Drives & Controls Magazine January 2026

EU LEGISLATION, January 2026, www.drivesncontrols.com

What does the EU Data Act mean for machine-builders?

Machine-builders supplying customers in the European Union will already be aware of the Machinery Directive. Its replacement, the Machine Regulation, comes into force in January 2027 and introduces requirements relating to cybersecurity. However, there is another new piece of European legislation that has implications for machine-builders and system integrators. This is Regulation (EU) 2023/2854 on harmonised rules on fair access to, and use of, data – which can be shortened to the Data Act.

Although the Data Act covers a wide range of products, here I am looking solely at how the legislation impacts machine-builders and systems integrators. For simplicity, I will refer only to machine-builders.

What does the Act cover?

Regulation (EU) 2023/2854 has been in force since 12 September 2025, although some aspects do not apply until September 2026 or September 2027. It covers “connected products”. To avoid any doubt, this includes products with on-device access, products with wireless connectivity, and products that require a physical connection to be made when needed.

“Data” includes data generated when using the product or a related service, metadata needed to interpret and use the data, and data created when users interact with the product. Even if data is only stored and not processed, it still falls within the scope if it can be accessed.

Paragraph 14 of the preamble to the Act lists various types of connected product, with industrial machinery being one such type. This paragraph also states that prototypes do not fall within the scope of the Data Act, but machine-builders should not assume that a one-off special-purpose machine is exempt, even though it could be argued that it is a prototype.
Article 31 excludes custom-built data processing, as well as data-processing services provided as a non-production version for test/evaluation over a limited period of time.

If any data can be accessed by the machine-builder, it is covered by the Data Act. It must therefore be sharable with the end-user and, by implication, with third parties. On the other hand, information that has been derived from data is excluded from the scope of the Act and does not need to be sharable. If data – such as that from sensors – is processed but not stored, it does not need to be sharable. Personal data is covered by other EU legislation, although the Data Act covers personal data that has been anonymised.

Article 7 states that the Data Act does not apply to products manufactured or designed by “microenterprises” and small enterprises, provided they do not have a partner enterprise or linked enterprise, and the enterprise is not sub-contracted to design or manufacture the product. The same applies to an enterprise that has qualified as a medium-sized enterprise for less than one year, and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise.

Why is it needed?

The Data Act recognises the value of data for businesses, consumers and society, largely as a result of the Internet of Things (IoT). Furthermore, the European Commission believes that high-quality and interoperable data increases competitiveness and innovation and, therefore, ensures sustainable economic growth. Consequently, the Data Act aims to make it easier for users to share data with third parties or use it themselves, rather than having the data restricted to being stored or processed by, for example, a machine-builder. The situation is the same, whether the user has purchased, leased or rented the product.

In common with many EU Regulations, the Data Act contains essential requirements that must be met.
In this case, the requirements relate to the form of the data and its usability. Data must always be accessible to a user easily, securely, free of charge, and in a comprehensive, structured, commonly used and machine-readable format.

Clauses in the Data Act provide for harmonised standards that, if complied with in full, would provide a presumption of conformity with the essential requirements. In the absence of such standards, “common specifications” can provide a presumption of conformity. At the time of writing, no harmonised standards or common specifications have been published, but these may follow in due course.

When a machine is placed on the market in the EU – whether for sale, lease or rent – information about sharable data must be provided before a contract is concluded. This includes the data functions available, how they can be accessed, the type and volume and format of the data, whether data is generated continuously and/or in real time, and the nature, location and retention period of data.

A contract must cover the basis for a manufacturer’s use of product data, and the terms could exclude or limit the user from accessing all, or some of, the data. Some data might be classified as trade secrets, in which case the data-holder can require data users to treat it as such.

There are clauses in the Data Act to prevent product suppliers from imposing unfair contractual terms on customers. The EC has published non-binding model contractual terms in a document called the Final Report of the Expert Group on B2B data sharing and cloud computing contracts. Nevertheless, Article 1, Clause 6 of the Data Act states that it does not apply when voluntary agreements are in place for exchanging data.

A new piece of European legislation, known as the Data Act, has potential implications for UK machine-builders wanting to export equipment to the European Union. The compliance specialist Derek Coulson* examines these implications, and offers advice on what machine-builders need to do to ensure that they comply with the Act.
