Starting September 12, 2026, connected products sold in the EU must be built with data access functionality. This alert discusses the new access-by-design obligation and provides practical steps for compliance.

The New Access-by-Design Obligation

The EU Data Act (Regulation (EU) 2023/2854) became applicable on September 12, 2025. Among other things, it requires data holders to provide users, upon request, with access to certain product data and related service data generated by connected products and related services.

From September 12, 2026, an additional obligation will apply. Connected products and related services placed on the market after that date must be designed so that relevant data are, by default, easily, securely and directly accessible to users, free of charge, where relevant and technically feasible. The “technically feasible” condition gives some leeway to businesses to design a product or service so that all or part of the relevant data is directly or indirectly accessible, taking into account technical feasibility, costs, trade secrets, intellectual property, security concerns, and the relevance of direct access in the specific scenario. Where indirect access is relied on, businesses should be able to justify their decision.

Once access is enabled, the relevant data must be made available in a comprehensive, structured, commonly-used and machine-readable format, together with the information necessary to understand and use it.

Impact of the Digital Omnibus Proposal

The European Commission recently proposed changes to several EU digital regulations, including the Data Act (the Digital Omnibus Proposal). For instance, the proposal provides greater flexibility for data holders to refuse data access requests for reasons of trade secret protection. However, the proposal does not impact the Data Act’s core rules on data access, and it is currently unclear if/when the proposal could be adopted. Businesses should continue developing their compliance programs under the current version of the Data Act.

For more information about the European Commission's Digital Omnibus Proposal, please refer to our previous alert.

Next Steps

With the September 2026 deadline approaching, businesses should:

• identify if they have any products or related services in scope of the Data Act;
• identify the data elements that qualify as product data or related service data to which users have rights under the Data Act, which includes both B2B and B2C users;
• update their pre-contractual information and user terms to describe users’ data access rights, as necessary to comply with the Data Act; and
• determine whether direct access is relevant and technically feasible for in-scope products and services.

EU countries are putting national Data Act enforcement frameworks in place, including designating competent authorities and setting penalties for noncompliance. For example, Finland, Germany, the Netherlands, and Poland have adopted or advanced local implementing legislation. Although no major enforcement actions have been reported to date, the coming year is likely to bring closer scrutiny by regulators. Businesses should monitor regulatory enforcement across relevant jurisdictions.

Wilson Sonsini will host a webinar on September 9, 2026, examining the state of play of the Data Act one year on, including the status of implementation across EU countries and emerging market practices. Registration is available here.

Wilson Sonsini Goodrich & Rosati routinely advises clients on EU data regulatory issues. For more information about the Data Act and other data regulations, please contact Laura De Boel, Laura Brodahl or any attorney from Wilson Sonsini's EU Data, Privacy, and Cybersecurity practice.

Yaron Moszynski contributed to the preparation of this alert.