Regulation (EU) 2023/2854 Data Act

Welcome to data-act-law.eu. Here you will find the PDF of the Data Act in a clearly structured format. The final text of the regulation is available in German and English. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data will apply from 12 September 2025 with some exceptions.

Table of contents

Chapter 1: General provisions
Art. 1 Data Act: Subject matter and scope
Art. 2 Data Act: Definitions
Chapter 2: Business to consumer and business to business data sharing
Art. 3 Data Act: Obligation to make product data and related service data accessible to the user
Art. 4 Data Act: The rights and obligations of users and data holders with regard to access, use and making available product data and related service data
Art. 5 Data Act: Right of the user to share data with third parties
Art. 6 Data Act: Obligations of third parties receiving data at the request of the user
Art. 7 Data Act: Scope of business-to-consumer and business-to-business data sharing obligations
Chapter 3: Obligations for data holders obliged to make data available pursuant to Union law
Art. 8 Data Act: Conditions under which data holders make data available to data recipients
Art. 9 Data Act: Compensation for making data available
Art. 10 Data Act: Dispute settlement
Art. 11 Data Act: Technical protection measures on the unauthorised use or disclosure of data
Art. 12 Data Act: Scope of obligations for data holders obliged pursuant to Union law to make data available
Chapter 4: Unfair contractual terms related to data access and use between enterprises
Art. 13 Data Act: Unfair contractual terms unilaterally imposed on another enterprise
Chapter 5: Making data available to public sector bodies, the Commission, the European Central Bank and Union bodies on the basis of an exceptional need
Art. 14 Data Act: Obligation to make data available on the basis of an exceptional need
Art. 15 Data Act: Exceptional need to use data
Art. 16 Data Act: Relationship with other obligations to make data available to public sector bodies, the Commission, the European Central Bank and Union bodies
Art. 17 Data Act: Requests for data to be made available
Art. 18 Data Act: Compliance with requests for data
Art. 19 Data Act: Obligations of public sector bodies, the Commission, the European Central Bank and Union bodies
Art. 20 Data Act: Compensation in cases of an exceptional need
Art. 21 Data Act: Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies
Art. 22 Data Act: Mutual assistance and cross-border cooperation
Chapter 6: Switching between data processing services
Art. 23 Data Act: Removing obstacles to effective switching
Art. 24 Data Act: Scope of the technical obligations
Art. 25 Data Act: Contractual terms concerning switching
Art. 26 Data Act: Information obligation of providers of data processing services
Art. 27 Data Act: Obligation of good faith
Art. 28 Data Act: Contractual transparency obligations on international access and transfer
Art. 29 Data Act: Gradual withdrawal of switching charges
Art. 30 Data Act: Technical aspects of switching
Art. 31 Data Act: Specific regime for certain data processing services
Chapter 7: Unlawful international governmental access and transfer of non-personal data
Art. 32 Data Act: International governmental access and transfer
Chapter 8: Interoperability
Art. 33 Data Act: Essential requirements regarding interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces
Art. 34 Data Act: Interoperability for the purposes of in-parallel use of data processing services
Art. 35 Data Act: Interoperability of data processing services
Art. 36 Data Act: Essential requirements regarding smart contracts for executing data sharing agreements
Chapter 9: Implementation and enforcement
Art. 37 Data Act: Competent authorities and data coordinators
Art. 38 Data Act: Right to lodge a complaint
Art. 39 Data Act: Right to an effective judicial remedy
Art. 40 Data Act: Penalties
Art. 41 Data Act: Model contractual terms and standard contractual clauses
Art. 42 Data Act: Role of the EDIB
Chapter 10: Sui generis right under Directive 96/9/EC
Art. 43 Data Act: Databases containing certain data
Chapter 11: Final provisions
Art. 44 Data Act: Other Union legal acts governing rights and obligations on data access and use
Art. 45 Data Act: Exercise of the delegation
Art. 46 Data Act: Committee procedure
Art. 47 Data Act: Amendment to Regulation (EU) 2017/2394
Art. 48 Data Act: Amendment to Directive (EU) 2020/1828
Art. 49 Data Act: Evaluation and review
Art. 50 Data Act: Entry into force and application

What is the Data Act and why is it important?

The Data Act is a central component of the European data strategy and for the first time lays down standardised rules for fair access to and use of data within the EU. The aim is to promote the creation of a competitive internal market for data and to eliminate imbalances in access to data. The legal basis for the objective and scope is set out in Article 1 and Recitals 1 to 10.

When does the Data Act come into force and who does it apply to?

The Data Act came into force on 11 January 2024 and, in accordance with Article 50, will apply from 12 September 2025, subject to certain transitional arrangements. The Regulation applies to data holders, data recipients, users, manufacturers of connected products and providers of digital services based in the EU or outside the EU, provided that their activities have an impact on the EU internal market (see Article 2 on territorial and material scope).

What rights do users get under the Data Act?

Users of connected products, like smart home devices or industrial machines, get an explicit right to access the data generated during use. They can use this data themselves or share it with others. This right to use is set out in Article 4 and is backed up by Articles 5 and 6, which lay out the requirements for data access and sharing. The rights apply regardless of whether the data is personal or non-personal.

What does the Data Act mean for companies in the EU?

Companies that generate, process or control data must in future ensure that user data is made available in a structured, standardised and machine-readable format. In addition, unfair contractual clauses on data access or use are prohibited in relation to SMEs (see Article 13). Data controllers must cooperate with data requests from authorised third parties, provided that the conditions in Articles 8 to 12 are met. This applies in particular to transparency obligations and appropriate remuneration.

The Data Act introduces new obligations for companies in the EU when handling data. The aim is to ensure fair access to data and to promote innovation and competition. Important requirements:

  • Enable data access:
    Companies must enable users to access the data they generate (see Articles 4 and 5). The data must be provided in a structured, machine-readable format.
  • Comply with transparency obligations:
    Clear information about the type, scope and use of the data must be provided before the contract is concluded (Article 3(2)).
  • Ensure contractual fairness:
    Unfair contractual terms vis-à-vis SMEs – for example, regarding liability, use or refusal of data access – are prohibited (Art. 13).
  • Support public authorities:
    In exceptional cases (e.g. emergencies), data must be transferred to public authorities upon request if the conditions are met (Art. 14–22).
  • Ensure data portability:
    Providers of cloud and data processing services must enable easy switching between services and avoid vendor lock-in (Art. 23–26).

How does the Data Act relate to the GDPR?

While the GDPR only applies to personal data, the Data Act regulates access to and use of both personal and non-personal data (see Article 1(2)). While the GDPR aims to protect personal data, the Data Act regulates the availability of data in the internal market. However, the two sets of rules are complementary: in the event of overlap, the GDPR takes precedence (see Article 1(5)).

What data is affected by the Data Act?

All data generated when using connected products and related services is covered – i.e. both personal and non-personal data, provided it is technically accessible. This is defined in Article 2(1) and (2). However, data that is specifically protected by intellectual property rights is excluded, unless there is legitimate access (see Article 4(6)).

What do manufacturers of connected devices need to consider with regard to the Data Act?

Manufacturers are obliged to design their products and services in such a way that user data can be made accessible by default. The technical design must promote data portability and interoperability (see Articles 3 and 4). In addition, manufacturers must provide clear information on data collection and use before the contract is concluded (see Article 3(2) and (3)).

What penalties are imposed for violations of the Data Act?

The Regulation leaves the specific design of sanctions to the Member States (see Article 40). They are required to empower authorities to impose ‘effective, proportionate and dissuasive’ measures (Article 37(5)). These may include fines, injunctions or other supervisory measures.