EU Regulation

The Data Act Opens Your Products

The EU Data Act gives users a right to the data your connected products generate, with sharing on fair terms. Here are the dates and what owners should do now.

By Leon Soliman · 2026-06-29 · 3 min read

What the Data Act actually grants

The EU Data Act entered into application on 12 September 2025. It establishes that the data generated by a connected product belongs, in use, to the person who uses that product, not solely to the company that built it. A user, whether a consumer or another business, can require access to the product data and related service data that the data holder can reach, supplied in a commonly used, machine-readable format and, where relevant and technically feasible, made available continuously and in real time.

This is a different regulation from the Cyber Resilience Act. The Cyber Resilience Act governs the security of a product. The Data Act governs the rights to the data the product produces. A machine builder can be fully compliant on security and still owe a user the data that machine generates. The two obligations run in parallel, and both reach manufacturers selling into the EU regardless of where they are established.

Access by design and sharing on fair terms

Connected products and related services placed on the EU market from 12 September 2026 must be designed so that data are, by default, easily, securely, free of charge and directly accessible to the user, in a structured, commonly used and machine-readable format. Direct access without the data holder stepping in is required only where relevant and technically feasible, but the design question now has to be answered before a product reaches the market, not after a customer asks.

The user can also require that this data be shared with a third party of their choice, for example a maintenance provider or a competing service. Where a data holder shares data with a third party, the terms must be fair, reasonable and non-discriminatory. The burden of proof is reversed: it is the data holder that must show its terms are non-discriminatory, not the recipient that must prove they are unfair. Switching to a different provider is meant to be straightforward rather than obstructed.

What this means for owners and machine builders

For a Mittelstand operator whose products are connected, the practical shift is ownership of the data stream. The telemetry, usage and performance data your installed base produces is no longer yours to hold alone. A customer can ask for it, and can ask you to hand it to a third party they have chosen, on terms you must be able to defend as fair. Aftermarket service models that depended on being the only party with the data need to be reconsidered on that basis.

The work to do is concrete and datable. Map what data each connected product generates and which of it falls within scope. Decide how access will be provided, whether by direct interface or by request. Prepare contractual terms for third-party sharing that you can demonstrate are non-discriminatory. Products designed today are the products that will be placed on the market in 2026, so the design decisions are being made now.

Frequently asked questions

Is the Data Act the same as the Cyber Resilience Act?

No. The Cyber Resilience Act addresses the security of products with digital elements. The Data Act addresses rights to the data those products generate, including user access and sharing with third parties. A product can meet the security rules and still owe the user its data.

Which date matters for a machine builder?

Two dates matter. The Data Act applies from 12 September 2025, including access and sharing obligations. The connected-product design obligations bind products placed on the EU market from 12 September 2026, so design choices made now are already in scope.

The data your connected products generate is now a right your customers can exercise, not an asset you hold by default. The owners who map it and price its sharing fairly will keep their service relationships on their own terms.

EU Data Act connected products access by design FRAND data sharing Mittelstand machine builders IoT Cyber Resilience Act data rights

More from the Servola Journal

AI Regulation

Germany Now Has a Named AI Regulator

2026-06-29 · 3 min read

Read the article →

AI and IP

Your AI Content May Belong to No One

2026-06-29 · 3 min read

Read the article →

AI Regulation

Your AI Must Now Identify Itself

2026-06-29 · 3 min read

Read the article →

Servola

Servola maps the data each of your connected products generates, designs how access and third-party sharing will work, and prepares sharing terms you can defend as fair.

Request a private introduction About Servola →

Servola is technology counsel for a small number of families and offices. When a decision cannot be delegated, we sit on your side of the table.

Servola Systems GmbH · Ludwigshafen, Germany · [email protected]

← All articles