EU Data Act for Connected Product Manufacturers: What You Need to Share and How

What the EU Data Act requires connected product manufacturers to do. Covers data-sharing obligations, technical requirements, and implementation options.

The EU Data Act (Regulation (EU) 2023/2854) has been in effect since September 12, 2025. If you manufacture or sell connected products in the European Union — smart appliances, industrial machinery, connected vehicles, wearables, medical devices, agricultural equipment, or any product that generates data through its use — you now have legal obligations to share that data with your users and, at their request, with third parties.

This guide explains what the Act requires, who it applies to, and what infrastructure you need to comply.

What the EU Data Act Requires from Manufacturers

The core obligation is straightforward: users of your connected products have the right to access the data generated by their use of those products. You must provide this data:

  • Free of charge to the user
  • In a structured, commonly used, and machine-readable format
  • Without undue delay — continuously or in real time where technically feasible
  • Through a secure and easily accessible channel

When the user requests it, you must also share this data with a third party designated by the user. You may charge the third party, but only on FRAND (Fair, Reasonable, and Non-Discriminatory) terms. For SMEs and non-profit third parties, you can charge only enough to recover your costs.

What Data Must Be Shared

The Act covers data generated by the use of a connected product. This includes:

  • Sensor data — temperature, pressure, vibration, location, speed, energy consumption
  • Usage data — operating hours, cycles, mode settings, performance metrics
  • Diagnostic data — error codes, maintenance alerts, fault history
  • Environmental data — ambient conditions recorded by the product
  • Interaction data — user inputs and configuration changes

The data that must be shared is the data that the product generates through its operation — not your proprietary algorithms, trade secrets, or inferred data that you derive from the raw data.

What Products Are Covered

The Act covers any product that obtains, generates, or collects data concerning its use or environment, and can communicate that data. This includes:

  • Smart home devices (thermostats, lighting, security systems, appliances)
  • Connected vehicles (telematics, diagnostics, navigation, battery management)
  • Industrial machinery (CNC machines, robots, compressors, pumps)
  • Agricultural equipment (GPS-guided tractors, sensors, irrigation systems)
  • Medical devices (wearable monitors, connected diagnostics)
  • Energy systems (smart meters, inverters, EV chargers, building management)
  • Wearables and consumer electronics (fitness trackers, smartwatches)

Excluded: products whose primary function is to store, process, or transmit data on behalf of a party other than the user (PCs, smartphones, tablets, cameras, gaming consoles).

The Timeline: Where We Are Now

| Date | What Applies | Status |
|---|---|---|
| January 2024 | Act enters into force | Done |
| September 2025 | Main data-sharing obligations apply | Now in effect |
| September 2026 | "Data by design" — new products must be designed to make data directly accessible to users | Upcoming |
| January 2027 | Complete ban on cloud switching charges | Upcoming |

If you are selling connected products in the EU today, the data-sharing obligations already apply to you.

Technical Requirements: How to Share Data

The Act does not prescribe a specific technical standard, but the requirements effectively push toward API-based infrastructure:

Format Requirements

Data must be provided in a structured, commonly used, and machine-readable format. In practice, this means JSON, XML, or structured CSV — not proprietary binary formats or PDF reports.

Access Channel

The channel must be secure and easily accessible. For simple, low-volume use cases (a consumer downloading their thermostat data once), a self-service portal with download functionality may suffice. For high-volume, continuous data flows (industrial equipment, fleet telematics), APIs are the practical solution.

Timeliness

Data must be provided without undue delay, and where technically feasible, continuously or in real time. For products that generate high-frequency data (industrial sensors, vehicle telematics), this effectively requires streaming or near-real-time API access.

Third-Party Access

When a user directs you to share data with a third party, you need:

  • Authentication — verify that the request genuinely comes from the user
  • Authorization — confirm the third party is who it claims to be before granting it access
  • Consent management — record what data the user has authorised to be shared, with whom, and for how long
  • Access controls — ensure the third party can only access the data scope the user approved
  • Audit trail — log all data access events for compliance reporting
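
A sketch of how the consent, access-control, and audit-trail requirements above fit together at the point where data is released. This is an added example, not code from Fiskil or from the Act. It assumes the user and the third party were already authenticated upstream. The names `Consent`, `ConsentGate`, `release`, and `audit_intact`, the category keys, and the hash-chained log are illustrative choices.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Consent:
    user_id: str
    third_party_id: str
    scopes: frozenset     # data categories the user approved
    expires_at: datetime  # end of the approved sharing period

class ConsentGate:
    def __init__(self):
        self.consents = {}  # (user_id, third_party_id) -> Consent
        self.audit = []     # hash-chained access log (added design choice)

    def grant(self, consent):
        self.consents[(consent.user_id, consent.third_party_id)] = consent

    @staticmethod
    def _digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def _log(self, **event):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        self.audit.append({**event, "prev": prev, "hash": self._digest(prev, event)})

    def release(self, user_id, third_party_id, requested, record, now):
        """Return only user-approved categories; log every decision, denials included."""
        consent = self.consents.get((user_id, third_party_id))
        live = consent is not None and now < consent.expires_at
        allowed = sorted(set(requested) & consent.scopes) if live else []
        self._log(ts=now.isoformat(), user=user_id, third_party=third_party_id,
                  decision="allow" if allowed else "deny", released=allowed)
        return {k: record[k] for k in allowed if k in record}

    def audit_intact(self):
        """Recompute the chain; an edited entry no longer matches its stored hash."""
        prev = "0" * 64
        for entry in self.audit:
            event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, event):
                return False
            prev = entry["hash"]
        return True

# Constructed sample data (not from the article): one device record keyed by category
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
RECORD = {"sensor": {"temp_c": 21.5}, "usage": {"hours": 1200}, "diagnostic": {"faults": ["E12"]}}
```

A request for a category outside the approved scope is dropped without error, and the log records what was actually released. A missing or expired consent returns nothing.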

Interoperability

The Act requires interoperability across data holders and third parties. Data must be provided in formats that allow third parties to use it without reverse engineering or proprietary tools.

Implementation Options

Option 1: Build In-House

Build your own data-sharing infrastructure — APIs, consent management, access controls, audit logging, and a user-facing data access portal. This gives you full control but requires significant engineering investment and ongoing maintenance as requirements evolve.

Option 2: Use a Managed Platform

Use a data provider platform that handles the API layer, consent management, third-party onboarding, security, and audit logging. You integrate the platform with your product's data systems, and the platform handles compliance with the Act's technical requirements. This approach is faster (weeks instead of months) and reduces the ongoing compliance burden.

Option 3: Open-Source Infrastructure

Use EU-funded open-source components like the Eclipse Dataspace Connector (EDC) or IDSA Reference Architecture. These are standards-based and free, but require in-house expertise to deploy, configure, and maintain.

FRAND Pricing for Third-Party Access

When third parties request data, you may charge them — but on FRAND terms. This means:

  • Pricing must be transparent and non-discriminatory
  • For SMEs, you can only recover the cost of making the data available
  • You cannot use pricing to restrict competition or create barriers to data access
  • You must be able to justify your pricing if challenged

This is a new operational requirement for many manufacturers. Your data-sharing platform needs to support tiered pricing, usage metering, and pricing transparency.

The "Data by Design" Deadline: September 2026

From September 12, 2026, connected products placed on the EU market must be designed and manufactured to make data directly and easily accessible to the user, by default. This means product teams need to build data access capabilities into the product architecture from the design phase — not bolt them on after the fact.

For product leaders, this is the bigger challenge. It affects hardware design, firmware, connectivity architecture, and the product development roadmap.

Penalties

Enforcement is at the member state level. Penalties vary but are significant:

  • Netherlands: Up to EUR 1,030,000 or 10% of EU-wide annual turnover
  • Germany (draft): Up to 4% of worldwide annual turnover
  • Where personal data is involved, GDPR penalties also apply (up to EUR 20 million or 4% of worldwide turnover)

No enforcement actions have been publicly reported as of early 2026, but enforcement frameworks are being established across member states. The first actions will likely target large, high-profile non-compliance.

What You Should Do Now

  1. Audit your connected products. Identify which products generate data, what data they generate, and how that data is currently stored and accessed.
  2. Assess your current capabilities. Can you provide data in machine-readable formats today? Do you have user-facing data access? Can you handle third-party data requests?
  3. Choose an implementation approach. Build in-house, use a managed platform, or adopt open-source infrastructure — based on your scale, timeline, and internal capabilities.
  4. Implement consent management. Build or deploy the infrastructure to handle user-directed data sharing with third parties, including authentication, consent records, and audit trails.
  5. Prepare for "data by design." Product teams should start incorporating data accessibility into the design process for products launching after September 2026.
  6. Define your FRAND pricing. Establish a transparent, defensible pricing model for third-party data access.

Fiskil's Data Provider platform helps organisations meet data-sharing obligations with managed API infrastructure, consent management, third-party onboarding, and audit logging. Learn about our EU Data Act solution.
