In just a few days, on 12 September 2025, the EU Data Act becomes applicable across Europe. This regulation transforms how businesses share data from connected products – and it doesn’t just affect EU companies. Swiss manufacturers should take note: if you sell or operate “smart” devices in the EU, the Data Act’s obligations apply to you too.
This blog post explains what the EU Data Act is, which products and data fall in scope, and how it might result in the end of trade secrets as we know them. We also focus on practical steps for Swiss companies to comply and protect their intellectual property in this new era of data transparency.
The EU Data Act (Regulation (EU) 2023/2854) establishes harmonised rules on data access and sharing in the European Union.
In broad terms, the Data Act aims to:
In essence, the Data Act establishes a new framework for who can access data and on what terms, especially in the context of the Internet of Things and data-driven services.
Connected products – also known as IoT devices – are in scope. The Act defines a connected product as “any item that obtains, generates or collects data concerning its use or environment and is able to communicate this data via an electronic communications service, physical connection or on-device access.” In simpler terms, if a device has sensors or software that gather data (about its usage, performance, surroundings, etc.) and can transmit that data (e.g. via internet, Bluetooth, etc.), it’s a connected product. Its primary function should not be storing or processing data for others. Common examples include smart appliances (fridges, thermostats), connected vehicles, industrial machines with IoT sensors, wearable devices like fitness trackers, medical devices and similar smart gadgets.
Related services – digital services that are linked to a connected product’s functionality – are also covered. For instance, an app that controls your smart home device, or a cloud service that analyses machine data, would be a “related service” if the product needs it to function or if it enhances the product’s features.
Data in scope: The Data Act’s user access rights apply to all data (personal and non-personal) generated by the use of a connected product or related service, provided it is “raw” or minimally processed data that is readily available. This typically means the direct output of sensors or user actions – e.g. a machine’s temperature readings, an appliance’s usage logs, a vehicle’s telemetry (range, location, usage time), or a smartwatch’s battery level and step count. Metadata is also included. Crucially, “highly enriched” or derived data is not covered.
Personal vs non-personal data: The Act covers both, but it does not override GDPR or other data protection laws. If the device data includes personal data (e.g. a user’s behaviour data), any sharing must still comply with GDPR – meaning you need a lawful basis, possibly user consent, and must apply data minimisation.
Which users get access? The law grants rights to users in the EU – a “user” can be either a consumer or a business that owns, rents, or leases the connected product (or subscribes to the service). There may be multiple co-users of one product, and all are entitled to access the data they contributed to generating. Data holders (typically the manufacturer or service provider) will need mechanisms to ensure each authorised user can retrieve the relevant data.
The EU Data Act brings a mix of technical duties, contractual obligations, and new rights.
Here are the most relevant requirements that manufacturers and data holders need to prepare for:
The Data Act’s reach is “extraterritorial” – any company operating or offering connected products or related services in the EU must comply, regardless of where it’s based. So a Swiss manufacturer selling smart devices into the EU market is fully in scope.
One of the most controversial aspects of the EU Data Act is how it handles trade secrets. Companies have long guarded device data and machine logs as proprietary information – valuable assets not to be shared with competitors or sometimes not even with customers. Now, the Data Act essentially says: if the data comes from your customer’s use of a product, you must share it with them (or their chosen third party), even if that data reveals insights you’d rather keep secret.
Instead of allowing a blanket refusal, the Data Act provides that trade secret data should be shared if the requesting user or third party agrees to confidentiality measures to protect the secret. In practice, this means you, as the data holder, can and should require NDA-style agreements or other technical safeguards before handing over data that contains trade secrets. What if the user or third party refuses reasonable confidentiality terms, or if you catch them trying to misuse your secret data? In that case, you may withhold sharing the data to preserve the trade secret – trade secret protection remains “crucial,” and failure to agree on safeguards is a valid reason to say no.
Built-in protections against misuse: The law also seeks to prevent third parties from abusing shared data. Any third party receiving data via the Data Act at a user’s request must agree to strict use limitations. They cannot use the data to develop a competing product, cannot target the original data holder’s market position, and must respect all confidentiality and trade secret agreements.
With the Data Act’s start date imminent, here are some practical steps for companies to prepare and adapt:
The EU Data Act marks a turning point in the digital economy. It shifts the balance of power over data, giving users rights to access what used to be siloed in manufacturers’ servers. For companies, especially those outside the EU like in Switzerland, it challenges old habits of hoarding data. The era of absolute trade secrets in device data is ending – but not in chaos. Instead, a new paradigm is emerging: one of transparent data sharing, balanced by confidentiality and fair use obligations.
Joscha Milinski