EU Data Act Applicability Checker

Determine data-sharing obligations under the EU Data Act for IoT/connected products

Select your connected product type and your role — manufacturer, data holder, data recipient, user, or cloud provider — to identify your EU Data Act obligations: access by design, FRAND data sharing, limited use, portability, and the September 2025 timeline. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What does the EU Data Act regulate?

It governs access to and sharing of data generated by connected products and related services. Users gain rights to access the data their devices generate and to direct it to third parties, while manufacturers and data holders gain matching obligations to make that data available.

The EU Data Act unlocks the data that IoT devices and connected products generate, giving users access rights and imposing sharing duties on the firms that hold the data. Because the obligations depend on your role, this checker pairs your product type with your position in the data value chain.

How it works

The Data Act assigns duties by role against data generated through product use:

manufacturer  → access by design + pre-sale transparency + data on request
data holder   → FRAND sharing + no competing use of the data
data recipient → use only for the agreed purpose, no competing product
user          → right to access and to redirect the data to a third party
cloud provider → portability + functional equivalence + remove egress fees

The tool first checks whether your product is a connected product or related service (in scope) versus standalone software or a non-connected product (largely out of scope), then lists the obligations for the role you select.

Notes and example

A smart-appliance maker is both the manufacturer and, usually, the data holder. As manufacturer it must build access by design and tell buyers what data is generated; as data holder it must share that data on FRAND terms with the user or a repair company the user nominates, and it must not use the same data to compete with the user. A user, meanwhile, gains the right to pull that data and redirect it. Roles frequently overlap, and trade-secret protection, GDPR, and gatekeeper rules all interact with these duties, so treat this as orientation and confirm the detail for your specific arrangement.

Key definitions the Data Act turns on

Understanding the Data Act requires clarity on a few terms the regulation defines specifically:

Connected product: a physical object that can collect and communicate data concerning its use or environment, and that can be connected to the internet — including via another device. This covers industrial sensors, smart appliances, wearables, connected vehicles, and a wide range of IoT hardware.

Related service: a digital service that is necessary for the connected product to perform one or more of its functions, such as an app that controls the device or a cloud backend that stores its data. The related service is in scope alongside the product.

Data holder: any person who has the right or obligation under the Regulation, or under applicable EU or national law, to use and make available data that is generated by a connected product or related service. In most cases this is the manufacturer or their cloud partner.

FRAND: Fair, Reasonable, and Non-Discriminatory. Data holders must share on these terms — they can charge compensation (at cost, for consumers), but they cannot charge extractive rates or discriminate between similarly situated recipients.

Interaction with GDPR

Where the data generated by a connected product is personal data (which is common — usage data often identifies the user), the Data Act operates alongside GDPR rather than replacing it. The access rights under the Data Act do not override GDPR restrictions, and sharing data with a third party still requires a lawful basis and a data-processing agreement. In practice, product lawyers need to map both frameworks simultaneously.

Timeline at a glance

  • 12 September 2025: most Data Act obligations begin to apply.
  • 12 September 2026: access-by-design requirement for newly designed connected products.
  • 12 September 2027: cloud-switching charges must be zero (progressive phase-out period).

Existing products placed on the market before September 2025 and not substantially modified may have extended transition periods for some obligations. Confirm the specifics for your product and role with a qualified legal adviser.