The EU Data Act reshapes how data is accessed, shared, and governed across Europe. The act came into effect this month (September 2025), though there is further roll out to take place in the coming years. In essence, the new legislation introduces firmer rights for users of smart devices and machinery and stricter obligations for manufacturers, service providers, and cloud companies to provide fair access to ‘their’ data.
Some months ago, we discussed the new UK Data Use and Access Bill. Given the timing, one could be forgiven for assuming the two pieces of legislation would be similar or even interchangeable, but in fact they have distinctly different focuses.
A summary of the EU Data Act
The EU Data Act is designed to prevent “data hoarding” by powerful manufacturers and service providers in Europe. Owners of smart products, anything from phones and fitness trackers to connected fridges and heavy industrial machinery, now have the right to access and share the data those devices generate. The law also obliges EU businesses to make their data available to users and to third parties on ‘fair, reasonable, and non-discriminatory’ terms. Worth noting, there is no such stipulation in the UK Data Use and Access Act which focuses on public services, identity verification, smart data schemes, research access, and regulation rather than manufacturers and service providers.
At MetadataWorks, many of our clients are public sector organisations, so I’m particularly interested in the EU Act from this point of view. Unlike the UK Data Use and Access Act, public sector is not the main focus of the EU law, but there are some EU public sector implications. This new push for ‘fair, reasonable’; sharing, could be good news for European innovation and research in the public sector space. Public bodies will gain rights to request private-sector data in emergencies (like natural disasters or pandemics) and, in some cases, for other public-interest uses when data is not otherwise available. The public interest caveat here can include areas such as town planning, environmental monitoring and transport optimisation where the data cannot be accessed via other sources. In other words, meaningful access to private sector data for EU public sector organisations, which has the potential to accelerate research for the public good – good news. It is worth mentioning here for completists, that while the UK Data Act does not mandate data sharing by private sector organisations in this way, it creates an environment that encourages voluntary participation.
Looking back at the private sector, the EU Act also bans ‘unfair’ terms in data-sharing contracts and makes switching between cloud providers easier for the consumer.
There is certainly more to be said in terms of the pros and cons of the act (both in terms of public and private sector organisations), security and compliance concerns for one – perhaps we’ll cover this debate another day. For now though, we’ll stick to the potential impact of the new law.
The EU Data Act and the Question of Data Catalogues
At MetadataWorks, one of the most common questions we hear about the EU Data Act is whether it requires every manufacturer or service provider to publish a full “data catalogue.” The short answer is: no — not in the strict, public sense. The regulation doesn’t impose an obligation to create a comprehensive, browsable list of every dataset a company holds. But it does require organisations to think much more systematically about how they document, structure, and communicate the data their products and services generate.
At the heart of the EU Data Act is the principle of access by design. Connected products and related services must be built so that data they generate — along with the metadata needed to interpret that data — are readily accessible to the user. This is a significant shift. Instead of manufacturers having exclusive control, users now have the right to request and receive “readily available” data about how their devices perform, how services are used, and the environment in which they operate. To make this work, EU companies will need clear internal processes for identifying what data exists, what counts as “readily available,” and how it can be shared securely.
Points of Difference
So, what are the key differences between UK and EU law now the new EU Act has been introduced? In layman’s terms there are three main areas of the new law to be aware of. Where the EU now creates mandatory rights to access and share smart data, the UK leaves such arrangements to individual contracts. Where the EU compels cloud providers to support interoperability and user switching, the UK relies on market competition and has no formal laws in place. And while the EU lays down specific rules against unfair data-sharing terms, the UK looks to general consumer and contract law, such as the Consumer Rights Act 2015.
The situation in the UK
Given this is EU legislation, UK organisations way well ask, ‘If we’re already aware of the UK data laws, do we need to pay any attention to the EU Data Act?’
The UK, of course, is no longer bound by EU regulations so the EU Data Act does not, in theory, effect UK organisations (both private and public sector) and citizens. The UK’s framework centres on the UK GDPR and the Data Protection Act 2018 as well as the new Data Use and Access Act.
A trickle down effect?
So, does that mean UK businesses and organisations can ignore the legislation? In my view, certainly not, especially with one eye on the future. Firstly, and most obviously, any company currently selling connected products or cloud services into the EU will need to comply for its EU customers. Even though the UK has its own privacy laws, organisations handling EU personal data still need to follow the EU Data Act.
In practice, this means a UK manufacturer of connected devices may need to redesign how users can access their data, or a UK-based cloud provider may have to adjust terms to allow seamless customer switching within the EU market.
That said, the majority of our clients are more likely to be concerned with research projects than private sector ‘selling’. It’s still not as black and white as one might assume though; If you’re a UK researcher simply collaborating with an EU partner and using shared datasets, you do not automatically need to make the data accessible under the Data Act. But if the collaboration involves IoT or product-generated data, and you are acting as a "data holder" under an EU contract, then yes — you may have to provide access according to the Data Act rules. It’s certainly an area in which due diligence is now necessary, if only applying in these outside use cases in which there is a contractual collaboration with an EU partner.
What it could mean for the future
For most businesses and organisations operating only in the UK, the EU Data Act has little direct effect at this time. However, there may well be longer term consequences. As how we manage and use data evolves, the worlds eyes are watching as this new legislation launches. Policymakers will continue to debate the merits of these types of laws and there may well be increased pressure on the UK to take steps to replicate the law if there turn out to be meaningful and quantifiable ‘pros’ e.g. accelerated research.
Similarly, in terms of private organisations, EU customers may begin to expect similar rights to data portability and fair access across the board, putting pressure on UK providers to adapt voluntarily.
So far, the (UK) government has not proposed its own “UK Data Act” focusing on the use of data generated by connected devices. Its own new data legislation, The Data Use and Access Act has an entirely different focus, reforming the UK’s data framework for public services, smart data schemes, researcher access, and regulation.
In summary
For now, the EU Data Act means little for UK consumers and businesses that operate solely within the UK. But for those with customers, devices, researchers or services in Europe, compliance or at the very least due diligence will be necessary. If you're a UK or EU organisation and you aren't sure how to comply, feel free to book a session with MetadataWorks for a free consultation and some technical recommendations.
With one eye on the future, the implications could be more significant as the impact of the legislation is felt in the EU and possible pressure begins to build this side of the channel.