EU Data Act: a Swiss manufacturer’s guide

  • 05 Sep 2025

In just a few days, on 12 September 2025, the EU Data Act becomes applicable across Europe. This regulation transforms how businesses share data from connected products – and it doesn’t just affect EU companies. Swiss manufacturers should take note: if you sell or operate “smart” devices in the EU, the Data Act’s obligations apply to you too.

This blog post explains what the EU Data Act is, which products and data fall in scope, and how it might result in the end of trade secrets as we know them. We also focus on practical steps for Swiss companies to comply and protect their intellectual property in this new era of data transparency.

What is the EU Data Act?

The EU Data Act (Regulation (EU) 2023/2854) establishes harmonised rules on data access and sharing in the European Union.

In broad terms, the Data Act aims to:

  • Empower users of connected devices (IoT products) with rights to access data generated by their products and share it with third parties of their choice.
  • Ensure fairness in data sharing contracts, mandating terms that are fair, reasonable and non-discriminatory (FRAND) and banning unfair “take-it-or-leave-it” clauses imposed by stronger parties.
  • Allow public sector bodies to access private-sector data in emergencies or other exceptional needs, under defined conditions.
  • Enable customers to switch between cloud/data processing services easily and without hefty fees, to prevent vendor lock-in (applying from 2027).

In essence, the Data Act establishes a new framework for who can access data and on what terms, especially in the context of the Internet of Things and data-driven services.

Which products and data are covered?

Connected products – also known as IoT devices – are in scope. The Act defines a connected product as “any item that obtains, generates or collects data concerning its use or environment and is able to communicate this data via an electronic communications service, physical connection or on-device access.” In simpler terms, if a device has sensors or software that gather data (about its usage, performance, surroundings, etc.) and can transmit that data (e.g. via internet, Bluetooth, etc.), it’s a connected product. Its primary function should not be storing or processing data for others. Common examples include smart appliances (fridges, thermostats), connected vehicles, industrial machines with IoT sensors, wearable devices like fitness trackers, medical devices and similar smart gadgets.

Related services – digital services that are linked to a connected product’s functionality – are also covered. For instance, an app that controls your smart home device, or a cloud service that analyses machine data, would be a “related service” if the product needs it to function or if it enhances the product’s features.

Data in scope: The Data Act’s user access rights apply to all data (personal and non-personal) generated by the use of a connected product or related service, provided it is “raw” or minimally processed data that is readily available. This typically means the direct output of sensors or user actions – e.g. a machine’s temperature readings, an appliance’s usage logs, a vehicle’s telemetry (range, location, usage time), or a smartwatch’s battery level and step count. Metadata is also included. Crucially, “highly enriched” or derived data is not covered.

Personal vs non-personal data: The Act covers both, but it does not override GDPR or other data protection laws. If the device data includes personal data (e.g. a user’s behaviour data), any sharing must still comply with GDPR – meaning you need a lawful basis, possibly user consent, and must apply data minimisation.

Which users get access? The law grants rights to users in the EU – a “user” can be either a consumer or a business that owns, rents, or leases the connected product (or subscribes to the service). There may be multiple co-users of one product, and all are entitled to access the data they contributed to generating. Data holders (typically the manufacturer or service provider) will need mechanisms to ensure each authorised user can retrieve the relevant data.

Key obligations and timeline

The EU Data Act brings a mix of technical duties, contractual obligations, and new rights.

Here are the most relevant requirements that manufacturers and data holders need to prepare for:

  • Data access on request (B2C/B2B) – effective 12 September 2025: Starting this month, users (whether consumers or business customers) have the right to request access to the data generated by their use of a product or service. If the device itself doesn’t provide direct access, the data holder (usually the manufacturer or service provider who controls the data) must provide it “without undue delay” and free of charge, upon a simple request (e.g. via an online portal).
  • “Access by design” – product design changes by 12 September 2026: The next phase is more proactive: manufacturers will have to build new products (where technically feasible) in a way that users can directly access their data “by design”.
  • Pre-contract transparency – effective 12 September 2025: Manufacturers and sellers of connected products must inform customers at the point of sale about the device’s data capabilities. For Swiss companies drafting sales contracts or product documentation for the EU market, now is the time to update those materials to include clear, user-friendly data disclosures (likely in manuals, packaging, or online FAQs provided before purchase).
  • Fair and non-discriminatory contract terms (B2B sharing) – effective 12 September 2025: If you’re structuring a data-sharing agreement with another company, be aware that the Act prohibits unfair contract terms in such agreements. The Act even provides a “blacklist” of clauses that are always void and a “grey list” of clauses presumed to be unfair.

The Data Act’s reach is “extraterritorial” – any company operating or offering connected products or related services in the EU must comply, regardless of where it’s based. So a Swiss manufacturer selling smart devices into the EU market is fully in scope.

Trade secrets and the new era of data transparency

One of the most controversial aspects of the EU Data Act is how it handles trade secrets. Companies have long guarded device data and machine logs as proprietary information – valuable assets not to be shared with competitors or sometimes not even with customers. Now, the Data Act essentially says: if the data comes from your customer’s use of a product, you must share it with them (or their chosen third party), even if that data reveals insights you’d rather keep secret.

Instead of allowing a blanket refusal, the Data Act provides that trade secret data should be shared if the requesting user or third party agrees to confidentiality measures to protect the secret. In practice, this means you, as the data holder, can and should require NDA-style agreements or other technical safeguards before handing over data that contains trade secrets. What if the user or third party refuses reasonable confidentiality terms, or if you catch them trying to misuse your secret data? In that case, you may withhold sharing the data to preserve the trade secret – trade secret protection remains “crucial,” and failure to agree on safeguards is a valid reason to say no.

Built-in protections against misuse: The law also seeks to prevent third parties from abusing shared data. Any third party receiving data via the Data Act at a user’s request must agree to strict use limitations. They cannot use the data to develop a competing product, cannot target the original data holder’s market position, and must respect all confidentiality and trade secret agreements.

Practical recommendations for compliance

With the Data Act’s start date imminent, here are some practical steps for companies to prepare and adapt:

  1. Assess if you’re in scope: Map out which of your products or services qualify as “connected products” or “related services”. Also determine if you are the “data holder” for those products (i.e., you control the data).
  2. Appoint an EU representative: As a non-EU company subject to the Data Act, designate a representative within the EU before September 2025. This could be an affiliate or a professional service provider.
  3. Conduct a gap analysis: Review your current capabilities and policies against the Data Act requirements:
    • Do your products currently allow any form of user data access?
    • Is your data organised and stored in a way that you can extract and share it quickly upon request?
  4. Develop a Data Access Request process: By September 2025, have a clear process for receiving and fulfilling data requests from users:
    • Create a user-facing channel (like a web form or portal) where customers can ask for their data.
    • Define internal roles: Who will receive these requests? Who will gather the data?
    • Prepare confidentiality agreements or terms for data sharing.
    • Train your support and account teams about these new rights. They should know that they cannot simply refuse a data request and how to guide customers through the process.
  5. Update contracts and customer communications:
    • Pre-sale disclosures: Update user manuals, brochures, or online product pages with the required information about data generation and sharing.
    • User agreements: If you have terms of service or EULAs for your product, revise them to acknowledge the user’s Data Act rights. Remove or avoid any clause that would restrict the user from accessing or sharing data – such clauses will be unenforceable anyway.
    • B2B contracts: For contracts with business partners (e.g., a service provider who will get device data to deliver added services), bake in the FRAND principles and the specific obligations from the Act. Also include the third-party obligations (non-compete, confidentiality, no onward sharing without permission, etc.) as covenants – essentially mirroring the law’s requirements in your contracts to ensure partners are on the same page. Consider using the European Commission’s upcoming standard contractual clauses for data sharing.
    • Confidentiality and IP clauses: In any data sharing situation, include robust confidentiality provisions.
  6. Plan product redesign for “access by design”: 2026 is not far off in product development terms. If you have new models in the pipeline, start integrating data accessibility features now.
  7. Implement internal safeguards for trade secrets: As noted, you should identify which data points in your devices are sensitive trade secrets.
  8. Seize the opportunity: Finally, try to see the upside. The Data Act, while imposing compliance burdens, also opens doors for new business models. By making data more accessible, you as a manufacturer can offer new data-driven services (e.g. proactive maintenance, usage-based offerings) in partnership with third parties – or even monetise data in fair ways if customers consent. It encourages a more vibrant aftermarket and could reduce customer lock-in resentment, potentially increasing brand loyalty. Companies that embrace data sharing early might gain a competitive edge in developing AI and analytics solutions around their products (since they’ll be organising and leveraging data more systematically).

Conclusion

The EU Data Act marks a turning point in the digital economy. It shifts the balance of power over data, giving users rights to access what used to be siloed in manufacturers’ servers. For companies, especially those based outside the EU, such as in Switzerland, it challenges old habits of hoarding data. The era of absolute trade secrets in device data is ending – but not in chaos. Instead, a new paradigm is emerging: one of transparent data sharing, balanced by confidentiality and fair use obligations.

Contact us

Philipp Rosenauer

Partner, Legal, PwC Switzerland

+41 58 792 18 56


Joscha Milinski

Partner Cloud, Data and AI, PwC Switzerland

+41 58 792 23 58
