any of you will already be aware that, when it comes into force in January 2027 as a replacement to the Machinery
Directive, the Machine Regulation will feature new requirements relating to cybersecurity. But are you aware of Regulation (EU) 2023/2854 which establishes harmonised rules on fair access to and use of data? Shortened to the ‘Data Act’, this covers a wide
range of products. But how will it impact machine builders and systems integrators?
Regulation (EU) 2023/2854 has been applied since 12 September 2025, though some aspects do not apply until September 2026 or September 2027. It covers ‘connected products’ and includes products with on-device access, products with wireless connectivity, and products that require a physical connection to be made when needed. ‘Data’ includes data generated by use of the product or related service, metadata necessary to interpret and use the data, and data created when users interact with the product. Even if data is only stored and not processed, then it still falls within the scope if it can be accessed. Paragraph 14 of the preamble lists
various types of connected product, with industrial machinery being one such type. This paragraph also states that prototypes do not fall within the scope of the Data Act, but machine builders should not assume that a one-off special-purpose machine is exempt, even though it could be argued that it is a prototype. Article 31 excludes custom-built data processing, as well as data processing services provided as a non-production version for test/evaluation over a limited time period. If any data can be accessed by the machine
builder, then it is covered by the Data Act. It must therefore be sharable with the end user and, by implication, third parties. On the other hand, information that has been derived from data is excluded from the scope of the Data Act and does not need to be sharable. If data, such as from sensors, is processed but not stored, then it does not need to be sharable. Personal data is covered by other EU legislation, though the Data Act covers personal data that has been anonymised. Article 7 states that the Data Act does not apply to products manufactured or designed by
microenterprises and small enterprises, provided they do not have a partner enterprise or linked enterprise and the enterprise is not subcontracted to design or manufacture the product. The same applies to an enterprise that has qualified as a medium-sized enterprise for less than one year, and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise.
The Data Act recognises the value of data for businesses, consumers and society, largely as a result of the ‘Internet of Things’ (IoT). Furthermore, the European Commission believes that high-quality and interoperable data increases competitiveness and innovation and, therefore, ensures sustainable economic growth. Consequently, the Data Act aims to make it easier for users to share data with third parties or use it themselves, rather than having the data restricted to being stored or processed by, for example, a machine builder. The situation is the same, whether the user has purchased, leased or rented the product. In common with many EU Regulations, the
18
Data Act contains essential requirements that must be met. In this case, the requirements relate to the form of the data and its usability. Data must always be accessible to a user easily, securely, free of charge, and in a comprehensive, structured, commonly used and machine-readable format. Clauses in the Data Act provide for harmonised
standards that, if complied with in full, would provide a presumption of conformity with the essential requirements. In the absence of such standards, ‘common specifications’ can provide a presumption of conformity. At the time of writing, no harmonised standards or common specifications have been published but these may follow in due course.
When a machine is placed on the market in the EU, whether for sale, lease or rent, information about sharable data must be provided before a contract is concluded. This includes the data functions available, how they can be accessed, the type, volume and format of the data, whether data is generated continuously and/or in real time, and the nature, location and retention period of data. A contract must cover the basis for a
manufacturer’s use of product data, and the terms could exclude or limit the user from accessing all or some of the data. Some data might be classified as trade secrets, in which case the data holder can require data users to treat it as trade secrets. Within the Data Act, there are clauses to
prevent product suppliers fromimposing unfair contractual terms on customers. The EC has published non-binding model contractual terms in a document ‘Final Report of the Expert Group on B2B data sharing and cloud computing contracts.’ Nevertheless, Article 1, Clause 6 of the Data Act states that it does not apply when voluntary agreements are in place for exchanging data.
If a data holder (such as a machine builder) is
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52
