The Data Act (Regulation (EU) 2023/2854) is set to transform how data generated by connected products and related services is accessed, shared, and used across the EU.
Previously, much of this data remained with manufacturers or service providers. The Regulation shifts this balance, granting users greater access and control to the data they generate, and in turn it attempts to foster a fairer and more competitive data economy.
The Regulation will largely apply directly in all EU Member States from 12 September 2025 with certain obligations relating to the design of connected products and related services kicking from 12 September 2026. This leaves businesses, manufacturers, service providers, and public authorities a limited timeframe within which to adapt their systems, contracts, and internal processes.
Defining the Data in Scope
The Regulation applies to inter alia manufacturers, providers of data processing service and users of connected products and related services placed on the EU market as well as data holders and recipients of data generated by such connected products or related services, in the case of manufacturers or providers, the regulation will apply regardless of where the manufacturer or provider is established if such products or related services are placed on the EU market.
Connected products are physical items capable of collecting, generating, or transmitting data about their use or environment via electronic communication, physical connection, or on-device processing. These can range from wearable fitness trackers and smart home appliances, to automotives and aircrafts.
Related services are those services that are connected to a product, and that collect and generate data from the use of a connected product. Examples include virtual assistants embedded in a device, and navigation systems integrated into vehicles.
The Regulation focuses on readily available data, such as raw data, being data that can be accessed from the connected product or related service without disproportionate effort. However, it does not extend to data that has been significantly processed beyond a simple operation. It will cover both personal and on-personal data though, in the cases of personal data, it will also operate alongside the GDPR.
Stakeholders and their Roles under the Data Act
The Regulation creates a framework involving several stakeholders. These include the manufacturer, user of the connected product and related service, the data holder, the data recipient and providers of data processing services.
Data holders being the individual or organisation (typically the manufacturer or service provider that controls access to data retrieved or generated from a connected product or related service, and has the right or obligation to use and share that data are particularly affected by this regulation. In fact, for these persons, compliance with the Data Act means undertaking a review across several fronts, including:
- Determining the scope and applicability of the Data Act
- If applicable, updating contracts and documentation such as terms of service.
- Creating and implementing operational processes:
- Meeting design obligations for future connected products or related services.
A data recipient is any third party, acting for purposes related to their trade or profession, to whom the data holder makes data available. This could be an application developer, or even a public authority in certain circumstances. They must use the data only for the purposes for which it was shared, respect applicable trade secret rules, and not use the data to develop competing connected products.
The data processing service provider is any entity providing services that enables access to shared computing resources, such as cloud storage, to their customer. Providers of data processing services will be required to enable their customers to terminate contracts and migrate data to other data processing services without undue delay or cost, removing barriers to competition and ensuring interoperability.
Enforcing the Data Act
The enforcement of the Data Act will be decentralised, with each Member State designating competent authorities responsible for monitoring compliance and handling complaints. Each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of the Data Act. In turn, persons shall have the right to lodge a complaint with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights under the Data Act have been infringed. In Malta, the Malta Digital Innovation Authority (MDIA), together with the Malta Communications Authority (MCA), are the prospective Competent Authorities responsible for the application and enforcement of the provisions of the Data Act.
While the Regulation does not set specific penalty amounts in case of non-compliance, it requires that Member States establish penalties that are effective, proportionate and dissuasive. This leaves room for variation across Member States. Although these penalties will be borne by companies as legal entities, directors should not overlook their personal exposure in the event of non-compliance by a company. While the Data Act does not explicitly create liabilities for directors, their existing duties and responsibilities under national laws, specifically the Companies Act (Chapter 386 of the Laws of Malta), mean that they can potentially be held accountable for a company’s failure to adhere to the Data Act. This stems from a director’s overarching duty to exercise the care, diligence and skill expected of their position.
The Data Act marks a shift towards a data economy in which value is shared more equitably between those who generate data and those who hold it. With key provisions applying from 12 September 2025, organisations must act swiftly in making operational, contractual, and technical changes to meet their new obligations. For directors, proactive oversight and a commitment to compliance remain the most effective safeguard against liability in this regulatory landscape.
This article was first published in the Sunday Times on 07/09/2025 and can be found here.
