The European Union has taken a major step toward reshaping data governance with the adoption of Regulation (EU) 2023/2854, more commonly known as the “Data Act”. The Act addresses a longstanding imbalance of power between users of connected products and related services, and the manufacturers or service providers who have traditionally held exclusive control over the data generated through the use thereof.
At its core, the Data Act seeks to ensure fair access to and use of data, ultimately shifting control into the hands of the individuals and entities who generate it. This aligns with broader EU digital policy goals promoting transparency, competition, and user empowerment in an increasingly data-driven economy.
The Act employs wide-reaching definitions to ensure comprehensive coverage across existing and future technologies, namely:
- Connected products, defined as any item that collects or generates data about its use or surroundings and can transmit such data through electronic communications, physical connections, or direct on-device access; and
- Related services, defined as digital services, such as embedded software, mobile apps, and cloud-based functionality, that are integral to or enhance a connected product’s operation.
To rebalance the relationship between stakeholders in the data ecosystem, the Data Act introduces a set of new user rights and corresponding obligations on manufacturers and service providers, including:
- Data accessibility by design – all connected products and related services newly placed on the EU market must be designed to provide users with seamless access to the data they generate.
- Right to share data with third parties – upon user request, data must be made available to authorised third parties such as independent repairers, insurers, and other service providers, enabling greater consumer choice and fostering innovation.
- Fair and competitive data and cloud practices – the Act restricts unfair contractual terms that limit data use and requires cloud service providers to facilitate switching between platforms, preventing vendor lock-in and supporting a more competitive market.
In parallel, the Act brings with it significant operational and strategic implications for businesses. To ensure compliance, manufacturers and service providers will need to:
- redesign product architecture to support built-in data accessibility;
- review and strengthen data governance and data-sharing processes;
- update customer and B2B contractual terms to reflect the Act’s rights and obligations;
- ensure interoperability and data portability across cloud environments; and
- implement clear procedures for handling data access and third-party sharing requests.
Despite entering in to force into force on 11 January 2024, the substantive obligations of the Data Act will apply progressively from 12 September 2025 through 2027. This phased timeline allows businesses time to adapt their operations and compliance frameworks.
Although the Data Act applies directly in all EU Member States, national authorities remain responsible for supervision, monitoring, and enforcement. In Malta, these roles will be undertaken by the Malta Digital Innovation Authority (MDIA) and the Malta Communications Authority (MCA). Their practical approach to oversight, sanctioning, and industry engagement will be closely monitored in the months ahead to determine the manner in which the provisions of the Data Act will be implemented in practice.
The Data Act represents a significant evolution in EU data regulation, shifting meaningful control to users and opening the door to greater transparency, innovation, and competition. Businesses should act now to align their product designs, contractual terms, and data practices with the Act’s requirements to ensure a smooth transition ahead of its phased application.
By: Kelly Xuereb and Julia Darmanin
