EU Data Act: Unlocking data in healthcare, life sciences, and beyond


The EU Data Act1 ushers in a sweeping new framework for access to and use of data from connected products and related services. Organizations, such as healthcare and life sciences companies, should prepare now, as many of the Data Act's obligations became applicable on 12 September 2025.

Background2

The Data Act is a cornerstone of the European Union's Data Strategy,3 designed to unlock the value of data across sectors and promote a competitive data economy. Adopted in June 2023 and in force since January 2024, the Act establishes rules on who can access and use data obtained, generated, or collected by connected products and related services. Its aim is to enhance innovation, ensure well-functioning data sharing, and reduce barriers to entry, particularly for small and medium-sized enterprises, while balancing the rights of users, manufacturers, and service providers. The Data Act affects companies based both in and outside the EU. Non-EU data holders must designate a legal representative in an EU Member State to ensure enforceability of obligations under the Data Act.

New Obligations

The Data Act introduces a broad set of obligations for companies, except for micro or small enterprises, that manufacture connected products and/or offer digital services.

  • Connected Products, often referred to as the "Internet of Things" (IoT), are items (i) that obtain, generate or collect data concerning their use or environment and that are able to communicate product data via an electronic communications service, physical connection or on-device access, and (ii) whose primary function is not storing, processing or transmission of data on behalf of any party other than the user.4
  • Related services means digital services, other than electronic communications services, including software, which (i) are connected with the product at the time of the purchase, rent or lease in such a way that their absence would prevent the connected product from performing one or more of its functions, or (ii) are subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product.5
  • Data processing services means digital services that are provided to a customer and enable ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.6

Scope

The Data Act applies to manufacturers of connected products placed on the EU market and providers of related services and of data processing services to customers in the Union, irrespective of the place of establishment of those manufacturers and providers. It covers only users and data recipients in the EU.7

The rules for access to and the use of data address both "product data", meaning data generated by the use of a connected product, and "related services data", defined as "data generated by the use of a product or related service". The related services data include any data recorded intentionally by the user, as well as data generated as a by-product of the user's action, such as performance data, and without any action by the user, such as when the product is in standby mode. The new rules cover raw data in the form and format in which they are generated by the product, but do not pertain to data resulting from any software process that calculates derivative data from such data.

Key Areas of Impact and Requirements

  • Access to and Sharing of Data – Users of connected products gain extensive rights to access the personal and non-personal data their devices and the related services generate.8 Companies must provide clear information on data collection and make this data available to users on fair, non-discriminatory terms. In addition, the user has the right to transfer the data to third parties.9 Upon request by the user, the data holder must submit readily available data, including the relevant metadata, to a third party. In cases where unrestricted access to and transfer of data would pose a risk to safety, public health, or the confidentiality of trade secrets, companies may impose proportionate contractual restrictions on data access and transfer. Notably, the data may not be used for the development of competing products.
  • Product Design – Manufacturers and service providers must consider data accessibility from the earliest stages of product and services development, ensuring that their products and services are designed to enable secure and interoperable data sharing without compromising safety or privacy. This includes the obligation to ensure that digital services allow switching between providers and export of data in interoperable formats, facilitating portability and competition in the digital market.10
  • Contractual Terms – Agreements with customers, partners, and service providers need to reflect the new data-sharing obligations, balancing the rights of users with the company's commercial and compliance interests. Where a data holder is obliged to transfer data to a data recipient, the agreement in B2B relationships must meet the FRAND criteria, i.e., be fair, reasonable and non-discriminatory.11 Additionally, the Data Act lists contractual terms in B2B relationships that are considered unfair and thus non-binding,12 similar to considerations in German regulations regarding the permissibility of general terms and conditions. While these standards under Article 13 of the Data Act only apply to B2B relationships, they could influence the assessment of clauses in B2C relationships as well. For provider switching (both in B2B and B2C relationships), the Data Act sets out minimum requirements for contractual terms such as switching periods and information obligations.13

    In order to support parties with their contractual rights and obligations under the Data Act, the Commission was to provide non-binding model contractual terms on data access and use as well as non-binding standard contractual clauses for cloud computing contracts by 12 September 2025.14 However, no contractual terms have been released yet. In its most recent FAQs on the Data Act,15 the Commission referred to the final report from an Expert Group which contains draft terms and clauses16 and its intention to adopt a Recommendation based on the report,17 which may provide initial guidance for companies alongside the text of the Data Act itself.

  • Technical and Organizational Measures – Companies will be required to take enhanced technical and organizational measures to secure shared data, with potential liability in case of security breaches or unauthorized data usage.18

Non-compliance and Enforcement

Non-compliance with the Data Act's requirements can result in significant fines, regulatory investigations and civil liability. As with other EU Regulations, the Member States will appoint authorities to enforce the Data Act. The Data Act also enables civil representative (class-style) actions for infringements, heightening companies' exposure to civil litigation claims.

Impact on the Healthcare and Life Sciences Industry

For the healthcare and life sciences industry, the Data Act could be transformative. According to Recital 14 of the Data Act, medical and health devices expressly fall within the scope of the Act. This includes medical devices, wearables, and digital health platforms that obtain, generate or collect vast amounts of patient and product data that, under the new rules, must be made readily accessible to users and, if requested by the user, to third parties. Data from wearables, connected implants, and clinical platforms, for example, is now expected to be accessible directly by patients, researchers and doctors. The software associated with these networked devices is referred to as related services and is in scope of the new regulations.

This shift will change how products need to be designed and how data flows will have to be managed. A glucose monitor, for example, will need to provide patients with direct access to their readings in a portable format. Manufacturers of connected implants or pumps may need to build secure mechanisms for patients or authorized third parties to retrieve operational data.

This creates opportunities for innovation in research, diagnostics, and treatment, but also raises questions about patient privacy, cybersecurity, and compliance with existing frameworks such as the General Data Protection Regulation (GDPR)19 and the sector-specific EU regulations on medical devices (MDR) and in vitro diagnostics (IVDR).20 Companies will need to carefully balance the new data-sharing obligations with their parallel responsibilities under other rules to safeguard sensitive health information. The applicable legal basis of processing health data would be (in most cases) consent. Furthermore, the access-by-design obligation can lead to extensive changes to existing products, which may be deemed a "substantial change" according to the MDR or IVDR and require a new cost-generating conformity assessment of the medical device.

European Health Data Space

For the healthcare and life sciences industry in particular, the Data Act comes hand in hand with the new European Health Data Space (EHDS) Regulation,21 which entered into force in 2025, with its primary-use obligations applying from 2027 and secondary-use provisions phased in gradually from 2029 onward. Companies should therefore design their processes now so that they meet the combined requirements of the Data Act and the EHDS Regulation.

The EHDS is the first common EU data space dedicated to a specific sector as part of the European Union's Data Strategy. The EHDS Regulation seeks to create a unified framework for the use and exchange of electronic health data across the EU. It strengthens individuals' rights by improving access to and control over their personal health data. At the same time, it permits the reuse of certain data for purposes such as public interest, policymaking, and scientific research. The Regulation aims to build a health-specific data ecosystem that supports a single market for digital health services and products. Furthermore, it introduces a harmonized legal and technical framework for electronic health record (EHR) systems, promoting interoperability, innovation, and the efficient functioning of the internal market.

Beyond Healthcare

While the healthcare and life sciences industry will certainly feel the impact of the new Data Act regulations, it is far from the only sector affected. The Regulation is broad in scope, as connected products are found in all aspects of the economy and society, including not only in medical and health devices but also in private, civil or commercial infrastructure, vehicles, ships, aircraft, home equipment and consumer goods, or agricultural and industrial machinery. Thus, it will have significant implications across various industries, including the automotive sector.

The automotive industry has been integrating data-driven technologies into its vehicles for years, and the new Data Act will undoubtedly have an impact on the sector. Connected vehicles, classified as "connected products" under the Data Act, are particularly affected by the legislation, as they continuously record and transmit data, whether related to driver profiles, driving behavior, the environment, or the vehicle itself. At the same time, Original Equipment Manufacturers (OEMs) and their suppliers are increasingly reliant on data as they transform their business models. Key examples where this will become especially relevant in the future include direct-to-consumer sales, the shift in dealership structures toward the agency model, and the expansion of business activities into mobility services.

Conclusion

The Data Act introduces significant new compliance obligations that will affect how healthcare and life sciences organizations, inter alia, design products, manage data flows, and structure contracts. With the first obligations already applicable from September 2025 and the European Health Data Space regulation following soon after, companies should move quickly to assess gaps, update governance frameworks, adapt product development accordingly at an early stage and prepare for greater regulatory scrutiny. Companies should note that the obligation to grant access to and transfer of data applies to connected products and related services that were placed on the market after 12 September 2026. Those companies that act early will be better positioned to reduce compliance risk and avoid disruption as enforcement begins.


1 Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).
2 Please also refer to our Client Alert with general information regarding the Data Act, [●].
3 Communication from the Commission – A European strategy for data of 19 February 2020, COM/2020/66 final.
4 See Article 2 no. 5 of the Data Act.
5 See Article 2 no. 6 of the Data Act.
6 See Article 2 no. 8 of the Data Act.
7 See Article 1(3) of the Data Act.
8 See Article 3 of the Data Act.
9 See Article 5 of the Data Act.
10 See Articles 33 et seqq. of the Data Act.
11 See Article 8(1) of the Data Act.
12 See Article 13 of the Data Act.
13 See Article 25 of the Data Act.
14 Article 41 of the Data Act.
15 FAQs Data Act, Version 1.3 of 12 September 2025, available here.
16 Final Report of the Expert Group on B2B data sharing and cloud computing contracts of 2 April 2025, available here.
17 See Section 74 of the abovementioned FAQs.
18 See Article 11 of the Data Act.
19 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
20 Regulation (EU) 2017/745 of 5 April 2017 on medical devices and Regulation (EU) 2017/746 of 5 April 2017 on in vitro diagnostic medical devices.
21 Regulation (EU) 2025/327 of 11 February 2025 on the European Health Data Space.


White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
