Are you up to date with the Data Act?

Machine builders supplying customers in the European Union will already be aware of the Machinery Directive. Its replacement, the Machine Regulation, comes into force in January 2027 and introduces requirements relating to cybersecurity. However, there is another new piece of European legislation that already has implications for machine builders and system integrators. This is Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data – which can be shortened to the Data Act. Although the Data Act covers a wide range of products, this present article is concerned solely with how the legislation impacts machine builders and system integrators; for simplicity, we will just refer to machine builders.

What is covered?

Regulation (EU) 2023/2854 has been applied since 12 September 2025, though some aspects do not apply until September 2026 or September 2027. It covers ‘connected products’ and, for the avoidance of doubt, this includes products with on-device access, products with wireless connectivity, and products that require a physical connection to be made when needed. ‘Data’ includes data generated by use of the product or related service, metadata necessary to interpret and use the data, and data created when users interact with the product. Even if data is only stored and not processed, then it still falls within the scope if it can be accessed.

Paragraph 14 of the preamble lists various types of connected product, with industrial machinery being one such type. This paragraph also states that prototypes do not fall within the scope of the Data Act, but machine builders should not assume that a one-off special-purpose machine is exempt, even though it could be argued that it is a prototype. Article 31 excludes custom-built data processing, as well as data processing services provided as a non-production version for test/evaluation over a limited time period.

If any data can be accessed by the machine builder, then it is covered by the Data Act. It must therefore be sharable with the end user and, by implication, third parties. On the other hand, information that has been derived from data is excluded from the scope of the Data Act and does not need to be sharable. If data, such as from sensors, is processed but not stored, then it does not need to be sharable. Personal data is covered by other EU legislation, though the Data Act covers personal data that has been anonymised.

Article 7 states that the Data Act does not apply to products manufactured or designed by microenterprises and small enterprises provided they do not have a partner enterprise or linked enterprise and the enterprise is not subcontracted to design or manufacture the product. The same applies to an enterprise that has qualified as a medium-sized enterprise for less than one year, and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise.

Why is the Data Act needed?

The Data Act recognises the value of data for businesses, consumers and society, largely as a result of the ‘Internet of Things’ (IoT). Furthermore, the European Commission believes that high-quality and interoperable data increases competitiveness and innovation and, therefore, ensures sustainable economic growth. Consequently, the Data Act aims to make it easier for users to share data with third parties or use it themselves, rather than having the data restricted to being stored or processed by, for example, a machine builder. The situation is the same, whether the user has purchased, leased or rented the product.

Standardisation

In common with many EU Regulations, the Data Act contains essential requirements that must be met. In this case, the requirements relate to the form of the data and its usability. Data must always be accessible to a user easily, securely, free of charge, and in a comprehensive, structured, commonly used and machine-readable format.

Clauses in the Data Act provide for harmonised standards that, if complied with in full, would provide a presumption of conformity with the essential requirements. In the absence of such standards, ‘common specifications’ can provide a presumption of conformity. At the time of writing, no harmonised standards or common specifications have been published but these may follow in due course.

Contractual arrangements

When a machine is placed on the market in the EU, whether for sale, lease or rent, information about sharable data must be provided before a contract is concluded. This includes the data functions available, how they can be accessed, the type and volume and format of the data, whether data is generated continuously and/or in real time, and the nature, location and retention period of data.

A contract must cover the basis for a manufacturer’s use of product data, and the terms could exclude or limit the user from accessing all or some of the data. Some data might be classified as trade secrets, in which case the data holder can require data users to treat it as trade secrets.

Within the Data Act, there are clauses to prevent product suppliers from imposing unfair contractual terms on customers. The EC has published non-binding model contractual terms in a document ‘Final Report of the Expert Group on B2B data sharing and cloud computing contracts.’ Nevertheless, Article 1, Clause 6 of the Data Act states that it does not apply when voluntary agreements are in place for exchanging data.

Compensation

If a data holder (such as a machine builder) is requested by the user to make data available to a third party, then the data holder can require the third party, not the user, to pay reasonable compensation for the cost of providing the data, but not for the data itself.

The EC has foreseen that levels of compensation might be contentious, so the Data Act sets out arrangements for resolving disputes and lays the foundations for dispute settlement bodies that can decide whether compensation is reasonable.

Initially, providers of data processing services can charge users for switching between different providers. However, these switching charges will be abolished after three years.

Sharing data with authorities

So far, we have focused on situations where, typically, a user wishes to share data with a third party of their choosing. In addition, the Data Act covers the requirement for data holders to make data available to public sector bodies, the Commission, the European Central Bank and Union bodies when there is an exceptional need, such as in the event of a public emergency. Data holders are entitled to compensation for making the data available. Micro and small businesses are exempt from the requirement to share data with authorities.

Legal representation

For machine builders based outside the EU, a key point to note is Article 37, Clause 11: ‘Any entity falling within the scope of this Regulation that makes connected products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.’ Clause 12 explains what the legal representative is mandated to do, which is essentially to act on behalf of an entity to cooperate with the relevant authorities and, upon request, demonstrate how connected products and related services are in compliance with the Data Act.

Hold Tech Files Ltd is based in the Republic of Ireland and is therefore established in the EU. Hold Tech Files performs numerous roles for non-EU machine builders in accordance with various EU legislation, including acting as a legal representative in line with the requirements of the Data Act.

Summary

From the perspective of a non-EU machine builder exporting to the EU, complying with the Data Act requires the following unless there are relevant exemptions:

• Certain information about the data and its usability must be made available before a sale, lease or rental contract is concluded;
• There must be an agreement with the data user regarding which data is sharable, the characteristics of that data and how it would be shared, and this agreement must be fair to both parties;
• If harmonised standards or common specifications have been published, then the data should comply with these unless it can be shown to meet the essential requirements (stated in Article 33) another way;
• Data and metadata must be suitable for sharing with the data user or, upon request from the user, a third party;
• Upon request from the user, the data holder must be ready to share the data with the user or a third party;
• A method should be established for calculating the reasonable level of compensation that can be claimed for transferring data to a third party or the authorities; and
• Before placing the product on the market, a machine builder outside the EU must appoint a legal representative who is established in the EU.

For information about appointing an EU legal representative, contact Hold Tech Files.

www.holdtechfiles.eu