The Impact of the Data Act on Connected Medical Devices

By Sophie Bernard - Privacy & Data Protection Manager

 

Today, Friday, September 12, 2025, Regulation (EU) 2023/2854, known as the Data Act, comes into effect. This represents a significant regulatory milestone for manufacturers of data-driven technologies employed across various sectors.

The Data Act governs fair, secure, and free access to data produced by so-called "internet-connected products", a category that includes many modern medical devices capable of collecting, processing, and transmitting health data, usage data, and metadata.

The Data Act aims to revolutionize the digital economy by removing barriers to data use. It clearly defines who can use data, how, and under what conditions. The goal is to eliminate obstacles within the European single data market, promoting transparency, competitiveness, and innovation.

What are the new obligations for manufacturers?

First, manufacturers must determine which devices fall within the definition of connected products. For those devices, the software architecture needs to be redesigned to ensure “by design” and “by default” data accessibility. This entails implementing APIs, data export interfaces, and authentication systems that enable secure, simplified access in standard formats that integrate easily with commonly used healthcare IT systems.

Manufacturers should also meet specific contractual transparency obligations towards users by providing detailed information on the type of data collected, how data is updated and accessed, and any applicable limitations. Medical device manufacturers must guarantee the continuous provision of data to users free of charge, which requires significant investment in data management infrastructure and cybersecurity.

What are the new rights and responsibilities?

The Data Act recognizes new rights for medical device users — which may include patients, healthcare facilities, and physicians — such as:

  • The right to full access to generated data,
  • The right to transparency regarding data collection and usage methods,
  • The right to transfer data to authorized third parties,
  • The right to data interoperability through European standards.

These new rights require a comprehensive review of manufacturers' production processes and data management practices implemented by data controllers. This may involve revising or updating protections for trade secrets and renegotiating contracts to avoid non-negotiable (“take-it-or-leave-it”) and abusive data-sharing clauses imposed by stronger parties.

In particular, the Data Act introduces specific protections against abusive clauses in business-to-business contracts, especially safeguarding SMEs that must access data under non-discriminatory conditions. Standard Contractual Clauses (SCCs), developed by the European Commission in collaboration with the European Data Protection Board (EDPB), provide model contract terms that promote transparency, accountability, legal compliance, and harmonization of agreements, including cross-border data transfers.

SCCs prevent unfair or unilateral restrictions that could hinder access rights and data usage under the Data Act by balancing bargaining power and facilitating technical and legal interoperability across SaaS platforms, IoT devices, and digital services. Essentially, they are key instruments translating the Data Act's regulatory principles into effective and standardized contractual practices within the European data market.

These non-binding standard contractual clauses are expected to be finalized by autumn 2025. They are intended to ensure a harmonized legal framework that supports interoperability and compliance, both contractual and infrastructural, across the organizations involved, with a significant impact on IoT and cloud service business models.

What are the concrete implications for the healthcare sector?

The Data Act imposes stringent requirements on access, sharing, and portability of data generated by connected products and digital services, redefining contracts and operational modalities for manufacturers and service providers.

It complements the Data Governance Act and aligns with the broader European Strategy for Data. Additionally, it requires integration with existing Medical Device legislation, such as MDR and IVDR, potentially increasing design and regulatory compliance burdens. This will have an economic impact on manufacturers producing digital devices. Ensuring secure and accessible data for users demands heightened attention and frequent updates.

To assist companies in navigating these new rules, the European Commission has published a comprehensive Fact Page and an FAQ section on its website, outlining the objectives and practical functioning of the Data Act.

In conclusion, the Data Act establishes a harmonized data governance framework that, despite presenting regulatory and technical challenges, offers an opportunity to enhance medical devices and improve health data management and usage for the benefit of users and the entire Life Sciences ecosystem.