The European Union (EU) data law comes into force today (September 12, 2025), giving citizens control over the data generated by their connected devices, such as smartwatches and cars, the European Commission says. It also says it opens up opportunities for small businesses to use that data to develop “innovative after-sales services.”
Business and consumer connected device users will now be able to access, use and share the raw data generated by their devices.
Among its provisions, the EU AI law will allow manufacturing or agricultural companies to access data about the operation of industrial equipment, which can improve their efficiency and performance. It will also allow cloud users to switch between cloud providers in parallel or use services from multiple providers, and it will prohibit unfair contracts that could prevent data sharing.
Chris Gove, senior director of EU public policy and head of the Brussels government affairs office at Cisco, told Computer Weekly on the eve of the “Big Day” that the novelty of the law should be noted.
“I see a lot of regulations around the world, and this is quite unique,” he said. “There are many types of data governance shops, and they are either looking at organizing data so that it can be shared with other parties or organizing it in a way that it is protected… but this is unique in that it is about sharing private sector data. This is really new ground, and I think companies and enforcement agencies are still figuring out how we are being seen, that
Linzi Penman, head of the UK technology practice at law firm DLA Piper, said the law was a victim of a sense of regulatory fatigue from a British perspective. “There is definitely a sense that the EU data law is a regulation that has ‘slipped through the net’ for many organisations, through a combination of a certain digital regulatory fatigue and a scope that is both complex and widely underestimated,” she said.
“The fact that no Member State has yet adopted laws setting out the enforcement regime for the Data Protection Act, despite today’s deadline for application, is a telling example of how challenging the EU’s digital regulatory environment is to manage from both sides – noting in particular the delays with the NIS2 local transport and the delays with the DORA RTSs
A complex and nuanced scope
Penman drew attention to how “the combination of a complex and nuanced scope, a lack of technical guidance compared to the General Data Protection Regulation (GDPR) and EU AI law, and a common underestimation of how far-reaching EU data law is, is causing headaches for many organizations.”
“The extension of data access and portability rights beyond personal data is a seismic shift,” she said. “We’ve spent years building processes around GDPR, and now companies in scope are being asked to apply similar rigor to non-personal data, including trade secrets. And if GDPR and Data Protection Act enforcement are applied simultaneously, the stakes of compliance are huge.”
Regarding the aspect of the law that makes it easier to switch cloud providers, Penman added, “The ambition of the law—to increase competition and prevent vendor lock-in—is laudable, but the unintended consequence could be an increase in complexity and cost to the cloud services business, and that is a potential issue that has been overlooked.”
Brenton O’Callaghan, chief product officer at Avantra, a supplier that automates SAP processes, said: “It can only be a good thing to enable more cost-effective reporting of data transfers between clouds when you choose to move cloud providers.”
“However, be under no illusion that this won’t necessarily make it easier or faster – the major cloud providers’ migration services and commitments have fine print and requirements, meaning it will still be a drag and will only be available if you comply with their requirements,” he said. “For example, transfers must be inter-company only and must be between the same type of service on different cloud platforms.
“EU regulation is useful in forcing companies to classify and understand the risks in their AI systems. The danger is that if the scope expands too widely, it risks slowing down innovation under layers of compliance. The balance should be risk-based and focus on high-risk use cases. If done right, it will prevent regulation from becoming an administrative tax or a barrier to market entry.”
The law does not apply directly to the UK, but, like similar EU legislation, it affects UK companies that manufacture products or provide services in the EU that fall within the scope of the law, such as connected devices, and with EU operations, customers or data flows that fall within the scope of the law.
The UK Data Use and Access Act 2025, which came into force on 19 June 2025, is also designed to simplify the processing and sharing of data by organisations.
At the time, technology secretary Peter Kyle outlined the government’s ambitions to harness data in a similar way to the European Commission’s Data Act. “For too long, previous governments have sat on a goldmine of data, wasting a powerful resource that could be used to help families juggle food costs, reduce the tedious administrative burden of life and make our NHS and police work smarter,” he said.
“These new laws will finally unleash that power.”