
2025 Data law trends

8. New EU data access regulations are shaping the future

By Davide Borelli, Estella Dannhausen, Enrico De Jong, Mark Egeler, Theresa Ehlen, Gernot Fritz, Daniel Klingenbrunn, Julia Utzerath, Christoph Werkmeister

IN BRIEF

The European Commission’s Data Strategy 2020 has paved the way for new data access regulations that will significantly impact businesses across Europe. In this chapter, we dive into the data access rights established by the EU’s Data Act, along with two pivotal Common European Data Spaces: the European Health Data Space (EHDS) and the Financial Data Access (FIDA) framework.

These new regulations are set to affect many businesses operating in the EU market. If you offer connected products in the EU (eg smart devices) or software that connects to devices being used there and that enables the devices to perform their functions (eg certain apps), the Data Act applies to you, regardless of where your organization is based. The EHDS and FIDA introduce complex obligations for various stakeholders in the health data and financial services ecosystems.

We’ll explore the challenges and opportunities these data access regulations present for businesses and provide practical advice to help you navigate the new compliance landscape.

The primary objective of the new data access rights under the Data Act, EHDS and FIDA is to foster the development of a unified data market in the EU. This entails making all data produced in this unified data market, whether personal or non-personal, accessible to all market participants, irrespective of their size or influence, in accordance with fair, transparent, proportionate and non-discriminatory access rules. Entities and individuals possessing data, such as data generated via connected products or digital services, will be empowered to share this data for reuse, either freely or for compensation.

However, while all three laws contribute to a major shared objective, the Data Act aims to enhance data access across sectors, particularly for Internet of Things (IoT)-generated data, while the Common European Data Spaces create a framework for data sharing in key areas like health (EHDS) and finance (FIDA).

Data Act obligations

The Data Act, being a key pillar of the European Data Strategy, aims to create a horizontal framework for the access to, and sharing of, data generated through smart products and digital services. It also introduces new requirements for redistributing data access and use.

Right

Requirements

Data access by design

  • Manufacturers must ensure that connected products and digital services in relation to the connected products are designed to allow users easy and secure access to product data. Such data needs to be provided in a comprehensive, structured, commonly used and machine-readable format.
  • Manufacturers may decide to make product/digital services data ‘directly’ available, ie so that the user is able to access the data without the intervention of any other party.

Data access by request

  • While manufacturers must design their connected products to provide direct access to data, the Data Act recognizes this may not always be feasible. When direct access is unavailable, businesses that have lawfully obtained the data (ie data holders) must promptly make it available to users of relevant products or services upon request, at the same quality as they receive it themselves.
  • Users of relevant products or services are prohibited from utilizing the data to create a competing product or sharing it with third parties for that purpose. They must also refrain from using the data to gain insights into the economic status, assets or production methods of the manufacturer or the data holder.

Data sharing by request

  • The Data Act requires businesses to share data with third parties, even competitors, if a user of a relevant product or service requests so, highlighting the EU's aim to promote a competitive digital environment. However, so-called ‘gatekeepers’ are excluded from receiving such data.
  • When both the data holder and the third party are businesses, they must establish a contract that governs the data-sharing arrangement under fair, reasonable and non-discriminatory (FRAND) terms.
  • The data holder may charge a non-consumer data recipient a fee for accessing data. The fee should be FRAND, possibly varying based on the data's volume, format and nature, and may include a margin.

B2G data sharing

  • In cases of exceptional need, businesses will be required to make data available to a national public sector body or an EU body. This covers data from connected products, related services and any other business data.
  • In general, the data will have to be made available free of charge, but under certain conditions businesses are entitled to fair compensation.

With the Data Act, the EU addresses the rapid growth in the use of connected products, leading to enhanced data utilization, flexibility in service selection, and new business opportunities.

Gernot Fritz, Counsel

EHDS obligations

The EHDS imposes a complex array of obligations on various actors within the health data ecosystem, including health data holders and users, and manufacturers, importers and distributors of Electronic Health Records (EHR) systems. Key requirements in relation to data access rights include:

Actor

Requirements

Health data holders

  • Health data holders – such as hospitals, healthcare providers, public health authorities, pharmaceutical companies and research organizations – will have certain responsibilities under the EHDS.
  • Upon request, they must provide relevant electronic health data to designated health data access bodies, which are public sector organizations designated by each EU Member State that are responsible for the operationalization and oversight of the EHDS within their respective jurisdictions. Data holders are required to supply the requested data within a period not exceeding three months from the date of the request.
  • Regardless of data permits or data requests, data holders are also required to proactively disclose to the health data access body a detailed catalogue of all the datasets they maintain.

Health data users

  • Health data users – such as academic research institutions, public health authorities, governmental agencies, private sector entities involved in health research and innovation and non-governmental organizations focused on public health – are also subject to various obligations under the EHDS.
  • They may only access and process electronic health data for secondary use, like research or innovation, after they have obtained data permits, data requests or data access approvals.
  • Upon obtaining access, health data users are required to make public the results, findings or outputs derived from their secondary use of electronic health data.
  • They must notify the relevant health data access body immediately of any significant findings or results that have the potential to impact the health of individuals whose data was included in the analysis.
  • In addition to these specific obligations, health data users must also comply with a range of privacy and data protection requirements, and cooperate with health data access bodies.

The FIDA obligations

The FIDA aims to grant customers effective control over their financial data and to give them the opportunity to benefit from new business models and products based on data sharing. As the FIDA is still under negotiation, this chapter summarizes the European Commission proposal of June 28, 2023.

The FIDA applies to credit institutions, insurance firms and most other EU financial sector entities. All of them can act as ‘data holder’ or ‘data user.’ Among others, the FIDA applies to customer data on loans, (non-payment) accounts, savings, investments, crypto-assets, real estate, non-life insurance products and data forming part of creditworthiness assessments of firms for loan application processes. Data on sickness and health insurance products, including data collected for related assessments, and data that forms part of creditworthiness assessments of consumers are excluded from the FIDA.

Important requirements in relation to data access rights include:

Actor

Requirements

Data holder

  • Financial sector entities storing customer data (data holders) are required to share financial data with customers and with third parties upon a customer’s request. They must maintain a ‘permission dashboard’ so that customers can monitor and manage the permissions.
  • The data holder and data user must establish or join financial data sharing schemes. Scheme members must agree the main parameters for sharing of data (eg technical interfaces, maximum compensation and liability). Scheme rules are subject to review by financial sector authorities.

Data user

  • Financial data can only be shared with other licensed entities (data users), either a financial sector entity or a ‘financial information service provider,’ a type of license established under the FIDA.
  • Data users will become subject to legal restrictions when they intend to process data they have received to offer consumer products related to credit scoring or to life, health and sickness insurance; this is intended to protect consumers and their fundamental rights.

With the obligation to exchange data in real-time and mandatory membership in data sharing schemes, many financial sector entities will be entering uncharted territory.

Daniel Klingenbrunn, Principal Associate

New opportunities for data-based business models

The Data Act, EHDS and FIDA open up new possibilities for different stakeholders, as summarized below:

Data Act

Stakeholder

Benefit

Users of connected products

Can leverage data for various purposes, while (third-party) data recipients also benefit from gaining access to diverse, high quality data sources.

Small and medium-sized enterprises (SMEs)

Benefit from fair contractual terms for data access, encouraging their participation in the data economy.

Businesses investing in data-generating products

Data collected by a user or (third-party) data recipient cannot be utilized to create a competing connected product. The Data Act does not, however, restrict competition in related or aftermarket services.

New business models, such as aftermarket services

The Data Act provides access to more data to improve product support and drive service innovation.

 

EHDS

Stakeholder

Benefit

Businesses in the healthcare and pharmaceutical sectors

Will benefit from easier access to health data across the EU, potentially leading to more efficient drug and vaccine research and faster development of other medical products. This may be especially true for companies specializing in healthcare analytics and AI-driven tools, which can leverage the harmonized health data pool for their initiatives, enhancing the effectiveness of their projects and reducing costs associated with data access.

SMEs

Can access and reuse high-quality health data for innovation and research, contributing to broader health research, improved health outcomes and greater innovation.

Providers of telehealth services

Will be able to expand their services to a broader customer base thanks to more standardized data practices across EU countries.

Individuals

Individuals will have secure, direct access to their personal health data across all EU Member States. They will also be able to provide feedback and file complaints regarding the use and handling of their health data.

All businesses within the health data ecosystem must explore the relevant opportunities and obligations arising out of the EHDS and other new EU data laws.

Davide Borelli, Counsel

FIDA

Stakeholder

Benefit

Businesses in the financial sector

Establishing standardized and safe means of financial data-sharing may open up new opportunities for data sharing business models – beyond payment account related models – due to increased trust from the customers who may be willing to share more financial data.

Customers

The use of financial data by data-driven tools can help customers to compare offered products that match their preferences based on their data and support them to make informed choices.

SMEs

SMEs may benefit from a particularly favorable regulation regarding compensation for financial data.

Preparing for the Data Act

  • Establish robust data governance processes and, in particular, evaluate existing product designs and contractual frameworks to ensure alignment with the Data Act’s provisions.
  • Identifying key datasets affected by the legislation and developing a comprehensive data strategy are critical steps towards compliance. By doing so, businesses can explore possible avenues for opening access to data and adapt manufacturing and design processes accordingly.
  • In addition to risk mitigation, businesses could also explore the potential opportunities presented by the Data Act. By strategically leveraging the Data Act’s provisions, businesses may uncover new possibilities for growth and innovation.

Preparing for the EHDS

  • Data holders must find effective ways to separate data that is commercially sensitive or subject to intellectual property restrictions from other health data to prevent unauthorized disclosure. This segregation is crucial to comply with transparency and privacy obligations under EU data protection law and the EHDS, which mandates robust mechanisms for safeguarding sensitive information while still allowing health data to be shared for broader purposes such as research and innovation.
  • Data users should familiarize themselves with the processes and prerequisites set out in the EHDS for obtaining data permits, data requests and data access approvals. They should also set up a process for the timely publication of the results or output of their secondary use that complies with the anonymization requirements of the EHDS and aligns with data protection law.
  • Manufacturers, importers and distributors of EHR systems should ensure that their products meet the comprehensive requirements laid down in the EHDS. This is necessary to guarantee their systems comply with EU market standards and can be legally sold and used across EU Member States. Additionally, importers, distributors and users of an EHR system should also assess whether they might be considered a manufacturer of an EHR system according to the EHDS and thus subject to the obligations set out for manufacturers.

Preparing for the FIDA

While most details on the FIDA must still be settled during the legislative process, it has already become clear that the FIDA will (after the EU’s Digital Operational Resilience Act) be the next fire drill for financial sector entities in which IT and data departments will need to collaborate with their legal and compliance counterparts to ensure day-one readiness.

  • IT and data departments should focus on the availability of IT assets that permit compliance with the ambitious data sharing standards.
  • Legal and compliance will be involved in selecting or negotiating key terms of financial data sharing schemes.
  • As part of their risk management, financial sector entities will need to consider strategies to shield themselves from liability risks due to loss or incorrect handling of financial data, including customer data that falls within the remits of data protection law.

FIDA will be the next fire drill for financial sector entities who must ensure day-one readiness.

Christoph Werkmeister, Partner

Looking ahead

Now is the perfect time to embark on your compliance journey and get ready for the upcoming data access requirements under the Data Act, which will take effect on September 12, 2025 (though keep an eye out for certain provisions with different application dates). Recent guidance from the EU Commission has clarified some of the previously ambiguous terms in the Data Act, making practical implementation more straightforward (check out our Freshfields blog post for more insights).

The EHDS is nearing its final stages, with adoption expected in autumn or winter 2024. This gives affected stakeholders two more years to work towards compliance.

On the other hand, the FIDA is still in the early stages of its legislative journey. It’s definitely one to watch, as it holds great potential for new data business models in the financial sector – something that’s a key aspect of all the new data access regulations coming out of Brussels across various industries.
