In less than six months, on 12 September 2025, most provisions of EU Regulation no. 2023/2854 (the EU Data Act) will go into effect. In light of the challenging compliance efforts, from legal and contractual points of view as well as from operational and product development perspectives, affected companies should act soon to avoid liability and administrative fines and to update their contractual frameworks.
The checklist below provides initial-level guidance to assist companies in assessing their risk exposure and identifying mitigation steps.
While the EU Data Act covers many different data-related topics, those most relevant for private companies are obligations regarding collection and use of Internet of Things (IoT) data (Section 1) and switching between cloud storage/service providers (Section 2).
For IoT Companies
Does Your Company Manufacture Connected Products (Connected Products)?
Definition: Connected Products are all categories of equipment collecting data about their use or vicinity and are able to transfer this data via internet connection, also commonly referred to as “smart devices” or “IoT devices,” such as cars, televisions, refrigerators, cleaning or lawn mowing robots, kitchen tools, etc. (Source: Art. 2(5) EU Data Act)
Does Your Company Offer Related Services (Related Services) in Connection With Connected Products?
Definition: Related Services include any digital service (usually provided via an app) essential for the intended use of a Connected Product or adding additional functionalities to a Connected Product. (Source: Art. 2(6) EU Data Act)
Who Are Your Users?
Definition: If your Connected Products or Related Services are offered to customers in the European Union, the EU Data Act will apply to such product or service, regardless of whether your customers are consumers (B2C) or commercial (B2B) customers. (Source: Art. 1.3 EU Data Act)
Does Your Connected Product or Related Service Allow Users to Access Collected Product Data (Product Data)?
Definition: Product Data is all information collected by a Connected Product or Related Service in connection with using such product or service or its environment, regardless of whether such data is considered “personal data” under GDPR or not.
Action: Users have a right to have access to Product Data in real time, either directly in the IoT device or related app, or at least separately in a machine-readable format. Technical measures for enabling this access need to be implemented.
Action: Users must be provided with core information when purchasing a Connected Product or Related Service, e.g., regarding the types and amount of usage data collected, for what purposes the data will be used, where and how long the data is stored, and how the data can be accessed and stored. Information documents need to be prepared.
Action: Users may also request that third parties be granted access to their Product Data. It is recommended to assess upfront under which conditions, if any, such disclosure may be rejected and on which grounds.
Does Your Company Use the Product Data for Its Own Purposes?
Action: Any use of this data for the company's own purposes (e.g., analytics, business intelligence, or advertising) is permitted only with permission from the user of the Connected Product or Related Service, given in a contract that includes detailed provisions on the use and protective mechanisms. These contracts must follow a strict agenda and must contain certain mandatory terms. Existing customer agreements and new customer agreements will need to be updated accordingly before either 12 September 2025 (new contracts) or 12 September 2027 (for contracts executed prior to 12 September 2025 and (i) of indefinite duration or (ii) due to expire after 11 January 2034).
Does Your Company Share Any of the Product Data With Third Parties?
Action: Product Data may be shared by your company with third parties only on the basis of a contract between the third party and the user, in addition to the contractual relationship of your company with the user. These contracts must follow a strict agenda and must contain certain mandatory terms. Agreements need to be put in place with users and third parties receiving usage data.
Does Your Company Currently Have Contracts in Place With Customers or Third Parties Entitling or Requiring Your Company to Access or Share Product Data?
Action: Existing agreements need to be reviewed for clauses regarding access to Product Data and, if such clauses exist, need to be updated to meet the above data sharing requirements.
For Cloud Storage/Service Providers
Does Your Company Offer Cloud Services?
Definition: These are usually services enabling customers to upload their data to cloud servers; not only cloud infrastructure providers are covered, but each provider offering services around data hosting is covered, even if the cloud infrastructure is owned by another service provider.
Who Are Your Customers?
Definition: If your Connected Products or Related Services are offered to customers in the European Union, the EU Data Act will apply to your product or service, regardless of whether your customers are consumers (B2C) or commercial (B2B) customers.
Does Your Company Enable Customers To Migrate to Another Service Provider or Replace the Service With an On-Premises Solution?
Action: The EU Data Act obliges cloud service providers to remove obstacles that could deter customers from switching to another provider or an on-premises solution, regardless of the nature of the obstacle and including in particular contractual and technical obstacles. Service providers must assess if their service setup may raise such obstacles and, if necessary, remove these.
Action: Customer contracts must provide wording regarding the procedures, rights, and obligations of the parties for switching to another service provider, including termination and migration rights.
Action: Customer data must be maintained in a file format that can easily be transferred.
Does Your Company Charge Fees for Migrating Customer Data to Another Service Provider or an On-Premises Solution?
Action: From 12 January 2027 onward, cloud service providers must not charge any fees if the customer decides to migrate to another service provider or an on-premises solution. Until then, fees may not exceed the internal costs of the service provider arising in direct connection with the migration.