Table of content
Compliance Connected systems
17 Jul 2026

Who owns machine-generated data under the EU Data Act

Quick summary

The EU Data Act, applicable since September 2025, gives users the right to access and share the data their connected products generate. For makers of industrial IoT equipment, it ends the era of exclusive control over device data and introduces design obligations that take effect in 2026. This article explains what changes and what to do about it.

Introduction

For most of the connected-equipment era, the data a machine generated belonged, in practice, to whoever built the machine. Sensor readings, performance telemetry and operational data flowed into the manufacturer's cloud, where they were packaged with dashboards and analytics that customers could buy back. If a factory wanted its own raw data, it often had to accept the vendor's terms to get it.

The EU Data Act changes that default. Applicable since 12 September 2025, it gives users, both businesses and consumers, the right to access and use the data generated by their connected products, and to share it with third parties of their choosing (European Commission, 2025). For makers of industrial IoT equipment, this is not a minor compliance update. It reallocates control of machine-generated data and reshapes the business models built on top of it.

What the Data Act actually requires

At its core, the Data Act establishes a user-centric regime for data generated by connected products and related services. The obligations fall into a few clear themes.

Users gain a right of access. They must be able to obtain the data their connected products generate, free of charge, in a structured, commonly used, machine-readable format, and in real time where technically feasible. This covers both personal data, where the GDPR continues to apply, and non-personal machine data.

Users also gain a right to share. They can direct a data holder to transmit their product data to a third party, on fair, reasonable and non-discriminatory terms. A factory could, for example, allow an independent maintenance provider to access equipment data rather than relying solely on the original manufacturer.

The regulation also has extraterritorial reach. It applies to manufacturers and service providers that place connected products or related services on the EU market, regardless of where they are based, and the obligations can flow up supply chains through distributors and integrators (Fenwick, 2025).

The reason this is a structural shift rather than a procedural one is that it moves the right to use and commercialise non-personal machine data from the manufacturer to the user, overturning the default that has underpinned many connected-equipment business models. That is a change in who holds the value, not just who holds the data.

Takeaway: The Data Act gives users the right to access and share their machine-generated data, reallocating control away from manufacturers by default.

The 2026 deadline that changes product design

The September 2025 application date set the access and sharing rights in motion, but the obligation that most affects engineering teams arrives a year later. From 12 September 2026, new connected products and related services placed on the EU market must be designed so that operational data and metadata are easily, securely and directly accessible, by default (European Commission, 2025).

This is access by design, and it cannot be retrofitted cheaply. Much industrial machine data today originates in proprietary automation and control systems that were never built to expose data through open interfaces. Meeting the 2026 obligation means designing data accessibility into the product from the outset, with documented data structures, standardised interfaces and the security controls to make access safe.

Enforcement is becoming concrete. Member states are establishing national authorities and penalty regimes, with proposed fines reaching into the millions of euros for serious breaches, and industry guidance suggests complex IoT products typically need many months to reach compliance.

For manufacturers, the practical implication is that the 2026 deadline should be treated as a product-design milestone, not a documentation exercise. Products in development now will still be on the market then.

Takeaway: From September 2026, new connected products must provide accessible data by design, which is an engineering obligation that cannot be bolted on later.

Turning obligation into advantage

It is tempting to read the Data Act purely as a loss of control, and for business models built on data lock-in, some disruption is real. But the regulation also opens opportunities for manufacturers who approach it constructively.

Open, accessible data lowers the barrier for building modern data platforms and new digital services on top of equipment. Manufacturers who design genuinely useful, well-documented data access can compete on the quality of their services and analytics rather than on controlling access to the raw data. The role shifts from gatekeeper to enabler, and the manufacturers best placed are those who treat data accessibility as a product feature rather than a grudging compliance cost.

There is also a trade-secret balance to manage deliberately. The Data Act allows manufacturers to protect genuine trade secrets, but the exceptions are limited and require notification, so engineering and legal teams need to decide carefully what is genuinely protectable and design accordingly rather than relying on opacity.

The interpretive point is that the Data Act rewards manufacturers who build for data accessibility deliberately, because clean, well-documented, secure data access becomes both a compliance asset and a foundation for the services that increasingly differentiate connected products. The same engineering investment serves both ends.

For industrial equipment makers selling into the Nordics, DACH and Benelux markets, where industrial buyers are already sophisticated about data, demonstrating Data Act readiness is increasingly likely to become a procurement expectation rather than just a legal requirement.

Takeaway: The Data Act favours manufacturers who design for accessible data, turning a compliance obligation into a foundation for differentiated digital services.

How the Data Act fits the wider EU data rulebook

The Data Act does not exist in isolation. It is one piece of a broader European framework governing how data is shared, secured and used, and understanding the connections helps manufacturers avoid treating each regulation as a separate, unrelated project.

It works alongside the Data Governance Act, which sets up trusted mechanisms for voluntary data sharing, while the Data Act provides the legal clarity on access and use rights. For personal data, the GDPR continues to apply in full, so connected products that generate personal data sit under both regimes at once and have to satisfy each. And for connected products, the security obligations of the Cyber Resilience Act and, for radio equipment, the Radio Equipment Directive shape how data access must be made secure rather than merely available.

The framework also continues to evolve. The Commission proposed a Digital Omnibus package in late 2025 aimed at simplifying and aligning several data-related rules, which signals that the detail will keep shifting even as the underlying direction, towards user control and accessible data, stays constant.

The interpretive point is that the Data Act is best addressed as part of a coordinated response to the EU data and product rulebook, because the same engineering work, secure and well-documented data access, serves obligations that would be wasteful to tackle in isolation. A manufacturer that builds accessible, secure, well-governed data once satisfies several regimes at lower total cost than treating each separately.

For equipment makers selling across the Nordics, DACH and Benelux markets, aligning Data Act work with existing GDPR and product-security programmes is the efficient path, rather than standing up a parallel compliance track.

Takeaway: The Data Act sits within a connected EU data and product framework, so coordinated engineering of secure, accessible data serves several regimes at once.

Conclusion

The EU Data Act ends the assumption that machine-generated data belongs to the machine's maker. Users now have the right to access and share it, and from September 2026 new products must be built to make that access straightforward by design.

For industrial IoT manufacturers, the response is to treat data accessibility as a design requirement now, while products are still in development, and to build the documentation, interfaces and security to support it. Done well, that work satisfies the regulation and lays the groundwork for the data-driven services that will increasingly define competitive connected products.

FAQ

What is the EU Data Act?

The EU Data Act, Regulation (EU) 2023/2854, is an EU regulation that establishes rules on access to and use of data generated by connected products and related services. Applicable since 12 September 2025, it gives users the right to access and share the data their devices generate, covering both personal and non-personal data, and aims to create a fairer, more competitive data economy.

Who does the Data Act apply to?

It applies to manufacturers of connected products, providers of related services, data holders, data recipients and cloud service providers that place products or services on the EU market. Its reach is extraterritorial, so it applies regardless of where a company is based, and obligations can extend up supply chains through distributors, OEMs and integrators.

What changes on 12 September 2026?

From that date, new connected products and related services placed on the EU market must be designed so that operational data and metadata are easily, securely and directly accessible by default. This access-by-design obligation affects product engineering directly, since much machine data currently comes from proprietary systems not built to expose data through open interfaces.

Does the Data Act protect trade secrets?

Yes, but the protection is limited. Manufacturers may refuse or restrict data access where it would disclose genuine trade secrets, but the exceptions are narrow and generally require notifying regulators when invoked. Companies need to identify what is genuinely protectable and design their data access accordingly, rather than relying on general opacity to withhold data.

Sources

About Author Wirtek is a Danish tech company with 25 years of experience, specialising in three core domains: energy, connectivity & automation and digital engineering. We build, connect and operate digital solutions through software development, Internet of Things (IoT), quality assurance and ready-made products. Founded as a Nokia spin-off, we combine deep know-how with EU compliance to partner with companies on their journey to modernise systems and extend capabilities while reducing risk. Since 2022, we have focused strongly on shaping solutions that power the sustainability transition.

Got a project in mind?

Who owns machine-generated data under the EU Data Act
11:59