Quick answer

The EU Data Act (Regulation 2023/2854) requires that data generated by connected products and related services be made accessible to users and, in certain cases, to third parties, directly affecting AI systems that rely on IoT data, industrial data, or cloud-hosted datasets.

Updated June 2026 · MmowW AI Compliance

EU Data Act and AI: Data Sharing Obligations and Access Rights

What the EU Data Act Means for AI

The EU Data Act (Regulation 2023/2854), which applies from 12 September 2025, creates new rights and obligations around access to and use of data generated by connected products and related services. For AI developers and deployers, the Data Act reshapes the data supply chain by mandating that users can access and share data generated by their devices, potentially disrupting proprietary data advantages that underpin many AI business models.

The regulation operates alongside the GDPR, the Data Governance Act (Regulation 2022/868), and the EU AI Act, creating an increasingly dense data regulatory framework. AI practitioners must understand how these instruments interact.

Key Provisions Affecting AI Systems

| Data Act Provision | AI Impact | Effective Date |
| --- | --- | --- |
| Chapter II: B2C data sharing | Users can extract and port IoT data, reducing data lock-in for AI training | 12 September 2025 |
| Chapter III: B2B data sharing | Users can share product data with third parties, including AI service providers | 12 September 2025 |
| Chapter IV: Unfair contractual terms | Data access terms in AI service contracts may be voided if unfair to SMEs | 12 September 2025 |
| Chapter V: Public sector data access | Government bodies can compel data access in emergencies | 12 September 2025 |
| Chapter VI: Cloud switching | Elimination of switching charges affects AI-as-a-service models | 12 September 2025 |
| Article 35: Trade secret protection | Data holders may protect trade secrets but cannot use them to refuse access entirely | 12 September 2025 |

Data Access Rights and AI Training

Article 4 of the Data Act requires that products be designed to make data generated by their use accessible to the user by default, easily, securely, and free of charge. Article 5 extends this by allowing users to share that data with third parties. For AI companies, this means that proprietary data pipelines built on IoT data from connected products may be challenged if users demand access to or portability of their data.

However, Article 4(6) explicitly states that data made available under the Data Act shall not be used to develop a competing connected product. This carve-out protects hardware manufacturers but does not prevent using such data to train AI models that provide services rather than competing products. The boundary between a competing product and a complementary AI service will be a significant area of enforcement interpretation.

Trade Secrets and AI Model Protection

Article 35 permits data holders to apply reasonable measures to preserve trade secrets when making data available. For AI providers, this is relevant in two directions. First, when receiving data from connected products, the data holder may impose technical protection measures that limit how the data can be used for model training. Second, when AI providers themselves hold data that users request access to, they must balance access obligations against protecting proprietary model architectures and training methodologies.

The Data Act explicitly states that trade secret protection cannot be used as a blanket refusal to provide data access. Disputes are resolved through a combination of contractual mechanisms, model contractual terms (to be published by the Commission under Article 41), and national dispute resolution bodies.

Cloud Switching and AI Service Portability

Chapter VI mandates that cloud service providers, including AI-as-a-service providers, must eliminate switching charges by 12 January 2027. Providers must ensure functional equivalence during switching periods and support data portability in machine-readable formats. This directly affects AI platforms that host models, training data, or inference pipelines on behalf of customers.

AI service providers should prepare by documenting their data export formats, ensuring model portability where technically feasible, and reviewing contracts to remove switching penalties. The practical challenge is that AI model portability is fundamentally more complex than data portability: a model trained on one infrastructure may not perform identically on another due to hardware-specific optimizations.

Interaction with GDPR and EU AI Act

The Data Act does not override GDPR. Where data generated by connected products contains personal data, GDPR processing grounds must be established independently. The Data Act adds a right of access to non-personal data that complements but does not replace GDPR data subject rights.

For high-risk AI systems under the EU AI Act, the Data Act may facilitate compliance with Article 10 data governance requirements by making training and validation data more accessible. Conversely, the Data Act's access requirements may complicate the data protection impact assessments required for AI systems processing personal data.

Compliance Priorities for AI Organisations


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.