access their product-generated data, and data holders must enable this on FRAND (Fair, Reasonable, Non-Discriminatory) terms.
The timeline of the act is phased in two main stages. By 12 September 2025, users must be able to access and share their data (Articles 4 and 5), while by 12 September 2026, products must comply with access-by-design requirements (Article 3). What does that mean for organizations in practice?
Focusing on Third-party sharing (Article 5)
One of the act’s key points is the obligation to share data with third parties upon user request. When a user authorizes a third party, data holders must provide access under FRAND terms. For your customers and users of your products, this begins with an activation process and user journey involving clear notices, data listings, and privacy-compliant mechanisms for activation, sharing, and revocation across all touchpoints.
For third parties, the process begins with gaining access to documentation and infrastructure to receive data. It also requires secure, interoperable access via APIs and/or export tools with access controls, usage logs, and audit-ready records. Interfaces should follow standards and include well-documented metadata to ensure safe integration across domains and platforms.
Finally, operational readiness is critical: processes must cover identity, authentication, and authorization for both users and third parties, as well as request handling, billing, and contracting.
Third-party access by FRAND criteria in practice and legal coordination
In practice, FRAND means access on fair, reasonable, and non-discriminatory terms. Transparent processes and consistent application help ensure that comparable third parties in comparable situations receive comparable access. Applied FRAND therefore means that access is granted on neutral, documented criteria rather than decided case by case.
Coordination with other regulations is also essential. The Data Act intersects with GDPR (personal data), MDR/IVDR (device safety), the AI Act (risk controls), the European Health Data Space (clinical data reuse), and FIDA (finance). Early mapping of overlapping obligations prevents conflicts, recertification, or retrofits. Cross-functional alignment between Legal, IT, and Product teams is crucial, while sanctions and sector-specific restrictions must also be considered within the compliance program.
Contractual guardrails
Like other similar regulations, the Data Act promotes openness but also expects proportionate safeguards. To strike this balance, data holders need defensible guardrails:
- Scope and minimization: catalogue product and service data, provide only what is readily available and relevant to the use case, and track ownership and sources across data pipelines.
- Protection of sensitive data: apply layered access, filtering, and monitoring to limit disclosure of sensitive fields such as trade secrets, diagnostic data, or transient real-time data.
- Standardized third-party contracts: define permitted purposes, retention limits, restrictions on onward sharing, and security obligations; agreements should also include audit rights, incident notification, and alignment with governance and data privacy models.
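The three guardrails above can be enforced at the point where an export is produced. The following is an added example, not code from the original article or from any product it describes: a minimal data-holder export routine that keeps only the fields a purpose needs (scope and minimization), strips fields the holder classifies as trade secrets or diagnostics (protection of sensitive data), checks that the user's grant to the third party is still active (revocation), and writes an audit-ready record with a hash of the released payload. The device readings, purpose catalogue, authorization registry and field names are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample readings from one connected device (not real product data).
SAMPLE_DEVICE_DATA = [
    {"device_id": "dev-001", "ts": "2025-09-12T08:00:00Z", "temperature_c": 21.4,
     "energy_kwh": 0.42, "firmware_build": "internal-7f3a", "diag_trace": "trace-a"},
    {"device_id": "dev-001", "ts": "2025-09-12T09:00:00Z", "temperature_c": 22.1,
     "energy_kwh": 0.39, "firmware_build": "internal-7f3a", "diag_trace": "trace-b"},
]

# Fields the data holder treats as trade secrets or diagnostics; never exported.
SENSITIVE_FIELDS = {"firmware_build", "diag_trace"}

# Hypothetical purpose catalogue: each permitted purpose maps to the minimal
# field set it needs (scope and minimization).
PURPOSE_ALLOWLIST = {
    "energy_analytics": {"device_id", "ts", "energy_kwh"},
    "comfort_service": {"device_id", "ts", "temperature_c"},
}

# Hypothetical authorization registry keyed by (user, third party): the purpose
# the user granted and whether the user has since revoked the grant.
AUTHORIZATIONS = {
    ("user-42", "tp-energy"): {"purpose": "energy_analytics", "revoked": False},
    ("user-42", "tp-old"): {"purpose": "comfort_service", "revoked": True},
}


def filter_record(record, purpose):
    """Keep only fields on the purpose allow-list, minus sensitive fields."""
    allowed = PURPOSE_ALLOWLIST[purpose] - SENSITIVE_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


def build_export(records, user_id, third_party_id):
    """Produce a structured, machine-readable export with metadata for an
    authorized third party; refuse if no active grant exists."""
    grant = AUTHORIZATIONS.get((user_id, third_party_id))
    if grant is None or grant["revoked"]:
        raise PermissionError(f"no active authorization for {third_party_id}")
    purpose = grant["purpose"]
    if purpose not in PURPOSE_ALLOWLIST:
        raise PermissionError(f"unknown purpose {purpose}")
    data = [filter_record(r, purpose) for r in records]
    fields = sorted(PURPOSE_ALLOWLIST[purpose] - SENSITIVE_FIELDS)
    return {
        "metadata": {
            "schema_version": "1.0",
            "purpose": purpose,
            "fields": fields,
            "record_count": len(data),
            "generated_at": datetime.now(timezone.utc).isoformat(),
        },
        "data": data,
    }


def audit_record(export, user_id, third_party_id):
    """Audit-ready log entry: who received what, for which purpose, plus a
    SHA-256 of the released payload so the release can be verified later."""
    payload = json.dumps(export["data"], sort_keys=True).encode()
    return {
        "event": "third_party_export",
        "user": user_id,
        "third_party": third_party_id,
        "purpose": export["metadata"]["purpose"],
        "fields": export["metadata"]["fields"],
        "record_count": export["metadata"]["record_count"],
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "logged_at": export["metadata"]["generated_at"],
    }


def share_with_third_party(records, user_id, third_party_id):
    """Full path: authorization check, minimized export, audit record."""
    export = build_export(records, user_id, third_party_id)
    return export, audit_record(export, user_id, third_party_id)


if __name__ == "__main__":
    exp, log = share_with_third_party(SAMPLE_DEVICE_DATA, "user-42", "tp-energy")
    print(json.dumps(exp, indent=2))
    print(json.dumps(log, indent=2))
```

The allow-list is subtracted from the sensitive set rather than the other way round, so a purpose added to the catalogue later can never leak a sensitive field by mistake; the audit record stores the field list and a payload hash, not the data itself, which keeps the log audit-ready without turning it into a second copy of the export.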
Remuneration for data provisioning
Article 5 allows for the monetization of user-authorized third-party access. The regulatory framework for pricing anticipates a tiered model: small and medium-sized enterprises are restricted to cost-based pricing, whereas larger enterprises have greater flexibility.
To implement remuneration, companies should establish transparent and consistent pricing tiers, such as for file downloads versus APIs or for batch versus near real-time access, and integrate automated billing and contracting into the third-party process.
Readiness roadmap for Article 5
A structured roadmap is vital because it connects the regulation, the technical solution, and the business strategy. Organizations can adopt a phased program that accelerates compliance while creating value:
- Discovery & assessment: define scope for each product and service, map data flows and ownership, identify regulatory touchpoints, assess product-level risks, and prioritize use cases.
- Solution design & alignment: translate legal requirements into architecture, user experiences, and governance; define roles, standards, and guidelines; and draft FRAND-compliant access models for data infrastructure and exports.
- Build, test & validate: implement secure architecture, provide safe user access with audit-ready logs, integrate consent layers and external service connections, and validate security, performance, and – where applicable – MDR/IVDR documentation at pilot scale.
- Launch & sustain: train teams, roll out change management, ensure secure integration across domains and platforms, monitor KPIs and feedback loops, and maintain audit readiness through continuous reporting and governance.
Key challenges and risk mitigation
Organizations often struggle to turn legal requirements into concrete architecture and user flows. Tackling this early avoids bottlenecks and rushed decisions. IT adaptations can be significant, so evaluating solution scenarios upfront helps minimize risks, retrofits and technical debt.
Strong governance is also essential: clear roles, standards, and policies for data owners, together with standardized risk assessment and mitigation, will become a necessity. Cross-functional alignment (Legal, Data Protection, IT, R&D, Product) is another aspect critical to execution. On the business side, companies should prevent one-sided value extraction by building their own integration capabilities and value-added services around shared data.
Next steps
The immediate priorities for organizations are clear:
- Assess readiness: identify products in scope, map data flows and owners, and close gaps in access, sharing, and security.
- Establish governance: set up cross-functional ownership with decision rights and a joint roadmap.
- Design the third-party model: standardize consent journeys, FRAND-aligned terms, onboarding, and billing, aligned with IT architecture and market strategy.
- Build the backbone: prioritize identity and access management, interoperable APIs and exports, and audit-ready monitoring. Pilot these capabilities ahead of the 2025 milestone.
Start preparing for the EU Data Act now. Proven data-sharing patterns already exist across industries, so build on these learnings. The regulation puts users at the center, emphasizing secure, user-friendly experiences and scalable third-party ecosystems. If you want to learn more about the EU Data Act and how your organization can prepare for it, check out our page here.