EU Data Act Applicability Test

The Data Act applies through different role and scenario tests. Article 1 covers manufacturers of connected products placed on the Union market, providers of related services, users in the Union, data holders making data available to data recipients in the Union, public-sector exceptional-need requests, providers of data processing services to customers in the Union, data-space participants, and vendors or deployers of smart contracts used to execute data-sharing agreements.

A single company can therefore be out of scope for one workflow and in scope for another. For example, a manufacturer may have Chapter II duties for a connected machine, Chapter IV exposure in a data-sharing contract, and Chapter VI duties only if it also provides a qualifying data processing service.

For Chapter II, ask whether the item is a connected product and whether the digital service is a related service. A connected product obtains, generates, or collects data about its use or environment and can communicate product data by electronic communications, physical connection, or on-device access. Its primary function must not be storing, processing, or transmitting data on behalf of another party.

A related service is not every digital service around a product. The Commission FAQ describes two practical indicators: there is bidirectional exchange of data between the connected product and service provider, and the service affects the connected product's functions, behaviour, or operation. Connectivity, power supply, auxiliary consulting, analytics, financial services, and ordinary repair or maintenance are not related services merely because they concern the product.

A user is a natural or legal person that owns a connected product, has temporary contractual rights to use it, or receives related services. The FAQ warns that ordinary use of a product inside a service, such as being a passenger, does not automatically make that person the Data Act user of the connected product.

A data holder is the person with the right or obligation to use and make available data under the Data Act or other applicable EU or national law. A data recipient is a business actor, other than the user, to whom the data holder makes data available. Data Act Chapter II third-party sharing is limited to recipients in the Union, and DMA gatekeepers cannot be the third party under that mandatory IoT data-sharing route.

Chapter II is about product data and related-service data that are readily available to a data holder. The Commission describes the core in-scope set as raw and pre-processed data, including metadata needed to understand and use it. Data does not leave scope simply because privacy-enhancing technologies such as anonymisation, pseudonymisation, or encryption were applied.

Do not treat all analytics as user-access data. The FAQ places highly enriched data, inferred or derived data, data resulting from additional investments, and content often protected by intellectual property rights outside the Chapter II access set. The test should therefore distinguish sensor measurements, status logs, usage events, and necessary metadata from proprietary scores, predictions, models, reports, or creative content.

Chapter II does not apply to data generated through connected products manufactured or designed, or related services provided, by a microenterprise or small enterprise, unless the enterprise is linked to a larger enterprise or is subcontracted to manufacture, design, or provide the service. A medium-sized enterprise has a narrower temporary carveout for products placed on the market during the first year after it first qualifies as medium-sized.

Even when Chapter II applies, access is not absolute. The Data Act preserves GDPR and privacy law, allows narrowly framed security restrictions, and protects trade secrets through proportionate technical and organisational measures. Article 50 also delays the Article 3(1) design-by-default duty for connected products and related services placed on the market after 12 September 2026.

Chapter VI does not depend on a connected product. It applies to providers of data processing services that provide qualifying services to customers in the Union, including cloud and edge models that enable on-demand network access to configurable, scalable, and elastic computing resources.

For cloud applicability, identify the source provider, customer, service type, exportable data, digital assets, switching route, and any custom-built or testing-only service status. Article 31 excludes non-production testing and evaluation services provided for a limited period, and gives certain custom-built services a lighter regime rather than removing every Chapter VI duty.

A public-sector request is in the Data Act's Chapter V route only where a public sector body, the Commission, the European Central Bank, or a Union body demonstrates an exceptional need for specific data to perform a statutory public-interest task. Non-emergency requests are limited to non-personal data and require the requester to show why other means were exhausted.

Data-space and smart-contract scope is a different test. Article 33 applies to participants in data spaces that offer data or data services to other participants. Article 36 applies to vendors of applications using smart contracts, or deployers of smart contracts for others, where the smart contract executes all or part of an agreement to make data available.

The final record should say exactly what is in scope, what is out of scope, what chapter applies, and which facts remain unresolved. A useful conclusion is specific enough for product, legal, procurement, cloud, security, and support teams to act without re-litigating the whole scenario.

Use exclusion labels carefully. The Data Act does not apply to areas outside Union law, certain criminal-law, customs, taxation, public-security, defence, and national-security matters, and it does not supersede GDPR, privacy, IP, consumer-protection, or sector-specific data-access rules. Those overlaps should be recorded as parallel legal checks, not as shortcuts around the Data Act.