Complying with the EU Data Act in Automotive
Managing Data Accessibility, Security, and Compliance
What is the EU Data Act?
The EU Data Act, adopted in 2023, came into full effect from 12th September 2025, establishing new requirements for data sharing, accessibility, and security in the digital economy. The EU Data Act is a comprehensive regulation designed to establish a harmonised framework for accessing and using data generated by connected devices and digital services across the European Union. This will change how vehicle manufacturers manage access to vehicle-generated data.
The Act aims to facilitate fair access to data, promote innovation, enhance competition, and allow businesses and public authorities to make better, data-driven decisions. As vehicles generate and process vast volumes of information, the EU Data Act carries major implications for the automotive industry.
Here is a regulatory timeline according to Appinventiv:
- 11 January 2024: Data Act comes into force.
- 12 September 2025: Most obligations become applicable, including data access and sharing requirements.
- 12 September 2026: Design obligations apply; connected products must enable direct user access to data.
- 12 September 2027: Certain obligations extend to contracts concluded before September 2025.
 
Sahas Katta, CEO & Co-Founder at Smartcar, describes the EU Data Act as a catalyst for change. “The Act requires automakers to open their data ecosystems to third parties under fair and transparent conditions - fundamentally changing how many automakers manage vehicle-generated data. Ultimately, it empowers vehicle owners with sovereignty over their data, compelling automakers to embrace a more user-centric data landscape.
We believe the EU Data Act is an essential step toward an accessible and standardized data ecosystem that benefits drivers, developers, and automakers alike.”
What are the Key Provisions of the EU Data Act?
Key provisions of the EU Data Act include:
- Data Accessibility: The Data Act grants users (e.g., vehicle owners, fleet operators) the right to access data generated by their products, including connected vehicles.
- Data Sharing: Manufacturers may be required to share certain data with third parties, such as service providers, repair shops, and insurers, under specified conditions.
- Data Security: The Act imposes strict requirements for the protection of personal and non-personal data, including encryption, access controls, and incident response measures.
- Interoperability: The Data Act promotes interoperability and standardised data formats to facilitate data sharing and reuse.
 
Strategies for Managing Data Accessibility, Security, and Compliance
- Implement Data Governance Frameworks: Establish clear policies and procedures for data collection, storage, sharing, and deletion.
- Enhance Cyber Security Controls: Deploy advanced encryption, access controls, and monitoring tools to protect vehicle data.
- Develop User-Centric Data Portals: Provide users with secure, user-friendly interfaces for accessing and managing their data.
- Engage with Third Parties: Establish contractual and technical frameworks for secure data sharing with authorised third parties.
- Monitor Regulatory Developments: Stay informed about updates to the Data Act and related regulations to ensure ongoing compliance.
 
Implications of the EU Data Act
The EU Data Act requires OEMs to enhance data transparency, implement robust cybersecurity measures, and adapt to data-driven business models such as predictive maintenance and usage-based insurance. Compliance presents significant challenges, demanding substantial updates to IT systems, operational processes, and contractual frameworks to meet regulatory standards and ensure user control over vehicle-generated data.
Bird & Bird highlights that these new obligations introduce considerable technical and commercial complexities for manufacturers and data holders. According to the firm, “Vehicles must be designed and manufactured in such manner that relevant data is, by default, available to EU user(s). If data cannot be directly accessed, data holders must make the data readily available without undue delay. Users are granted the right to access a wide range of data generated by their use of IoT products and related services and may even request that this data be made available to third parties of their choice. This may also require the disclosure of data considered trade secrets. The EU Commission will publish non-binding model contractual terms.
Manufacturers and data holders must ensure such access is provided under fair, reasonable and non-discriminatory terms (FRAND). Data holders are only permitted to make available data to non-EU public sector bodies under certain conditions. This necessitates inter alia, the conclusion of data sharing agreements with users and third parties (including competitors).”
Achieving compliance with the EU Data Act in the automotive sector requires a comprehensive approach, one that combines robust data governance frameworks, the adoption of advanced technologies, and an organisational culture that prioritises transparency and data protection. By proactively addressing these dimensions, automotive companies can navigate the evolving regulatory landscape effectively, ensuring both legal compliance and sustainable competitive advantage.