Data Act
Fair Data Access & Cloud Portability

The EU Data Act creates a harmonized framework for fair access to and use of data from IoT products, strengthens B2B data access, simplifies cloud switching and systematically dismantles lock-in. A comprehensive framework for data-driven innovation.

What is the Data Act?

Regulation (EU) 2023/2854 creates EU-wide harmonized rules for fair data access, interoperability and cloud portability. Application date: 12 September 2025. Directly applicable in all EU Member States.

Core Objectives of the Data Act

The Data Act pursues six strategic objectives – from IoT data access to B2B/B2G provisioning to cloud switching and interoperability.

IoT Data Access Rights

Users gain access to their own data. Data generated through use of connected products (IoT) or services must be provided to users promptly, free of charge, in machine-readable formats. By-design requirement.

B2B Data Access (FRAND)

Data holders must share data. At user request, data must be passed to third parties – under fair, reasonable, non-discriminatory terms (FRAND). Quality parity. Purpose limitation. No dark patterns.

B2G: Exception Data Access

Public bodies in emergencies. In exceptional cases (natural disasters, cyber incidents, pandemic), public bodies/EU/ECB can request data access. Strict purpose limitation, anonymization, erasure obligation.

Cloud Switching Without Barriers

Switchability becomes mandatory. Cloud/edge providers must enable switching: open interfaces, machine formats, documented processes, functional equivalence (min. IaaS). Egress fees are phased out (after 3 years: €0).

Interoperability & Standards

EU-harmonized standards. Commission can mandate standards/common specifications for data spaces, cloud interoperability (e.g. ISO/IEC 19941, EU Cloud Rulebook). Multi-vendor cloud and open interop specifications promoted.

Protection Against Third-Country Access

Prevent unlawful access. Providers must protect non-personal data from unlawful third-country access (access permitted only via agreements/court orders). Encryption, audits, customer notification, challenge procedures.

Data from Connected Products (IoT)

Users of IoT products and connected services receive comprehensive data access rights – free of charge, machine-readable, including metadata. By-design requirement for manufacturers.

User Access Right

Promptly & free of charge. Users (B2B/B2C) receive access to all data generated through use: raw and pre-processed data plus metadata (context, timestamp). Structured, common, machine-readable formats (CSV, JSON, Parquet). Derived/inferred data (proprietary algorithms) excluded.

Pre-Contract Transparency

Pre-information mandatory. Sellers/manufacturers must clearly communicate before purchase/rental: What data does the product generate? Type, format, volume? How to access/export (APIs, SDKs, URL, QR)? Communicate changes over lifecycle.

Third-Party Recipients on User Request

B2B data access via authorization. Users may authorize third parties. Data holders must provide data in same quality as for own purposes. Gatekeepers (DMA) explicitly excluded. Purpose limitation, no dark patterns, profiling only if strictly necessary.

Trade Secrets

Disclosure despite trade secrets. Data with trade secrets must be disclosed – but under confidentiality safeguards (NDA, access controls, technical measures). Refusal only if serious economic harm threatens (must be justified).

GDPR Compliance

Data Act does not change GDPR. Any processing of personal data requires valid legal basis. If user is not data subject: Data Act does not create new legal basis – data holder can anonymize data.

Unfair B2B Clauses

SME protection. Unilaterally imposed unfair clauses on data access/use are non-binding towards SMEs. Black & grey lists of presumptively unfair clauses. Contract fairness as enforcement standard.

B2G – Data Access for Public Bodies

In case of exceptional need, public bodies, EU Commission, ECB or Union bodies can request data access – under strict conditions.

Exceptional Need Criteria

Only in emergency/exceptions. Public emergency (natural disasters, major cyber incidents, pandemic) or other exceptional needs. No routine requests. Subsidiarity principle: data must be actually necessary.

Anonymization & Purpose Limitation

Avoid identifying individuals. Avoid or anonymize personal data where possible. Use only for stated purpose. No reuse for other purposes. Technical/organizational measures for protection.

Transparency & Erasure

Logging & deletion. Transparency about requests, justifications, purpose. Erasure obligation after purpose fulfilled. Time limitation on use. Documentation for later verification. Customer protection as priority.

Cost Reimbursement

For non-emergencies. In non-emergency scenarios: cost reimbursement possible (actual costs + reasonable margin). In true emergencies: no cost reimbursement. Calculation must be traceable.

Cloud Switching & Portability

The Data Act establishes hard rules for cloud switchability – from open interfaces to egress fee phase-out to functional equivalence. Lock-in is systematically dismantled.

Switching Right & Portability

Cloud/edge customers must be able to switch. Including multi-cloud scenarios. Providers must enable switching – without unnecessary barriers. Complete data export: data, applications, configurations in machine-readable formats. Metadata included.

Pre-Contract Information

Transparency before contract signing. Providers must inform before contract: switching process, data formats, tools, technical limitations, duration, costs. Understandable, accessible, machine-readable. Communicate changes in good time.

Open Interfaces

Standardized APIs mandatory. Providers must provide open, documented interfaces. No proprietary lock-ins. Compatibility with established open specifications for object storage, container images, storage/network interfaces and API definitions. Enable export automation.

Functional Equivalence

At least for IaaS. Providers must support functional equivalence for IaaS features. Target cloud must be able to offer comparable functionality. Test environments for parallel operation. No vendor-specific feature dependencies.

Egress Fee Phase-Out

Gradually to zero. Egress fees and other switching charges are phased out. After 3 years from entry into force (i.e. from 12.09.2028): €0 for switching. Parallel operation can retain cost caps. Cost-based transition allowed.

Multi-Cloud Support

Enable parallel operation. Customers must be able to use multiple providers in parallel (testing, gradual migration). Support hybrid cloud scenarios. No artificial barriers. Data sync between clouds possible.

Interoperability & Harmonized Standards

The EU Commission can mandate standards and common specifications for data spaces, cloud services and interoperability. Goal: multi-vendor ecosystems without lock-in.

EU-Harmonized Standards

ISO/IEC 19941 & EU Cloud Rulebook. Commission references/mandates harmonized standards for cloud interoperability (e.g. ISO/IEC 19941). EU Cloud Rulebook/Guidance as implementation guide. Conformity creates legal certainty.

Open Specifications

Open, established standards preferred. Use of vendor-independent, open specifications for object storage, container formats, API definitions, storage and network interfaces. Cloud-native standards for workloads. REST/GraphQL-based APIs. No proprietary protocols without open alternatives.

Data Spaces Interoperability

Gaia-X, IDSA, European Data Spaces. Standards for data spaces are harmonized. Promote interoperability between data spaces. Standardize technical building blocks (trust, identity, metadata).

Common Specifications

Where standards are missing. Commission can issue common specifications if harmonized standards are not available. Mandatory technical specifications for interop requirements. Development via ESOs (CEN, CENELEC, ETSI).

Protection Against Third-Country Access

Providers must prevent unlawful access by third countries to non-personal data. Encryption, customer notification and challenge procedures become mandatory.

Lawful Access

Only via agreements/court orders. Third-country access only on basis of international agreements or strict rule-of-law criteria (court order, proportionality, legal guarantees). No blanket disclosure.

Technical Measures

Encryption & key management. State-of-the-art encryption (at rest, in transit). Customer-managed keys (BYOK/BYOHSM). Separation of keys and data. No provider access to customer keys. Audit logs.

Customer Notification

Pre-information where possible. Providers must inform customers of government access requests – where legally permissible (no gag order). Transparency about type, scope, legal basis of request. Provide challenge opportunity.

Challenge Procedure

Challenge requests. Providers must challenge disproportionate/unlawful requests. Legal review before disclosure. Documentation of challenge. Escalation to authorities/data protection. Customer protection as priority.

ayedo and the Data Act

Our Software Delivery Platform is designed for Data Act compliance – from data access rights to open APIs to transparent switching processes and EU data protection.

API-First & Data Access

Structured, machine-readable data. Standardized export APIs, OpenAPI documentation, schema catalogs. Formats: JSON, CSV, Parquet, YAML. Metadata included (timestamp, context). Self-service portals for users. GitOps audit trail.

FRAND-Compliant Third-Party Releases

Purpose limitation & access controls. Policy-based enforcement of purpose limitation. Time-/purpose-based releases via tokens/scopes. “Allow once/while using” flows. Logging/notarization of all releases. No dark patterns.

Trade Secret Protection

NDA & technical safeguards. Secret tagging at field level, dynamic masking, protected export paths. NDA flows for sensitive data. Refusal process for cases of threatened harm (justified, documented).

B2G Exceptional Need Runbook

Structured review procedures. Decision trees (emergency vs. exception), purpose/necessity review. Anonymization pipeline, erasure proofs, transparency logging. Cost calculations for non-emergencies. Legal review board.

Cloud Switching Without Barriers

Complete exit runbooks. Export of all digital assets: data, container images, IaC, policies, SBOMs, signatures. Standardized formats (YAML/JSON/OCI). Infrastructure-as-code porting to other cloud providers. Documented timelines. No egress fees (Data Act compliant).

Interoperability Standards

Open, vendor-independent standards. Container orchestration, package management, API specifications, identity/authentication protocols, object storage APIs, storage/network interfaces. Multi-vendor cloud capable. Portable architectures. Standard migration paths. ISO/IEC 19941 oriented. EU Cloud Rulebook ready.

EU-Only & BYOK

Minimize third-country access. EU operations (Germany), EU data centers, EU jurisdiction. Customer-managed keys (BYOK/BYOHSM). Separation of keys/data. Encryption at rest/in transit. Challenge procedure for requests. Customer notification.

Data Act Compliance Center

Transparency & documentation. Detailed switching register, data categories, formats, processes. Pre-contract information. Audit evidence packages. Authority contact matrix. Complete compliance roadmap.

Data Act Enablement Packages

Turnkey compliance. Assessment of data access rights, API design reviews, switching process setup, contract clause review (FRAND), interoperability audits, B2G runbook implementation. Support for your own Data Act compliance.

Data Act in Regulatory Context

The Data Act is part of the EU data strategy ecosystem. It integrates with DORA, CRA, Cloud Sovereignty Framework, NIS-2, GDPR and the Digital Markets Act (DMA).

Data Act & DORA

Complementary exit strategies. DORA requires ICT third-party risk management including exit capability. Data Act provides technical/contractual instruments for effective switching. Together: resilient, portable financial infrastructures.

Data Act & Cyber Resilience Act

Secure, interoperable products. CRA requires security across product lifecycle. Data Act requires interoperability and data portability. Together: secure products with open interfaces – without lock-in.

Data Act & Cloud Sovereignty

Portability as sovereignty enabler. Cloud Sovereignty Framework evaluates exit capability as core element of operational sovereignty. Data Act makes this legally enforceable. EU-only stacks with standardized exit processes = maximum control.

Data Act & NIS-2

Interoperability supports resilience. NIS-2 requires BCP/DR and supply chain management. Data Act portability facilitates disaster recovery and provider switching during incidents. Open standards reduce vendor dependencies.

Data Act & GDPR

Data protection remains paramount. Data Act does not change GDPR. For personal data: observe legal bases, DPIAs, data subject rights. Data Act data access requires GDPR compliance. Pseudonymization/anonymization as a means of harmonization.

ayedo Compliance Overview

Comprehensive compliance approach. How ayedo systematically addresses Data Act, DORA, CRA, NIS-2, GDPR, ISO 27001. Certifications, processes, technical measures, audit readiness. Complete roadmap.

Strategic Implications

The Data Act fundamentally changes data markets, cloud economics and IoT business models in Europe. From lock-in strategies to B2G obligations – here are the core implications.

End of Vendor Lock-in

Portability becomes enforceable. Cloud providers can no longer bind customers via proprietary formats, high exit costs or missing APIs. Multi-cloud strategies more attractive. Competition on quality/service, not lock-in.

Data as Shareable Resource

B2B data economy enabled. IoT/machine data can be legally shared (FRAND terms). Aftermarket services, predictive maintenance, AI training benefit. New business models beyond vertical integration emerge.

Interoperability as Norm

Open standards prevail. Proprietary APIs/formats lose attractiveness. EU-harmonized standards (ISO/IEC, CEN/CENELEC/ETSI) become standard. Data spaces (Gaia-X, IDSA) benefit. Ecosystem thinking instead of silos.

New Contract Standards

Fairness review in B2B. Unilateral, unfair clauses (towards SMEs) become ineffective. Standard contracts must be revised. FRAND principles as default. SMEs gain stronger negotiating position.

B2G as New Dimension

Data access in emergencies. Companies must be prepared for exceptional need requests: anonymization, purpose limitation, erasure, cost calculation. New compliance area alongside GDPR/NIS-2. Review boards required.

Compliance Complexity Increases

Multi-regulation compliance. Data Act + GDPR + NIS-2 + DORA + CRA = complex compliance puzzle. Integrated approaches required. Audit trails, policy-as-code, automated evidence. Early adopters have competitive advantage.