EU Data Act In-Depth Analysis: Which Manufacturers & Devices Must Comply?

Editor: ESTL Category: Certification information Release time: 2025-12-11

Recently, the full text of the EU Data Act has been officially released. Hailed as a "milestone in the data economy," this regulation came into force on September 12, 2025. Its core goal is to completely break data monopolies and transfer data control from manufacturers back to users.

This article clearly outlines which manufacturers and devices are legally bound by the Act.


I. Core Objective: Your Data, Your Control

The Act’s core principle is unambiguous: You, not the device manufacturer, hold the ownership and right to use the data generated by your smart devices.

This means you have the right to access, use, and authorize third parties to use the data from your devices. This will foster more innovative services such as energy efficiency management and predictive maintenance.


II. Key Compliance Targets: Which Manufacturers Must Adhere?

The Act imposes clear compliance requirements on "data holders" and "manufacturers." The following types of manufacturers are the focus of the regulation:

1. Connected Product Manufacturers

All enterprises producing and selling connected products in the EU market, regardless of their place of registration. Examples: Smart home appliance brands (e.g., Haier, Midea), connected car manufacturers (e.g., Tesla, BYD), industrial equipment manufacturers (e.g., Siemens, KUKA).

2. Relevant Service Providers

Enterprises offering digital services (e.g., software, cloud services) closely tied to the functionality of connected products. Without these services, one or more core functions of the product cannot be realized. Examples: Operating system and content platform providers for smart TVs, cloud control platforms for smart homes, remote operation and maintenance software providers for industrial machinery.

3. Data Processing Service Providers (e.g., Cloud Service Providers)

Enterprises offering cloud services (IaaS, PaaS, SaaS), edge computing, and similar services must ensure customers can freely migrate data to other service providers. Examples: Amazon AWS, Microsoft Azure, Google Cloud, Alibaba Cloud, and various SaaS software providers.

Important Exemption

Micro and small enterprises (MSEs) may be exempt from certain obligations under Chapter II (B2C/B2B data sharing) under specific conditions. This applies only if they do not have non-compliant large enterprises as partners or affiliated enterprises.


III. Comprehensive Coverage: Which Devices Are Regulated?

The Act has an extremely broad scope, covering almost all physical objects that can connect to the internet and generate data.

Regulated device types include (but are not limited to):

Smart Consumer Electronics

  • Smartphones, tablets, laptops
  • Smart TVs, smart speakers, smart home appliances (refrigerators, air conditioners, washing machines)
  • Wearables (smartwatches, fitness trackers)

Smart Home & Security Devices

  • Smart thermostats, smart lighting systems
  • Smart door locks, security cameras, sensors

Mobility Tools

  • Connected smart cars, electric vehicles
  • Smart bicycles, electric scooters
  • Internet-enabled aircraft and ships (for those operating in the EU)

Healthcare Devices

  • Connected medical devices (e.g., pacemakers, insulin pumps)
  • Home health monitors (blood pressure monitors, blood glucose meters)

Industrial & Commercial Devices

  • Industrial Internet of Things (IIoT) devices: Machine tools, robots, sensors
  • Commercial devices: Smart vending machines, connected agricultural machinery (e.g., smart tractors)
  • Public infrastructure: Smart meters, environmental monitoring devices (air quality sensors)

Key Definition

A "connected product" under the Act refers to a device whose primary function is not to store, process, or transmit data for manufacturers or other third parties. This means user-centric products like smartphones and smart TVs are covered, while dedicated data servers are excluded.


IV. Core Obligations for Manufacturers: What Must Be Done?

Faced with the Act, relevant manufacturers must act immediately to complete compliance reforms before September 2025.

1. Compliance by Design (Top Priority)

Products must, by default, allow users to access data easily, securely, and free of charge in a structured, common, and machine-readable format. Data accessibility must be integrated into the product design phase.

2. Transparency

Before sale, manufacturers must clearly inform users of the types of data the device generates, the data format and volume, and how users can access the data.

3. Provide Data Interfaces

Manufacturers must establish standardized APIs so that users or authorized third parties can access data smoothly.

4. Support Data Portability (for Cloud Service Providers)

Providers must eliminate technical, commercial, and contractual barriers so that customers can switch service providers freely. Data portability fees will be phased out and completely banned after January 2027.


Summary & Warning

For manufacturers, this is not just a compliance challenge but also a strategic opportunity. Enterprises that act early will:

  • Gain the trust of EU users and enhance brand reputation.
  • Develop new business models and service revenues through data mobility.
  • Avoid the risk of product removal from the EU market after September 2025.

The countdown to enforcement of the Act has already begun. Relevant manufacturers should immediately launch:

  1. Product line review: Identify which products require compliance.
  2. Technical architecture assessment: Does the existing system support easy data export?
  3. Legal clause revision: Update user agreements and service terms.

The rules of the data economy have changed—shifting from "data monopoly" to "data sharing" is inevitable. Only enterprises that actively adapt to this transformation can seize opportunities in future global competition.


Disclaimer

This article is only a summary interpretation of the EU Data Act and does not constitute legal advice. For specific compliance operations, refer to the full text of the regulation and consult professional legal counsel.


Security Upgrade! GTG Certification Guards the New Era of IoT Security

GTG Cybersecurity Laboratory

As a leading domestic IoT security certification expert, GTG Testing Group specializes in testing and certification for the EN 18031 standard (EU IoT security regulation)!

With the explosive growth of IoT devices, countries around the world have introduced stricter security regulations. EN 18031 is the core security standard developed by the EU for smart homes, Industrial IoT (IIoT), and smart cities. It covers key security requirements such as device authentication, data encryption, firmware security, and vulnerability management, ensuring the full-lifecycle security of IoT products from design to deployment.

How Does GTG Protect Your IoT Products?

✅ EN 18031 Compliance Certification: Ensure your products meet EU market access requirements.

✅ Penetration Testing & Vulnerability Assessment: Simulate hacker attacks to identify security risks in advance.

✅ Security Architecture Design Consulting: Optimize product security performance from the bottom up.

✅ Global Regulatory Adaptation: Assist enterprises in meeting IoT security standards of different countries (e.g., China’s GB/T, UK’s PSTI).

Why Choose GTG?

  • Professional domestic IoT security testing institution.
  • Has provided security certification services for many enterprises.
  • Owns an offensive and defensive laboratory with a professional red team to simulate APT attack scenarios.