European Commission Publishes Updated FAQ (v. 1.3) on the Data Act

On 12 September 2025, the European Commission published version 1.3 of the FAQ on the Data Act (Regulation 2023/2854).

Click here to read the latest FAQ in its entirety.

Click here to read our article on notable findings from the previous version.

As with earlier iterations, the FAQ is not legally binding, but it serves as a practical guide to assist stakeholders in applying the rights and obligations established under the Data Act. The new version builds on the previous version published in February 2025 and introduces new questions as well as expanding answers to certain existing questions.

Some of the notable changes include the following:

  • Edge processing (Q5a): Local device data can trigger obligations if externally accessible
  • Anonymisation (Q13a): Anonymisation cannot bypass sharing obligations
  • Technical requirements (Q22a): Data must be timely, high-quality, convenient, secure and usable
  • Pre-existing connected products (Q34a): Legacy connected products also require user agreements for continued data use

Edge processing

Many connected products are designed to process data locally (i.e., on the device itself) rather than in a cloud environment. This “edge processing” reduces delays, improves efficiency and often reflects privacy by design choices that limit unnecessary data transfers. The Data Act respects these design principles and does not require that products be redesigned in a way that undermines them.

The data sharing obligations pursuant to the Data Act apply where raw or pre-processed data goes beyond instant local use. This includes situations where the data was stored (even if only briefly), retrievable (e.g., by a local memory, a port, or a user interface), or transmittable externally (capable of being sent outside the device through a SIM card, Wi-Fi, Bluetooth or similar connection). What matters is whether the in-scope data was at any point accessible or transmittable in this way. If that threshold is met, it qualifies as ‘readily available’ and must be made accessible to the user or to a third party authorised by the user in accordance with the Data Act.

Where a device is technically capable of external storage or transmission, proportionate and feasible solutions should be considered. This could involve giving the user a copy of the data while it is also used internally, providing short-term storage that can be accessed later, or creating secure local storage that the user can unlock.

The intention is to prevent situations where manufacturers are the only ones who benefit from insights generated by edge processing. At the same time, the guidance recognises that compliance should remain realistic and consistent with the actual design of the product.


Anonymisation

Anonymisation or pseudonymisation cannot be used to bypass obligations under the Data Act. If data is transferred from a connected product to the manufacturer’s backend, users and authorised third parties must be given a reasonable chance to obtain a copy of the raw or pre-processed data before it is anonymised or encrypted.

Data remains “readily available” where there are reasonable means to reconnect it to a user or a specific product without substantial changes or costs. Techniques such as anonymisation, encryption or severing the link between stored data and the product may be valuable for protecting privacy or trade secrets, but they do not in themselves remove data from the scope of the Data Act.


Technical and practical requirements

The Data Act sets out concrete requirements on how data must be shared. A data holder must provide information in a structured, commonly used and machine-readable format that allows interoperability. Formats such as XML, JSON or CSV are expected to meet this standard, while proprietary formats that require licences or special tools do not. The data must be of the same quality as that which the data holder makes available to itself, to another entity within its corporate group, or in line with recognised industry practices.

The rules require that data is delivered without undue delay. In practice, this means a data holder should implement automated request handling, self-service portals or APIs rather than relying on manual processes. In cases where continuous or real-time sharing is relevant and technically feasible, latency must be minimised. This is especially important in industrial monitoring or connected mobility, where even minor delays can undermine the usefulness of the data.

Access must also be convenient and secure. A user or an authorised third party should not face unnecessary hurdles such as being forced to attend specific service centres (possibly allowed in exceptional cases), being restricted to narrow time slots, or having to pay disproportionate fees. At the same time, the data holder must protect against unauthorised access or misuse by implementing appropriate safeguards such as encrypted transfer channels and strong authentication.


Pre-existing connected products

The Data Act applies not only to products placed on the market after 12 September 2025 but also to those sold before that date. Data holders who can identify the user of an existing product must either adapt existing contracts or conclude new ones to secure the user’s agreement to continued data use.

Where a user cannot be identified despite reasonable efforts, the holder may continue using data from the product. In such cases, there is no risk of breaching the prohibition on using data to derive insights into a user’s economic situation or production methods. However, once a user comes forward and requests access, a contractual basis must be put in place for the holder to continue using the data.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure