Big changes are coming for any startup, scaleup, or small and medium-sized enterprise (SME) in the EU’s connected products (e.g. connected cars, medical and fitness devices), services (i.e. anything that would make a connected product operate in a specific way, such as an app to adjust the brightness of lights), or cloud markets (e.g. servers or cloud infrastructure). On 12 September 2025, the EU Data Act will begin to apply in full, reshaping how data is accessed, shared, and used across the European digital economy. For startups and SMEs, particularly those working with connected products, related services, or cloud infrastructure, the Data Act represents both an operational challenge and a philosophical shift in how the law treats data ownership and access.
At ACT | The App Association, we share the EU’s goal of promoting innovation and competition through greater data availability. But some of the Data Act’s obligations, especially the broad, mandatory data-sharing requirements, raise important questions, particularly for startups, about privacy, security, and the long-term viability of current business models.
What the Data Act requires
The Data Act imposes the following binding obligations on companies that manufacture connected products, provide related services, or operate as cloud or data processing service providers:
- Mandatory Data Sharing
Companies that offer connected products must make usage-generated data available, free of charge, to the customer, and, at the customer’s request, to third parties, including competitors. This includes data used for after-sales services. Many industrial companies may not realise that the online interfaces for their products mean they must comply with this rule. The requirement applies to raw data and certain pre-processed data, meaning product designs and systems may need to be adapted to foster a competitive data market, encourage data-driven innovation, and increase data availability. For startups, this can be a costly and risky shift, potentially forcing disclosure of valuable information that currently underpins their competitive position.
- Pre-Contractual Transparency
Before selling a connected product or service, companies must clearly explain what data will be generated, who will have access to it, and for what purposes it will be used. This will require reviewing and updating sales contracts, terms of service, and marketing materials to meet the new transparency standard. It’s important to explain to customers exactly what data you collect and how it’s used, before they buy.
- Data Licensing for Non-Personal Data
Certain non-personal data must be licensed under terms compliant with the Data Act. Think operational metrics and device usage stats: not personal information, but data that may still hold commercial value. This adds contractual complexity and may require legal restructuring of how data rights are granted and managed.
- Cloud and Data Processing Portability
Providers must remove barriers to switching services and, from January 2027, will no longer be able to charge switching fees. Technical systems will need to support migration in structured, machine-readable formats without unreasonable delay.
- Safeguards and Limits
While companies can withhold data if sharing would reveal trade secrets or create security risks, these refusals can be challenged. The Data Act sets a high bar for such exceptions, creating uncertainty for businesses relying on sensitive data.
The startup perspective
For startups, scaleups, and SMEs, the Data Act is more than a compliance checklist; it has the potential to reshape core parts of your business model. A connected product you’ve built as your competitive edge could now require you to hand over customer-generated usage data to a rival. ‘Transparency’ obligations might mean rethinking how you pitch and sell. Even your contractual terms for non-personal data could need a full overhaul.
The App Association has consistently urged the European Commission to avoid overly prescriptive, one-size-fits-all mandates for data access. We recommend scalable, risk-based rules that recognise the operational realities of small and medium-sized companies. Voluntary, incentive-based models, rather than compulsory handover of data to competitors, would better protect innovation while still increasing access for users and fostering interoperability. Where data sharing is required, it must be balanced with strong safeguards for sensitive business information, contractual freedom, and proportionality in implementation.
Moving forward
Most obligations will apply from 12 September 2025, but some will phase in later, such as the ‘access by design’ rule for connected product manufacturers (2026) and the ban on cloud switching fees (2027). Enforcement will be handled at the national level, with penalties potentially reaching €20 million or 4 per cent of global turnover.
The Data Act is no longer a distant policy on the horizon; it’s about to reshape the playing field for connected products, data services, and cloud providers in the EU. For startups and SMEs, this isn’t just about ticking compliance boxes. It’s about making smart, strategic choices now to protect your competitive edge while adapting to a new regulatory reality.
At the same time, implementation across Member States is still evolving, and the way national authorities interpret and enforce the Act will shape its real-world impact. This creates both uncertainty and opportunity: uncertainty in how the rules will apply in practice, and opportunity for startups and SMEs to make their voices heard before the enforcement landscape solidifies.
The rules aren’t set in stone across EU Member States, and we will continue to advocate for policies that promote innovation and ensure SMEs have a fair shot at success in the EU market. Your input can help shape how authorities interpret and enforce them. To join our advocacy efforts, email Brad Simonich here.