As manufacturers of connected products race toward the critical September 12, 2026 compliance deadline for the EU Data Act’s “data access by design” requirements, Germany is finalizing implementation legislation that designates the Federal Network Agency (Bundesnetzagentur) as the central enforcement authority and establishes fines of up to 4% of annual EU turnover for violations. The Data Act, which became applicable across the EU on September 12, 2025, represents a fundamental shift in data governance—moving beyond personal data protection to regulate access, use, and portability of all data generated by IoT devices, connected products, and cloud services.
Executive Summary
The EU Data Act (Regulation (EU) 2023/2854) introduces far-reaching rules on access to and use of data generated by connected products and related services. Unlike the GDPR, which focuses exclusively on personal data, the Data Act covers all types of data—including industrial, machine-generated, and non-personal data—creating obligations for manufacturers, service providers, and cloud platforms that extend well beyond traditional privacy compliance.
Key developments include:
- September 12, 2025: general Data Act provisions became applicable across the EU
- September 12, 2026: the "data access by design" obligation (Art. 3(1)) applies to connected products and related services placed on the market after this date
- Germany's implementation: expected in 2026, designating the Federal Network Agency (Bundesnetzagentur) as enforcement authority
- Penalties: the Regulation leaves fine levels to member states (Art. 40); for personal-data-related infringements the GDPR supervisory authorities may impose GDPR-level fines; Germany's draft provides for fines of up to 4% of annual EU turnover
- Scope: affects IoT manufacturers, cloud service providers, SaaS platforms, data holders, and data recipients
The Data Act fundamentally alters business models built on data exclusivity, requiring manufacturers to make product-generated data directly accessible to users and enabling data sharing with third parties at users’ request. For cloud service providers, the regulation mandates switching mechanisms that reduce vendor lock-in—a provision tech giants unsuccessfully lobbied to weaken.
What is the EU Data Act?
Legislative Context
The Data Act forms part of the European Union’s broader data strategy, which includes:
- GDPR (personal data protection)
- Data Governance Act (data sharing frameworks and data altruism)
- Data Act (access and use of industrial/IoT data)
- AI Act (regulation of artificial intelligence systems)
- Digital Markets Act (regulation of digital gatekeepers)
- Digital Services Act (platform liability and content moderation)
Together, these regulations create a comprehensive digital governance framework positioning the EU as the global standard-setter for technology regulation.
Core Objectives
The Data Act aims to:
1. Enable users to access and use data generated by connected products they own or use
2. Facilitate data sharing between businesses through contractual agreements
3. Grant public sector bodies access to data in exceptional circumstances (public emergencies, official statistics)
4. Prevent unfair contract terms in business-to-business data sharing agreements
5. Enable cloud switching by reducing technical and contractual barriers
6. Promote interoperability through data standards and formats
What Makes the Data Act Different from GDPR?
Aspect | GDPR | Data Act
Scope | Personal data only | All data (personal, non-personal, industrial)
Focus | Protection of natural persons | Fairness in data access and use
Primary concern | Privacy and data subject rights | Economic value and data sharing
Obligated parties | Controllers and processors of personal data | Manufacturers, data holders, providers of data processing services, data recipients
Rights | Data subject rights (access, erasure, etc.) | User rights to access and share product data; switching rights for cloud customers
Penalties | Up to €20M or 4% of global turnover | Set by member states (Art. 40); GDPR-level fines for personal-data infringements of Chapters II, III and V; Germany's draft: up to 4% of annual EU turnover
Critical Point: The Data Act complements but does not replace GDPR. When data generated by connected products includes personal data, both regulations apply, creating layered compliance obligations.
Key Provisions of the Data Act
Chapter II: Data Generated by Connected Products (Articles 3-7)
Article 3: Data Access by Design (Critical September 2026 Deadline)
Requirement: Connected products must be designed and manufactured, and related services designed and provided, so that product data and related service data, including the metadata necessary to interpret and use them, are by default easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, directly accessible to the user (Art. 3(1)). Under Art. 50 this design obligation applies to connected products and related services placed on the market after September 12, 2026.
Pre-contractual information (Art. 3(2)-(3)): before a connected product is sold, rented or leased, or a related service contract is concluded, the user must be told, among other things:
- the type, format and estimated volume of product data the product can generate
- whether data are generated continuously and in real time
- whether data are stored on the device or on a remote server, and for how long
- how the user may access, retrieve or erase the data
- whether the manufacturer or data holder intends to use the data itself, and the identity of the data holder
Design obligations in practice:
- Technical interfaces enabling direct access (on the device where feasible, otherwise via the data holder)
- Clear identification of the data categories and metadata available
- Secure transmission and authenticated access
- Documentation for users on how to access data
- Structured, commonly used, machine-readable formats
Enforcement: the Regulation equips national competent authorities with investigation powers, orders to stop an infringement and financial penalties (Art. 37 and 40). It creates no product-recall or sales-ban mechanism of its own; whether such market surveillance tools also attach is a matter for national implementing law.
Critical implications: Manufacturers must redesign product architectures to enable direct user data access. This is not a privacy policy update; it requires engineering changes to hardware and software systems.
Article 4: User's Right to Access and Use Product Data
Obligation: Where data cannot be directly accessed from the product, the data holder (typically the manufacturer or service provider) must make readily available data, with the relevant metadata, available to the user:
- without undue delay
- free of charge
- of the same quality as is available to the data holder
- easily, securely, in a comprehensive, structured, commonly used and machine-readable format
- where relevant and technically feasible, continuously and in real time
This right has applied since September 12, 2025, including to products already on the market; only the Art. 3(1) design obligation is deferred to 2026.
Who is affected:
- IoT device manufacturers (smart home devices, wearables, connected vehicles)
- Industrial equipment manufacturers (sensors, machinery, logistics trackers)
- Consumer electronics makers (smart appliances, fitness trackers, connected toys)
Further rules in Art. 4:
- The data holder may not make exercising these rights unduly difficult, for example through non-neutral choice architecture (Art. 4(4))
- Trade secrets are protected through measures agreed before disclosure; disclosure may be refused only in the narrow cases the article sets out, with notification of the competent authority (Art. 4(6)-(8))
- The user may not use the data to develop a connected product that competes with the one the data came from (Art. 4(10))
- The data holder may use non-personal product data itself only on the basis of a contract with the user, and may not pass it to third parties except to fulfil that contract (Art. 4(13)-(14))
Practical impact of the contract requirement and the user's sharing right:
- End of proprietary data lock-in for IoT ecosystems
- Users can authorize competitors to access product data
- Third-party service providers can build services using product data
Example: A smart home device manufacturer cannot rely on its terms of service to keep device data for itself or to prevent users from having it shared with competitor platforms or third-party automation services; contract terms that exclude or derogate from the user's rights are not binding (Art. 7(2)).
Article 5: Right of the User to Share Data with Third Parties
Process: On request of the user, the data holder must make readily available data, with metadata, available to a third party chosen by the user:
1. without undue delay, of the same quality as is available to the data holder, easily, securely and, where relevant and technically feasible, continuously and in real time
2. free of charge to the user (the data holder may agree compensation with the third party under Art. 9)
3. only with a valid GDPR legal basis where the data are personal and the user is not the data subject (Art. 5(7))
Not eligible as third parties: gatekeepers designated under the Digital Markets Act (Art. 5(3)).
Technical requirements:
- APIs or other technical interfaces for data transmission
- Security measures to protect data in transit
- Authentication of the user's request and of the authorized third party
- Logging of data access for audit purposes
Article 6: Obligations of Third Parties Receiving Data
A third party that receives data at the user's request:
- processes it only for the purposes and under the conditions agreed with the user, and erases it when no longer necessary
- may not use it to develop a connected product that competes with the one the data came from, nor share it with another third party for that purpose (Art. 6(2)(e))
- may not pass it on to another third party unless agreed with the user
- may not use it to profile the user unless necessary to provide the service the user asked for
- may not coerce, deceive or manipulate the user, or prevent the user from withdrawing the authorization
Article 7: Scope
Chapter II does not apply to data generated by products or services of micro and small enterprises (with anti-circumvention conditions for partner and linked enterprises), nor to medium-sized enterprises for one year after they outgrew that status (Art. 7(1)). Contract terms that exclude or derogate from the user's Chapter II rights, or that are to the user's detriment, are not binding (Art. 7(2)).
Compensation for Making Data Available (Article 9, Chapter III)
Principle: Where a data holder is obliged to make data available to a data recipient in a business-to-business relation, for instance to a third party under Art. 5, any agreed compensation must be non-discriminatory and reasonable and may include a margin (Art. 9(1)). It is calculated from:
- costs of making the data available, including formatting, dissemination and storage
- investments in collecting and producing the data, taking into account whether other parties contributed
Limits:
- For recipients that are SMEs or non-profit research organisations, compensation may not exceed the costs directly related to making the data available (Art. 9(4))
- Discrimination between comparable recipients is prohibited
- The data holder must give the recipient enough detail on the calculation to verify it
- Compensation is cost- and investment-based; fees keyed to the value the recipient extracts from the data, or set high enough to discourage sharing, have no basis in Art. 9
Disputes over compensation may be brought before a certified dispute settlement body (Art. 10).
Chapter VI: Switching Between Data Processing Services (Articles 23-31)
The Regulation speaks of "data processing services", a term that covers IaaS, PaaS, SaaS and comparable cloud and edge services.
Article 23: Removing Obstacles to Effective Switching
Obligation: Providers must take the measures set out in the chapter so that customers can:
- switch to another provider of the same service type
- move to on-premises ICT infrastructure
- use several providers at the same time
- export their data and digital assets and, for IaaS, re-establish functional equivalence
and must remove pre-commercial, commercial, technical, contractual and organisational obstacles to doing so.
Affected providers:
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
- Other data processing services, with partial exemptions for largely custom-built services and for services provided only for testing or evaluation (Art. 31)
Article 25: Contractual Terms Concerning Switching
Required contract terms (in writing, available before signature) include:
- The customer's right to switch or to export data on request, with a maximum notice period of two months
- A mandatory maximum transitional period of 30 calendar days during which the contract continues and the provider assists the migration; where 30 days is technically unfeasible, the provider must say so within 14 working days and propose an alternative period of at most seven months
- An exhaustive specification of the data and digital assets that can be exported, including the formats
- A minimum retrieval period of at least 30 calendar days after the transitional period ends
Prohibited in practice: exit terms and contractual obstacles that defeat these rights, and refusal to assist the switch.
Articles 26-28: Information, Good Faith and Transparency
- Providers must inform customers about available switching procedures and tools, and about the formats in which data can be exported (Art. 26)
- All parties must cooperate in good faith to make switching effective and timely (Art. 27)
- Providers must publish on their website the jurisdiction their ICT infrastructure is subject to and the measures they take to prevent unlawful third-country governmental access to non-personal data (Art. 28)
Article 29: Switching Charges
- Until January 12, 2027, providers may charge only reduced switching charges that do not exceed the costs directly linked to the switching process
- From January 12, 2027, switching charges are prohibited altogether
Article 30: Technical Aspects of Switching
- IaaS providers must take all reasonable measures to facilitate functional equivalence in the destination service: re-establishing a minimum level of functionality from the exported data and digital assets, not running both environments in parallel
- Other providers must make open interfaces available and support export in structured, commonly used, machine-readable formats, including relevant metadata, using open interoperability specifications or harmonised standards where they exist
Timeline: at most two months' notice, 30 calendar days of transition and at least 30 calendar days of data retrieval; longer transitional periods only where technically justified and disclosed to the customer.
Chapter VII: Unlawful International Governmental Access (Article 32)
Protection: Providers of data processing services must take all adequate technical, organisational and legal measures, including contracts, to prevent international and third-country governmental access to, and transfer of, non-personal data held in the Union where that would conflict with Union law or the law of the relevant member state (Art. 32(1)). A decision of a third-country court or authority requiring such access is recognised or enforceable only if based on:
- An international agreement in force between the third country and the EU or a member state, such as a mutual legal assistance treaty (MLAT)
- Absent such an agreement, a verification that the third country's system requires reasons and proportionality, that the decision is specific, and that the addressee can have it reviewed by a competent court (Art. 32(3))
Implications: Providers must assess and document:
- Risk of third-country government access requests
- Technical and organisational measures to resist unlawful access
- Procedures for handling government data requests, releasing only the minimum amount of data permissible
- Customer notification before complying with a request, where legally possible
Context: This provision targets concerns about the U.S. CLOUD Act and China's National Intelligence Law, both of which can compel domestic companies to provide data to government authorities.
Chapter IX: Implementation and Enforcement (Articles 37-40)
Article 37: Competent Authorities
Requirement: Each EU member state must:
- Designate one or more competent authorities and, where there are several, a data coordinator as single point of contact
- Leave the personal-data aspects to the GDPR supervisory authorities (Art. 37(3))
- Equip the authorities with the resources and powers to investigate, to order an infringement to cease, to impose penalties and to cooperate with other member states' authorities (Art. 37(5))
- Provide for the right to lodge a complaint (Art. 38) and for judicial remedy against decisions (Art. 39)
Germany's approach: Draft implementation legislation designates the Federal Network Agency (Bundesnetzagentur) as the central enforcement authority, leveraging its experience regulating telecommunications and energy sectors.
Article 40: Penalties
The Regulation fixes no uniform fine ceiling:
- Member states lay down the penalty rules, which must be effective, proportionate and dissuasive (Art. 40(1))
- For infringements of Chapters II, III and V, the GDPR supervisory authorities may impose fines in accordance with GDPR Art. 83, up to the Art. 83(5) amount of €20 million or 4% of worldwide annual turnover (Art. 40(4))
- Germany's draft implementation act provides for fines of up to 4% of annual EU turnover, with remaining specifics to be settled in the final legislation
Calculation factors (Art. 40(3)):
- Nature, gravity, scale and duration of the infringement
- Action taken to mitigate or remedy the damage
- Previous infringements
- Financial benefits gained or losses avoided
- Other aggravating or mitigating factors
- Annual turnover in the preceding financial year
Germany’s Implementation: Bundesnetzagentur Takes the Lead
Why the Federal Network Agency?
Germany's choice of Bundesnetzagentur as the Data Act enforcement authority is strategic:
Existing regulatory expertise:
- Telecommunications sector regulation (decades of experience)
- Energy sector oversight (complex technical systems)
- Postal services regulation (logistics and data flows)
- Railway infrastructure oversight
- Digital Services Coordinator for Germany under the Digital Services Act
Technical capacity:
- Staff with engineering and technical backgrounds
- Experience assessing compliance of complex systems
- Established processes for market surveillance
- Cross-border coordination experience (EU regulatory networks)
Enforcement credibility:
- History of imposing significant fines
- Established relationships with industry
- Procedures for investigations and remediation
- Track record of enforcing EU regulations domestically
Draft Implementation Act Provisions
Enforcement powers:
- Authority to conduct investigations
- Power to request documentation and information
- Ability to issue compliance orders
- Right to impose fines for violations
- Market surveillance responsibilities
Penalty structure: Germany's draft legislation provides for:
- Administrative fines up to specified amounts (exact figures in final legislation)
- Fines of up to 4% of annual EU turnover for the most serious violations
- Consideration of aggravating/mitigating factors
- Public disclosure of enforcement actions
Complaint mechanism:
- Users and businesses can file complaints
- Bundesnetzagentur must investigate credible complaints
- Obligation to inform the complainant of the outcome
- Judicial review of decisions available
Timeline for German Implementation
Expected legislative process:
- Early 2026: Draft legislation finalized and introduced
- Mid 2026: Parliamentary review and amendments
- Late 2026: Final passage and presidential signature
- Early 2027: Full implementation and enforcement begins
Practical effect: Even before German legislation is final, the Data Act already applies directly as an EU regulation. Germany's implementation act primarily:
- Designates the enforcement authority (Bundesnetzagentur)
- Establishes the national penalty framework
- Creates procedural rules for investigations
- Provides details on complaint mechanisms
September 2026: The Critical Deadline
Why September 12, 2026 Matters
Data Access by Design (Article 3(1)) becomes mandatory:
All connected products and related services placed on the market after September 12, 2026 must meet the design obligations (Art. 50):
- Built-in technical interfaces for direct data access
- Documentation for users on accessing data
- Secure transmission mechanisms
- Structured, commonly used, machine-readable formats, including the metadata needed to interpret the data
- Clear identification of available data categories
- Access free of charge
What "Placed on the Market" Means
In scope:
- New products first made available for distribution or use in the EU after September 12, 2026
- Existing product models if substantially modified after the deadline, so that they count as new products when made available again
Potentially out of scope:
- Products already on the market before September 12, 2026 (though the Art. 4 access right has applied to them since September 12, 2025)
- Second-hand products, since resale is not a new placing on the market
- Products imported for personal use (not commercial distribution)
Ambiguity: What constitutes a "substantial modification" is not defined in the Data Act itself, creating uncertainty about when existing product lines must be updated to comply with the design obligation.
Industry Readiness: A Mixed Picture
Survey findings (various industry sources):
- Only 30-40% of IoT manufacturers report being fully prepared for the September 2026 deadline
- Many companies have begun technical assessments but not implementation
- Lack of technical standards creates compliance uncertainty
- Cross-functional coordination (legal, engineering, product) is often inadequate
Common gaps:
1. Technical architecture: Many products were designed without data access in mind; retrofit is expensive
2. Data identification: Companies struggle to document what data their products generate
3. Security measures: Enabling direct user access without compromising security is challenging
4. Documentation: User-facing materials explaining data access are often missing
5. Testing: Few companies have validated data access functionality with actual users
Consequences of Missing the Deadline
Enforcement actions:
- Competent authorities can order non-compliant data holders to bring products into compliance and impose penalties
- Product withdrawal or recall is not a remedy the Regulation itself provides; whether national market surveillance law adds it depends on the implementing legislation
- Importers and distributors may face liability
- Brand reputation damage from regulatory action
Commercial impact:
- Competitive disadvantage vs. compliant competitors
- Loss of customer trust
- Potential contract breaches with B2B customers requiring compliance
- Disruption to product launch timelines
Financial risk:
- Fines for non-compliance
- Costs of emergency compliance retrofits
- Revenue loss from delayed product launches
- Litigation from business partners or customers
Compliance Challenges and Strategies
Challenge 1: Technical Implementation
Problem: Many IoT and connected products were designed with proprietary data ecosystems. Opening data access requires fundamental architectural changes.
Solution strategies:
- APIs for data access: Develop RESTful APIs or similar interfaces for standardized data retrieval
- Data catalogs: Create machine-readable inventories of available data categories and their metadata, marking which categories contain personal data
- Authentication and authorization: Implement OAuth 2.0 or a comparable delegated-authorization scheme so that a third party can act only within the scope the user granted, and so that the user can withdraw that grant
- Rate limiting: Protect systems from excessive data requests while still meeting the access obligations
- Monitoring and logging: Record every access request, including refusals, for audit and security purposes
Technical standards: While the Data Act does not mandate specific technical standards, industry groups are developing:
- Data format recommendations (JSON, XML schemas)
- API design patterns for IoT data access
- Security protocols for data transmission
- Interoperability frameworks
Challenge 2: Defining "Reasonable Compensation"
Problem: Article 9 allows a data holder to agree reasonable, non-discriminatory compensation with a business data recipient, but does not define "reasonable" precisely, creating uncertainty about permitted pricing. Access by the user, and sharing with a third party at the user's request, remain free of charge to the user.
Factors to consider:
- Direct costs (infrastructure, bandwidth, processing, storage)
- Development costs (API creation, security measures), amortized appropriately
- Investment in collecting and producing the data
- Administrative overhead (customer support, account management)
- Volume and complexity of data requests
Prohibited or unsupported pricing:
- Charging more than the direct costs of making data available when the recipient is an SME or a non-profit research organisation (Art. 9(4))
- Excessive fees designed to discourage data access
- Price discrimination between comparable recipients without objective justification
- Charging on the basis of the value the recipient derives from the data, which is not among the Art. 9 calculation factors
Best practice:
- Document the cost basis for any fees charged and be ready to disclose it to the recipient
- Never charge the user for access or for sharing at the user's request
- Charge business recipients only for high-volume or complex commercial requests
- Review pricing regularly against actual costs
Challenge 3: GDPR Interaction
When data includes personal data: Both GDPR and Data Act apply, creating layered obligations:
Aspect | GDPR requirement | Data Act requirement | Resolution
Legal basis | Required for any processing of personal data | Personal data may be made available to the user or a third party only where a GDPR Art. 6 basis exists (Art. 4(12), 5(7)) | Identify the legal basis per data category before exposing it
User consent | One possible legal basis, required for certain processing | Not required for access to non-personal data | Where the user is not the data subject, consent or another basis is needed for personal data
Right to erasure | Data subject can request deletion | User can access data; third party must erase data when no longer necessary (Art. 6) | Erasure rights prevail; access interfaces must not resurrect erased data
Third-party sharing | Requires legal basis and notice | User can authorize sharing (Art. 5) | Ensure GDPR compliance when shared data include personal data
Security | Appropriate technical and organisational measures (GDPR Art. 32) | Easy, secure access (Art. 3(1), 4(1)) | Implement one set of measures that satisfies both
Practical approach:
- Conduct a GDPR DPIA for the data access functionality
- Implement technical separation of personal and non-personal data categories where feasible, so that non-personal categories can be served without a per-request legal-basis check
- Provide clear privacy notices about data access and sharing
- Honor GDPR rights (erasure, objection) even in the Data Act context
- Ensure third parties receiving data comply with GDPR when applicable
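The access-path controls listed under Challenge 1 (scoped third-party authorization, rate limiting, audit logging) and the per-category personal-data handling under Challenge 3 can be seen together in one small model. The block below is an added example written for this page; it is not code from the page, from any regulator or from any vendor, and it stands in for an OAuth-style token service rather than reproducing one. Everything in it is an assumption for illustration: the data catalog, the sample readings, the HMAC-signed grant format, the identifiers `DataHolder`, `issue_grant`, `fetch`, `revoke` and `attempt`.

```python
"""Scoped, revocable, rate-limited grants for user-authorised third-party data access.

Added illustrative example: not code from the page, from any regulator or from any vendor. It models
the data-holder side of a Data Act access path; DATA_CATALOG, SAMPLE_DATA and every identifier below
are constructed assumptions for illustration."""
import base64, hashlib, hmac, json, secrets, time

# Constructed catalog (assumption): which categories the product emits and which hold personal data.
DATA_CATALOG = {"telemetry.temperature": {"personal": False},
                "telemetry.energy_kwh": {"personal": False},
                "location.history": {"personal": True}}
# Constructed sample readings (assumption) standing in for the product data store.
SAMPLE_DATA = {("user-42", "telemetry.temperature"): [{"ts": 1700000000, "value": 21.5}],
               ("user-42", "telemetry.energy_kwh"): [{"ts": 1700000000, "value": 0.42}],
               ("user-42", "location.history"): [{"ts": 1700000000, "lat": 52.52, "lon": 13.40}]}

class AccessDenied(Exception):
    """Grant is malformed, forged, expired, revoked, out of scope, or rate-limited."""

class DataHolder:
    """Issues, verifies and revokes grants; rate-limits each third party; logs every attempt."""

    def __init__(self, signing_key, clock=time.time, rate_limit=(5, 60.0)):
        self._key = signing_key      # HMAC key; keep it in a KMS/HSM in production
        self._clock = clock          # injectable clock so expiry can be exercised offline
        self._revoked = set()        # grant ids the user has withdrawn
        self._buckets = {}           # third_party -> [tokens_left, last_refill]
        self.max_requests, self.window = rate_limit
        self.audit_log = []          # append-only record of every access attempt

    def _mac(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_grant(self, user_id, third_party, categories, ttl_seconds, purpose, gdpr_basis=None):
        """User authorises `third_party` to read `categories` for `ttl_seconds`; personal-data
        categories need a stated GDPR Art. 6 basis before they may be shared (Data Act Art. 5(7))."""
        unknown = sorted(set(categories) - set(DATA_CATALOG))
        if unknown:
            raise ValueError(f"unknown data categories: {unknown}")
        if any(DATA_CATALOG[c]["personal"] for c in categories) and not gdpr_basis:
            raise PermissionError("personal-data categories need a GDPR legal basis")
        grant = {"gid": secrets.token_hex(8), "user": user_id, "tp": third_party,
                 "scope": sorted(categories), "exp": self._clock() + ttl_seconds,
                 "purpose": purpose, "gdpr_basis": gdpr_basis}
        payload = base64.urlsafe_b64encode(json.dumps(grant, sort_keys=True).encode()).decode()
        return f"{payload}.{self._mac(payload.encode())}"

    def _decode(self, token):
        """Authenticate the token (constant-time MAC check) before trusting anything inside it."""
        payload, _, mac = token.rpartition(".")
        if not payload or not hmac.compare_digest(mac, self._mac(payload.encode())):
            raise AccessDenied("bad signature")
        return json.loads(base64.urlsafe_b64decode(payload))

    def revoke(self, token):
        """User withdraws the authorisation; later requests carrying this grant are refused."""
        self._revoked.add(self._decode(token)["gid"])

    def _take_token(self, third_party):
        """Token bucket: `max_requests` per `window` seconds for each third party, refilled continuously."""
        now = self._clock()
        tokens, last = self._buckets.get(third_party, [self.max_requests, now])
        tokens = min(self.max_requests, tokens + (now - last) * self.max_requests / self.window)
        allowed = tokens >= 1
        self._buckets[third_party] = [tokens - 1 if allowed else tokens, now]
        return allowed

    def fetch(self, token, caller, category, data_source):
        """Check signature, caller binding, expiry, revocation, scope and rate limit; log; serve."""
        gid, outcome = None, "ok"
        try:
            grant = self._decode(token)
            gid = grant["gid"]
            if grant["tp"] != caller:
                raise AccessDenied("token not issued to caller")
            if grant["exp"] < self._clock():
                raise AccessDenied("grant expired")
            if gid in self._revoked:
                raise AccessDenied("grant revoked")
            if category not in grant["scope"]:
                raise AccessDenied("category out of scope")
            if not self._take_token(caller):  # only otherwise-valid requests consume a bucket token
                raise AccessDenied("rate limit exceeded")
            return data_source(grant["user"], category)
        except AccessDenied as exc:
            outcome = f"denied: {exc}"
            raise
        finally:
            self.audit_log.append({"ts": self._clock(), "caller": caller, "gid": gid,
                                   "category": category, "outcome": outcome})

def attempt(holder, token, caller, category):
    """Return (data, None) on success or (None, reason) when access is denied."""
    try:
        return holder.fetch(token, caller, category, lambda u, c: SAMPLE_DATA.get((u, c), [])), None
    except AccessDenied as exc:
        return None, str(exc)
```

The order of checks is deliberate: the token is authenticated before any field in it is read, the caller binding and expiry are checked before the revocation set is consulted, and the rate-limit bucket is only charged for requests that would otherwise succeed, so a third party cannot be starved by its own malformed or out-of-scope calls. Every attempt, including refusals, lands in the audit log with the grant id, which is what an authority or the user will ask for when questioning who pulled what. A real deployment would replace the shared HMAC with a signed or opaque token from an authorization server and keep the revocation set in a shared store.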
Challenge 4: Cloud Provider Switching
For cloud service providers:
Contractual review:
- Eliminate or justify exit fees
- Reduce minimum commitment periods
- Remove technical lock-in provisions
- Clarify switching assistance obligations
Technical implementation:
- Develop self-service data export tools
- Create standardized configuration export formats
- Implement APIs for automated migration
- Test switching processes with diverse customer scenarios
Documentation:
- Publish switching guides and timelines
- Document data formats and dependencies
- Provide migration assistance procedures
- Clarify what is/isn't portable (e.g., provider-specific features)
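An export that the customer cannot verify for completeness is not much of an export. The block below is an added example for this page, not code from the page or from any provider: the provider emits a manifest that lists every exported object with its size, SHA-256, declared format and schema version, and whether it is portable at all, and the customer checks the received bundle against that manifest. The sample objects, the `SAMPLE_FORMATS` table and the function names are constructed for illustration, and the manifest is authenticated with an HMAC key handed over out of band, which is an assumption; a production export would carry a public-key signature instead.

```python
"""Export manifest with integrity and completeness verification for cloud switching.

Added illustrative example: not code from the page or from any provider. The provider
lists every exported object with its size, SHA-256, format, schema version and whether
it is portable; the customer checks the received bundle against that list. The manifest
MAC uses a key handed over out of band (assumption; a real export would carry a public-key
signature instead). All sample objects and names are constructed."""
import hashlib
import hmac
import json

# Constructed sample bundle (assumption): path -> bytes as the customer would receive them.
SAMPLE_OBJECTS = {
    "config/tenant.json": b'{"region": "eu-central", "retention_days": 30}',
    "data/events.csv": b"ts,user,action\n1700000000,u1,login\n1700000060,u1,upload\n",
    "config/managed-rules.json": b'{"managed_rule_set": "provider-waf-v7"}',
}
# Declared (format, schema version, portable) per object; provider-specific objects are
# flagged so the customer knows up front what will not carry over to another provider.
SAMPLE_FORMATS = {
    "config/tenant.json": ("json", "tenant-config/1.0", True),
    "data/events.csv": ("csv", "event-log/2.1", True),
    "config/managed-rules.json": ("json", "provider-waf-rules/7", False),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(objects, formats, export_id, key):
    """Provider side: one entry per exported object plus a MAC over the whole manifest."""
    entries = []
    for path in sorted(objects):
        fmt, schema, portable = formats[path]
        entries.append({"path": path, "bytes": len(objects[path]), "sha256": sha256_hex(objects[path]),
                        "format": fmt, "schema": schema, "portable": portable})
    body = {"export_id": export_id, "objects": entries}
    body["hmac_sha256"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

def verify_export(manifest, received, key):
    """Customer side: flag a bad manifest MAC and any missing, corrupt or unlisted object.
    `ok` is True only when every listed object arrived intact and nothing unlisted was included."""
    body = {k: v for k, v in manifest.items() if k != "hmac_sha256"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    report = {"bad_manifest_mac": not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")),
              "missing": [], "corrupt": [], "unlisted": [], "not_portable": []}
    listed = set()
    for entry in manifest.get("objects", []):
        path = entry["path"]
        listed.add(path)
        if not entry["portable"]:
            report["not_portable"].append(path)   # informational: expected loss, not an error
        if path not in received:
            report["missing"].append(path)
        elif len(received[path]) != entry["bytes"] or sha256_hex(received[path]) != entry["sha256"]:
            report["corrupt"].append(path)
    report["unlisted"] = sorted(set(received) - listed)
    report["ok"] = not (report["bad_manifest_mac"] or report["missing"]
                        or report["corrupt"] or report["unlisted"])
    return report
```

The report separates three failure modes that a migration team treats differently: a missing object means the export is incomplete and the transitional period should not be allowed to lapse; a corrupt object means re-export; an unlisted object means the provider shipped something it did not declare, which needs explaining before it is imported. The `not_portable` list is the machine-readable form of the "what is and isn't portable" documentation the chapter requires, and the `schema` field is what the destination provider's import tooling keys on.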
Challenge 5: Third-Country Data Access
For multinational corporations:
Risk assessment:
- Identify jurisdictions where government data access laws pose risks (U.S. CLOUD Act, China's National Intelligence Law)
- Document legal obligations to provide data to foreign governments
- Assess likelihood and impact of access demands
- Evaluate technical feasibility of resisting demands
Technical measures:
- Encryption with EU-held keys
- Data localization for sensitive information
- Contractual commitments from non-EU affiliates
- Legal challenge procedures for unlawful demands
Customer transparency:
- Disclose third-country access risks in contracts and on the provider's website (Art. 28)
- Provide notice of access requests when legally permissible
- Document measures taken to resist unlawful access
- Offer EU-only hosting options where commercially viable
Industry-Specific Implications
Manufacturing and Industrial IoT
Affected equipment:
- Connected machinery (CNC machines, 3D printers)
- Logistics and supply chain trackers
- Building management systems
- Fleet management devices
Compliance priorities:
1. Identify all data generated by equipment (sensor readings, performance metrics, usage patterns)
2. Develop technical interfaces for customer data access
3. Document data access procedures for customers
4. Train sales/support teams on data access obligations
5. Update terms and conditions to address data sharing
Business model implications: Many equipment manufacturers derive revenue from proprietary data analytics and predictive maintenance services. Data Act obligations may:
- Enable third-party competitors in these service markets
- Require manufacturers to compete on service quality rather than data exclusivity
- Create opportunities for new service business models built on manufacturer-provided data
Automotive Sector
Connected vehicle data:
- Diagnostics and performance
- Location and travel patterns
- Driving behavior and style
- Maintenance needs and alerts
- Infotainment system usage
Compliance challenges:
- Safety implications of third-party access to vehicle systems
- Personal data (location, behavior) vs. non-personal data (technical performance)
- Dealer network data access (authorized vs. independent repair shops)
- In-vehicle software updates and configuration
Regulatory intersection:
- Type-approval regulations (vehicle safety)
- Motor Vehicle Block Exemption Regulation (MVBER)
- GDPR (personal data in vehicle systems)
- Data Act (access to vehicle-generated data)
Smart Home and Consumer IoT
Devices affected:
- Smart thermostats and HVAC systems
- Security cameras and doorbells
- Connected appliances (refrigerators, washing machines)
- Wearables and fitness trackers
- Smart speakers and assistants
Compliance priorities:
1. Simplify data access for non-technical consumers
2. Provide clear privacy controls when data includes personal information
3. Enable voice assistant and smart home platform interoperability
4. Document what data third parties can access and for what purposes
5. Implement parental controls for children's devices
Market implications:
- End of closed ecosystems (Apple HomeKit, Google Home, Amazon Alexa competing for exclusive control)
- Rise of interoperable smart home platforms
- Third-party innovation opportunities
- Shift from hardware to service revenue models
Cloud and SaaS Providers
Switching obligations:
- Export all customer data including configurations and metadata
- Provide migration assistance tools
- Support the customer through the transitional and retrieval periods
- Support common data formats
Business model adaptation:
- Reduce dependence on lock-in for customer retention
- Compete on innovation and service quality
- Offer value-added services that transcend platform switching
- Build ecosystem partnerships rather than walled gardens
Technical debt: Many cloud platforms have accumulated proprietary formats, APIs, and dependencies that create lock-in. Compliance requires:
- Standardizing data formats
- Documenting platform-specific dependencies
- Developing export/import tooling
- Testing migration scenarios
Enforcement Expectations for 2026
Initial Focus Areas
Bundesnetzagentur and other EU enforcement authorities are likely to prioritize:
1. High-visibility consumer products
Early enforcement targets will likely include:
- Smart home devices with large installed bases
- Wearables and fitness trackers
- Connected vehicles
- Consumer electronics (smart TVs, appliances)
These products affect millions of consumers and generate media attention, making them ideal for establishing enforcement precedents.
2. Cloud platform switching
Tech giants' cloud platforms will face scrutiny:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
- SaaS providers (Salesforce, Adobe, etc.)
Cloud switching provisions directly challenge these companies' business models, making enforcement both economically significant and politically contentious.
3. B2B data access disputes
Initial complaints are likely to come from:
- Businesses seeking access to data from equipment manufacturers
- Competitors blocked from accessing product data
- Service providers unable to build on product data
- Customers facing excessive data access fees
Enforcement Approach
Expected regulatory strategy:
1. Education phase (early 2026): Guidance, workshops, FAQ documents
2. Complaint handling (mid 2026): Response to user and business complaints
3. Targeted investigations (late 2026): Focus on specific sectors or companies
4. Enforcement actions (2027+): Fines and compliance orders for violations
Likely enforcement priorities:
- Refusal to provide data access
- Excessive fees for data access
- Technical obstacles preventing data portability
- Cloud exit fees and lock-in practices
- Inadequate data access by design (post-September 2026)
Potential Defense Strategies
For companies facing enforcement:
Technical infeasibility defense:
- Document genuine technical limitations
- Show good-faith efforts to enable data access
- Demonstrate security or safety risks from access
- Propose alternative access mechanisms
Proportionality arguments:
- Excessive compliance costs relative to data value
- Disproportionate burden on small manufacturers
- Competitive disadvantage vs. non-EU competitors
- Request transition periods or phased compliance
GDPR conflict claims:
- Data access conflicts with privacy obligations
- Risk of personal data breaches from mandatory access
- Lack of legal basis for third-party data sharing
- Data subject rights superseding access obligations
Likely success: Limited. The Data Act was negotiated with awareness of these concerns, and regulators will expect companies to have addressed them during the extended implementation periods.
Strategic Recommendations
For IoT Manufacturers
Immediate actions (Q1-Q2 2026):
1. Conduct data inventory: Document all data generated by your products
2. Technical assessment: Evaluate current architecture's compliance gaps
3. Roadmap development: Plan design changes for the September 2026 deadline
4. Cross-functional alignment: Bring together legal, engineering, product and sales teams
5. Customer communication: Prepare to explain data access capabilities and limitations
Medium-term (Q3-Q4 2026):
1. Implement data access: Deploy APIs or interfaces for user data access
2. Security validation: Test that data access doesn't create vulnerabilities
3. Documentation: Create user guides for data access functionality
4. Compliance verification: Validate that design obligations are met
5. Training: Educate customer support and sales on data access processes
Long-term (2027+):
1. Monitor enforcement: Track regulatory actions and adjust practices
2. Continuous improvement: Refine data access based on user feedback
3. Innovation: Develop new services leveraging the open data ecosystem
4. Standards participation: Engage in industry standards development
5. Competitive analysis: Understand how competitors are leveraging data access
For Cloud Service Providers
Immediate actions:
1. Contract review: Identify and eliminate prohibited exit provisions
2. Export tooling: Develop or enhance customer data export capabilities
3. Migration guides: Document switching procedures and timelines
4. Cost analysis: Understand the economic impact of reduced lock-in
5. Competitive strategy: Define how to retain customers without exit friction
Medium-term:
1. Technical implementation: Build self-service switching tools
2. Format standardization: Support common data formats for portability
3. Partner ecosystem: Enable third-party migration tools and services
4. Testing: Validate switching processes with diverse customer scenarios
5. Pricing adjustments: Adapt pricing models to the new competitive dynamics
Long-term:
1. Service differentiation: Compete on innovation rather than lock-in
2. Value-added services: Develop offerings that transcend platform switching
3. Open ecosystem: Build partnerships that increase rather than decrease portability
4. Regulatory engagement: Shape future cloud regulation through industry participation
5. Global strategy: Balance EU requirements with other market approaches
For Data Recipients (Third-Party Service Providers)
Opportunities:
- Access to product data previously unavailable
- Ability to build services on IoT/connected product data
- Reduced barriers to entering markets dominated by product manufacturers
- Level playing field for competing with the manufacturer's proprietary services
Obligations:
- Use the data only for the purposes and under the conditions agreed with the user, and erase it when no longer necessary (Art. 6)
- Do not use the data to develop a connected product that competes with the one it came from; the Data Act provides no consent exception for this (Art. 6(2)(e))
- Comply with GDPR when accessing personal data
- Implement security measures to protect received data
- Respect the user's right to withdraw the data access authorization
Conclusion: A Fundamental Shift in Data Governance
The EU Data Act represents a paradigm shift in how data generated by products and services is governed. By moving beyond the GDPR’s focus on personal data protection to address economic fairness in data access and use, the regulation fundamentally challenges business models built on data exclusivity and customer lock-in.
Key takeaways:
1. September 2026 is Critical
The data access by design deadline creates a hard compliance requirement for manufacturers. Products placed on the market after that date without compliant access face orders to remedy, penalties, and any further market surveillance measures national law attaches.
2. Germany's Strong Enforcement Signal
Designating Bundesnetzagentur as enforcement authority and providing for fines of up to 4% of EU turnover demonstrates Germany's commitment to serious Data Act enforcement.
3. Cloud Switching Transforms Competition
Reduced switching costs, and the end of switching charges from January 2027, will fundamentally alter cloud provider competitive dynamics, shifting competition from exit friction to service quality and innovation.
4. Compliance Requires Cross-Functional Effort
Data Act obligations span legal (contract review), technical (API development), product (design changes), and commercial (business model adaptation) functions.
5. Intersection with GDPR is Complex
When data includes personal information, navigating both GDPR and Data Act requirements requires careful legal and technical design.
The companies that will thrive under the Data Act are those that embrace open data ecosystems, compete on service quality rather than lock-in, and view data portability as an opportunity for innovation rather than a compliance burden. Those clinging to proprietary data moats will face both regulatory pressure and competitive disadvantage.
As Bundesnetzagentur prepares to begin enforcement and the September 2026 deadline approaches, the time for strategic decision-making and technical implementation is now. The Data Act isn’t coming—it’s already here.
About This Analysis
This report is published by Compliance Hub and CISO Marketplace, providing European data governance and technology compliance professionals with in-depth analysis and strategic guidance.
Sources:
- Regulation (EU) 2023/2854 (EU Data Act)
- Grünecker Patent- und Rechtsanwälte
- German Federal Network Agency (Bundesnetzagentur)
- European Commission Data Strategy documents
- Industry compliance surveys and analysis