Data Act — Regulation (EU) 2023/2854¶
The Data Act. It lays down harmonised rules on fair access to and use of data, with particular regard to data generated by connected products and related services (Internet of Things), to the making available of data to public sector bodies in the event of an exceptional need, to the switching between cloud data processing services and to the interoperability of data spaces. It applies alongside the GDPR (for personal data) and the AI Act (where data is used in the development or operation of artificial intelligence systems).
Identifiers¶
| Field | Value |
|---|---|
| Official title | Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) |
| CELEX | 32023R2854 |
| ELI | http://data.europa.eu/eli/reg/2023/2854/oj |
| Publication | OJ L, 2023/2854, 22.12.2023 |
| Adoption | 13 December 2023 |
| Entry into force | 11 January 2024 |
| Application | 12 September 2025 |
| Legal basis | Article 114 TFEU |
| Type of act | Regulation — directly applicable in all Member States |
Structure¶
11 chapters · 50 articles · 119 recitals · no annexes.
| Chapter | Subject | Articles |
|---|---|---|
| I | General provisions | 1 – 2 |
| II | Business-to-consumer and business-to-business data sharing | 3 – 7 |
| III | Obligations for data holders obliged to make data available pursuant to Union law | 8 – 12 |
| IV | Unfair contractual terms related to data access and use between enterprises | 13 |
| V | Making data available to public sector bodies, the Commission, the European Central Bank and Union bodies on the basis of an exceptional need | 14 – 22 |
| VI | Switching between data processing services | 23 – 31 |
| VII | Unlawful international governmental access and transfer of non-personal data | 32 |
| VIII | Interoperability | 33 – 36 |
| IX | Implementation and enforcement | 37 – 42 |
| X | Sui generis right under Directive 96/9/EC | 43 |
| XI | Final provisions | 44 – 50 |
Scope of application¶
Material (Art. 1(1)-(2)): applies to rules on (a) the making available of product data and related service data to the user; (b) the sharing of data between data holders and data recipients; (c) the making available of data to the public sector in case of exceptional need; (d) facilitating switching between data processing services; (e) safeguards against unlawful third-party access to non-personal data; (f) the development of interoperability standards. Covers both personal and non-personal data.
Personal (Art. 1(3)): applies to manufacturers of connected products and providers of related services; users in the Union; data holders and data recipients; public sector bodies, the Commission, the ECB and Union bodies requesting data on grounds of exceptional need; providers of data processing services serving customers in the Union (regardless of place of establishment); participants in data spaces and vendors of applications using smart contracts.
Safeguards and coordination (Art. 1(5)-(9)): expressly without prejudice to Union law on the protection of personal data, privacy and confidentiality of communications (in particular the GDPR, Regulation (EU) 2018/1725 and Directive 2002/58/EC); complements the rights of access and portability under Articles 15 and 20 GDPR; without prejudice to Union acts on criminal investigations, customs and taxation, AML/CFT, intellectual property (Directives 2001/29/EC, 2004/48/EC and (EU) 2019/790) and consumer protection (Directives 93/13/EEC, 2005/29/EC and 2011/83/EU).
Quadripartite cross-references with the AI Act, GDPR and DGA¶
The Data Act intersects in a structural way with the GDPR (for the "personal data" dimension), operationally with the AI Act (because the data shared under the Data Act is often input for the training or operation of AI systems) and systemically with the DGA (sister act of the EU data package, which it complements). Literal cross-references are concentrated on the Data Act ↔ GDPR axis; intersections with the AI Act and DGA are mainly operational and systematic in nature.
Data Act ↔ GDPR axis (direct cross-references in the text)¶
| Data Act | GDPR | Nature of the intersection |
|---|---|---|
| Art. 1(5) | Whole GDPR; Arts. 15, 20 | Safeguard clause: the Data Act is without prejudice to the GDPR; in case of conflict, the GDPR prevails. The rights in Chapter II of the Data Act complement (do not replace) the GDPR rights of access and portability |
| Art. 2, point (3) ('personal data') | Art. 4(1) | Definition: direct definitional cross-reference |
| Art. 2, point (11) ('data subject') | Art. 4(1) | Definition: direct definitional cross-reference |
| Art. 2, point (20) ('profiling') | Art. 4(4) | Definition: direct definitional cross-reference |
| Recital 7 | Arts. 6, 9; Art. 5(3) Dir. 2002/58/EC | Processing of personal data under the Data Act requires a valid GDPR legal basis and, for special categories, the conditions of Art. 9. The ePrivacy Directive remains applicable to data in terminal equipment |
| Recital 8 | Art. 5(1)(c); Art. 25 | Data minimisation and data protection by design remain guiding principles also in Data Act sharing operations |
| Chapter II — Arts. 3-7 | Art. 20 | Right of access to and sharing of connected-product data: complementary to the GDPR right to portability, but with broader material scope (IoT data) and personal scope (the user, not only the data subject) |
| Recital 22 | Art. 4, points (7)-(8) | GDPR processors do not as such act as data holders (Data Act); they may, however, be instructed to do so by the controller |
Data Act ↔ AI Act axis (operational intersections)¶
| Data Act | AI Act | Nature of the intersection |
|---|---|---|
| Chapter II — Arts. 3-7 | Whole AI Act, in particular Art. 10 | Connected-product data made accessible by virtue of the Data Act constitutes a legitimate source for the data governance of high-risk AI systems (quality, representativeness, bias monitoring) |
| Chapter VI — Arts. 23-31 | Art. 25 (AI value chain) | The right to switch between cloud services affects the portability of trained AI models and the technical dependencies of the deployer on specific providers |
| Recitals 7-8 | Art. 2(7); Art. 10 | When the shared data is personal data, the training or operation of an AI system using it falls simultaneously under Data Act, GDPR and AI Act: the framework is cumulative, not alternative |
| Chapter VIII — Arts. 33-36 | Chapter VIII (EU database); common European data spaces | Interoperability of data spaces is a technical pre-condition for the data ecosystems on which many sectoral AI systems rely |
Data Act ↔ DGA axis (sister acts of the EU data package)¶
The DGA (Reg. (EU) 2022/868) and the Data Act are the two sister acts of the European data strategy: the DGA introduces a horizontal framework for governance of re-use, intermediation and altruism; the Data Act extends the scope to data from connected products (IoT) and regulates B2C, B2B, B2G data sharing and cloud switching. The two regulations operate cumulatively and are designed to be coherent.
| Data Act | DGA | Nature of the intersection |
|---|---|---|
| Recitals 1, 32, 90; whole framework | Whole DGA | The Data Act expressly states that it complements and does not replace the DGA: together they form the EU framework on data governance and access |
| Chapter II — Arts. 3-7 (B2C/B2B); Chapter VI — Arts. 23-31 (cloud switching) | DGA, Chapter III — Articles 10-15 (intermediation) | DGA intermediation services operate in coordination with B2C/B2B data sharing and cloud switching under the Data Act: requirements of interoperability, provider neutrality and portability apply consistently |
| Chapter II; Chapter V — Arts. 14-22 (B2G in exceptional need) | DGA, Chapter IV — Articles 16-25 (altruism) | DGA data altruism organisations can collect and make available data falling within Data Act mechanisms (e.g. data from connected products provided by the user with consent) |
| Chapter VIII — Arts. 33-36 (interoperability); Chapter IX (implementation and enforcement) | DGA, Chapter VI — Articles 29-30 (EDIB) | The EDIB (DGA Chapter VI) advises the Commission on interoperability standards for common European data spaces, which the Data Act operationalises through common standards, open interoperability specifications and codes of conduct |
| Art. 2, points (1), (16) ('data', 'metadata') | DGA, Art. 2, points (1), (6) ('data', 'permission') | The base definitions are aligned; the Data Act extends the vocabulary with operational concepts (connected product, related service, metadata) which presuppose the DGA framework |
Definitional quadrilateral (shared cross-references)¶
Three key definitions are identically referenced by Data Act, AI Act, GDPR and DGA, with the GDPR as the primary source:
| Concept | Data Act | AI Act | GDPR (source) | DGA |
|---|---|---|---|---|
| Personal data | Art. 2, point (3) | Art. 3(50) | Art. 4(1) | Art. 2, point (3) |
| Profiling | Art. 2, point (20) | Art. 3(52) | Art. 4(4) | n/a |
| Data subject | Art. 2, point (11) | (not redefined; refers to the GDPR) | Art. 4(1) | Art. 2, point (7) |
The table covers direct cross-references. Broader operational cross-references (interactions with DGA, DSA, Cyber Resilience Act, NIS2 and the Product Liability Directive) will be addressed in dedicated insights in the Soft law and Resources sections as the corresponding pages are published.
Amendments and corrigenda¶
The original text of 13 December 2023 entered into force on 11 January 2024 and applies from 12 September 2025. As of the publication date of this fact sheet, no corrigenda have been published in the Official Journal of the EU. Any future corrigenda or implementing/delegated acts adopted by the Commission will be incorporated in subsequent revisions of this page.
Application status¶
The Data Act entered into force on 11 January 2024, but most substantive obligations apply from 12 September 2025 (cf. Art. 50 and Recital 117). For some provisions further deadlines are foreseen, in particular:
- the data-by-default design obligations for connected products (Art. 3) apply to products placed on the market from 12 September 2026;
- some obligations on contracts between data holders and data recipients (Art. 13) have specific transitional regimes for pre-existing contracts;
- the provisions on switching between data processing services (Chapter VI) provide for a progressive transition on switching charges, with full elimination by 12 January 2027.
The regulation is directly applicable in all Member States with no need for implementing acts. National competent authorities are designated pursuant to Articles 37-38.
Related glossary terms¶
Entries from the AI-centric glossary relevant to this act:
Official sources¶
- EUR-Lex — Italian version (CELEX 32023R2854)
- EUR-Lex — English version (CELEX 32023R2854)
- EUR-Lex — European Legislation Identifier (ELI)
- European Commission — European data strategy
- European Commission — Data Act dedicated page
- European Data Protection Board (EDPB) and EDPS — joint opinion of 4 May 2022
Section index¶
- Recitals — full text of the 119 recitals in bilingual version, preceded by the introductory sentence of the preamble
- Text of the regulation — all articles organised by chapter:
- Chapter I — General provisions (Arts. 1-2)
- Chapter II — Business-to-consumer and business-to-business data sharing (Arts. 3-7)
- Chapter III — Obligations for data holders obliged to make data available pursuant to Union law (Arts. 8-12)
- Chapter IV — Unfair contractual terms related to data access and use between enterprises (Art. 13)
- Chapter V — Making data available to public sector bodies, the Commission, the European Central Bank and Union bodies on the basis of an exceptional need (Arts. 14-22)
- Chapter VI — Switching between data processing services (Arts. 23-31)
- Chapter VII — Unlawful international governmental access and transfer of non-personal data (Art. 32)
- Chapter VIII — Interoperability (Arts. 33-36)
- Chapter IX — Implementation and enforcement (Arts. 37-42)
- Chapter X — Sui generis right under Directive 96/9/EC (Art. 43)
- Chapter XI — Final provisions (Arts. 44-50)