Scope

The Data Act targets connected products within the Internet-of-things ecosystem, namely products capable of gathering, generating or collecting data communicated via various means. The key subjects of the act are “data holders”, including natural or legal persons with the right or obligation to use and make available data (typically manufacturers of connected products and providers of related services).

The Act also imposes obligations on providers of data processing services (e.g. IaaS-, PaaS- and SaaS-providers) in relation to the end-users right to switch between providers of data processing services.

NOTE: On 19 November 2025, the Commission proposed major amendments to the Data Act under the Digital Omnibus package, where the Data Act will become the EU’s single, consolidated legal instrument for access to and use of data, absorbing and replacing three major legal acts:

• Regulation (EU) 2018/1807 (Free Flow of Non-Personal Data Regulation)
• Regulation (EU) 2022/868 (Data Governance Act)
• Directive (EU) 2019/1024 (Open Data Directive)

Relevance

The Data Act seeks fostering a competitive and fair data market, stimulating data-driven innovation, and ensuring data accessibility. The Act will most likely lead to increased data transfers across national borders. Norwegian businesses should therefore ensure that they have the right to use the data they hold, for example, through explicit agreements. Furthermore, businesses should secure that their data can be effectively shared, by making it available in real-time, is continuously in a machine-readable format, and that sharing is done free of charge. Businesses should also implement procedures on how to initiate access to and deliver data to third parties.

Read more about the Data Act in this Article (Norwegian only).

Key obligations

The Data Act empowers users of IoT-products to access data from data holders under fair, reasonable and non-discriminatory terms (i.e. through a right to access data generated by the products, and a right to portability allowing users to migrate to third party services). The Act further limits an encompassed entity’s possibility to discriminate against data recipients, and introduces a “policing of reasonableness” with respect to standard terms used towards micro-, small-, and medium enterprises. Additionally, data holders are under an obligation to share data with governmental bodies upon further defined conditions.

Providers of data processing services are obliged to take measures to enhance end-user switching between providers of data processing services. These measures include mandatory contractual terms granting end-users a right to initiate a switching process upon no more than two months’ written notice or terminate the contract with the same notice if the end-user does not wish to proceed with the switching process. The Act also imposes information obligations regarding switching, requirements to technical aspects of switching, e.g. compliance with (expected) data sharing format standards, and a gradual ban of switching charges (fully banned from 12 January 2027).

With the proposed amendments in the Digital Omnibus Package, the expanded Data Act is now also expected to govern

(i) re-use of public sector data, including “high-value datasets” and research data.
(ii) New, streamlined rules for access to data held by public sector bodies, including both “open” and “protected” data.
(iii) Voluntary (rather than mandatory) schemes for data intermediation services and data altruism organisations.
(iv) Prohibition of unjustified localisation requirements for non-personal data, with harmonized conditions across the EU.

The proposed amendments also extend to the original scope of the Data Act, and include:

• A right for data holders to refuse to disclose trade secrets if there is a high risk of unlawful acquisition/use/disclosure in third countries or by entities under their control.
• Business obligations to provide data to public sector bodies are limited to ‘public emergencies’ (no longer broader cases of ‘exceptional need’).
• Lighter regime for switching/egress charges for custom-made cloud/data services (provided via contracts before 12 September 2025, and data processing services offered by SMEs and Small Mid-Caps (SMCs) under similar contracts. Proportionate early-termination penalties are also proposed to be allowed in fixed-term contracts.