



EU "Data Act" Compliance Guide: Obligations, Timelines and Regulatory Scope

Author: 中认联科 | Date: 2026-01-06

As the core pillar of the EU's digital strategy, the "Data Act" entered into force on January 11, 2024, and became applicable on September 12, 2025. It aims to regulate data circulation and unlock the economic value of data, and it imposes clear compliance requirements on enterprises with an EU presence. This guide breaks down the key points in three areas: core obligations, key deadlines, and regulatory scope.

The act clearly defines the obligations relating to three types of entities. For end users on both the B and C sides, the core is to safeguard data control rights. The principle of transparency must be followed: information such as the purpose of data processing and the recipient must be disclosed, and data processing and third-party sharing must be based on user consent. At the same time, they are granted the right to access data. Data processing service providers are prohibited from setting barriers to switching. They must ensure data migration and interoperability across cloud platforms, adopt technical and legal measures to prevent illegal access to non-personal data by non-EU countries, and balance data security with circulation efficiency. Data recipients and governments must share data upon user request or in accordance with legal obligations. In emergency situations and for optimizing public utilities, data must be opened to the government. Abuse of a data monopoly position is strictly prohibited.

The three key deadlines determine the compliance rhythm. Starting from September 12, 2025, all relevant business entities must fully implement the new regulations. Connected products launched after September 12, 2026 must fulfill the obligation of "default accessibility"; this obligation applies only to products launched after the new regulations come into effect. Starting from January 12, 2027, cloud services will carry zero charges for switching and data transmission, so enterprises must adjust their cooperation costs and processes in advance. Existing long-term contracts must be revised by September 12, 2027.

The regulation covers a wide range of connected devices and excludes non-connected products. The categories include smart home devices, wearable devices, health and medical devices, vehicle-mounted devices, consumer electronics, and industrial and commercial equipment. This takes in common devices such as smart speakers, blood pressure monitors, vehicle networking modules, and smart POS machines. The core criterion is that a product must have networking capability and be able to generate, collect, and transmit data.

The act clarifies rights, responsibilities, and timeframes, balancing data utilization with rights protection. EU enterprises need to benchmark and take stock in advance to ensure that compliance is implemented.
