EU Data Act: Data license requirements for connected devices and health wearables

The EU Data Act, applicable in most parts since 12 September 2025, introduces a comprehensive framework governing how data generated by connected products and related services, such as connected medical devices and wearable health products, may be accessed, shared, and used. Applying to both personal and non-personal data, the Data Act aims to put users in control of data generated by their use of connected products and related services. Its scope of users extends across consumers, business users, and corporate customers.

Manufacturers and other companies acting as data holders must implement robust standards and procedures ensuring that users can, upon request, access data generated through the use of their connected products or related services, and, where requested by users, share such data with third parties. This includes establishing clear contractual terms governing data access and sharing, as well as maintaining comprehensive transparency documentation.

In addition, manufacturers of connected products and providers of related services will be required to design their connected products and services in such a way that certain data generated by the use of the device or service is, where relevant and technically feasible, directly accessible to the user by default. These design requirements will apply to products and services placed on the market after 12 September 2026.

One less widely recognized dimension of the Data Act is that it not only imposes obligations to make data available, but also restricts how data holders may use non-personal, readily available data for themselves (beyond the scope of mere provision of the product/service). Under Article 4(13), data holders may only use such data based on a contract with the user (often called a "data license"). Article 4(14) further restricts data holders from making non-personal product data available to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user.

These requirements, which became applicable on 12 September 2025, are generally considered to apply to data obtained from both new and, with some reservations, legacy products/services already placed on the market prior to that date. This introduces significant operational constraints, particularly affecting companies relying on such data for their own business purposes, such as research and development, or product optimization and improvement.

To ensure compliance, data holders must not only implement data access and data‑sharing standards and procedures, but also adapt, implement, and update appropriate terms of use with users to secure and maintain the right to use such data for necessary business purposes. To navigate these regulatory requirements effectively, companies should proactively establish a comprehensive data governance framework – not only to ensure compliance but to preserve the ability to continue using data for their own business purposes. Key steps include:

  • Conducting comprehensive data mapping to identify all data flows, categories, and processing activities.
  • Performing impact and gap analyses comparing existing practices to Data Act obligations.
  • Developing data governance strategies that support compliant data access, data sharing, and own data use.
  • Integrating data licensing concepts into product design and contractual terms.
  • Designing product and service architectures that facilitate secure and compliant user data access.

Authors

Dr Martin Pflueger

Partner Intellectual Property Munich

David Bamberg

Counsel Intellectual Property Munich

Valentin Reiter

Senior Associate Intellectual Property Munich
