Since the Data Act officially became applicable one month ago, it has aimed to strengthen the European data economy and foster innovation across the EU. Among other things, the new regulation promotes fair data sharing and improved data interoperability to facilitate switching between cloud providers and to give users the ability to share their data with third parties.

This particularly affects “connected products” — physical devices capable of generating and transmitting product data about their performance, usage, or environment, such as smartphones, smartwatches, smart refrigerators, washing machines, other smart household appliances, and industrial machinery.
This also includes drones and connected vehicles — in essence, all products that fall under the Internet of Things (IoT), provided that their primary function is not to store, process, or transmit data on behalf of someone other than the user.

Connected products = Physical devices that generate and transmit product data relating to their performance, use, or environment and are part of the Internet of Things (IoT), provided that their primary function is not the storage, processing, or transmission of data on behalf of someone other than the user.

So-called “related services” are services that are intrinsically linked to a connected product, are necessary for its essential functionality, and must already be provided when the connected product is purchased, leased, or rented.

New Data Access and Sharing Rights for IoT Users

The idea behind the Data Act is that users should no longer be merely passive providers of data but instead gain active control and freedom of choice over how their data is used. Therefore, connected products and related services must be designed so that product data and related service data—including the metadata required to interpret and use that data—are directly accessible to users by default, free of charge, in a comprehensive, structured, commonly used, machine-readable format, and, where relevant and technically feasible, through direct access.


If direct access to the data from a connected product or related service is not technically possible, the data holder must provide the user with the relevant product and related service data. However, this obligation only applies to data that the data holder lawfully obtains—or can obtain without disproportionate effort — from the connected product or related service.

The data must be provided without undue delay, free of charge, in a comprehensive, commonly used, machine-readable format and — where technically feasible — with the same quality, continuity, and real-time availability available to the data holder. The datasets must also include all metadata necessary to interpret and use the data correctly. If users choose not to use the data themselves, they may exercise their new right to instruct the data holder to share it directly with a third party.

Important: By default, users must be able to access their data easily, securely, free of charge, in a comprehensive, structured, commonly used, machine-readable format and — where relevant and technically feasible — with the same quality available to the data holder.

Owners of a smart refrigerator, for example, would have the right to access data relating to temperature, energy consumption, door openings, or food inventory and share that data with repair services, smart home optimization providers, or grocery companies to automate replenishment. While this may result in discounts or additional services, it is unlikely to make anyone rich.

A more compelling business case exists for companies operating connected refrigeration systems. Here, the data holder may be required to provide operational data such as temperature histories or energy consumption. The company can then share this information with an external energy consultant for analysis—or instruct the data holder to transfer the data directly to that consultant.

While these new rights create opportunities for increased efficiency and innovation, data access and sharing also introduce significant risks, particularly in sensitive sectors such as healthcare and insurance.

New Interfaces – New Attack Vectors

For data holders, the Data Act means that technical interfaces must be implemented to allow users and authorized third parties to access data.

From an information security perspective, it is essential that these interfaces are designed securely. They must neither compromise security requirements (particularly those introduced by the Cyber Resilience Act) nor expose confidential business information. Interfaces are frequently among the most critical attack surfaces, as programming errors, misconfigurations, or insufficient security controls can create entry points for cyber attacks. Insecure interfaces further increase the cyber risks already associated with IoT devices. Otherwise, your smart refrigerator might quickly become very expensive — by automatically ordering thousands of euros’ worth of groceries after receiving manipulated data.

Threat Modeling, Security Architecture Reviews, and Penetration Testing are proven methods for assessing and improving the security of interfaces.

Refrigerator Attack Vector

Data holders should also ensure that roles and responsibilities for data governance are clearly defined.

If certain categories of data do not need to be shared, their scope can be contractually agreed upon between the user and the data holder. This ensures that users know exactly which data they may share with third parties.

Furthermore, organizations must implement appropriate and proportionate authentication mechanisms that require only the information necessary to verify an authorized user while still being able to distinguish between multiple users of the same connected device.

Data protection also plays a crucial role. Where datasets contain the personal data of multiple individuals, only the personal data relating to the requesting user may be disclosed.

The General Data Protection Regulation (GDPR) and applicable national data protection laws continue to take precedence over the Data Act.

Regarding the requirement to provide users with direct access to product data and related service data, manufacturers and operators still have one year to prepare, as this obligation only applies to connected products and related services placed on the market after 12 September 2026.

Enough time, perhaps, to come up with a profitable business model for the data generated by a smart refrigerator…


Would you like to prepare your organization for the technical and organizational information security requirements of the Data Act? The experts at CERTAINITY are happy to support you with tailored consulting and implementation services covering Data Governance and IoT Security.