From 12 September 2026 the design duties of the EU Data Act (Regulation (EU) 2023/2854) apply to all newly placed connected products. Anyone selling smart-home devices, wearables, connected cars or other IoT products via an online shop must update data access rights, pre-contractual information duties and B2B contract clauses by that date. According to Statista, the German IoT market grows from EUR 32.74 billion (2025) to EUR 44.94 billion (2029) - the regulation's reach is correspondingly high. This guide shows what e-commerce operators must concretely implement, which deadlines apply and what a practical compliance plan looks like.

[Infographic: EU Data Act - Compliance for IoT Shops. Product categories: smart home (46% of DE households), connected car (automotive EUR 8.25bn), wearables (21.1bn IoT devices globally). Data access matrix (Art. 3-5): raw data, processed data and metadata for user, third party and manufacturer. Timeline of EU Data Act deadlines. Fines up to 4% of global revenue or EUR 20m (Art. 40). Sources: EU Reg 2023/2854, Bitkom, Statista, IoT Analytics.]

What the EU Data Act regulates

Regulation (EU) 2023/2854 - the EU Data Act - entered into force on 11 January 2024. Its main application started on 12 September 2025 with the data access rights under Art. 4 and 5, the B2B clause rules under Art. 13 and the cloud-switching provisions under Art. 23-31 (EUR-Lex).

The core aim of the Data Act is fairer access to data generated through the use of connected products. Manufacturers may no longer keep usage-generated data exclusively for themselves. Users - consumers as well as business users - gain the right to receive those data without undue delay, free of charge, in machine-readable format and where relevant in real time or to pass them on to third parties (Art. 3 para. 1).

For e-commerce operators this is more than a manufacturer topic. They sit at the interface between manufacturer, product and end customer and therefore take on information, notice and partly process duties.

Relation to GDPR

The Data Act governs both personal and non-personal data generated through product use. Where there is overlap with the GDPR, the GDPR takes precedence for personal data. For sensor data, device logs or operating parameters without personal reference, the Data Act is the central legal basis.

Who is in scope: connected products

A connected product under the Data Act is any device that records, generates or communicates data about its use or environment - via Wi-Fi, mobile networks, Bluetooth or related services. Typical categories in online retail:

  • Smart home - lighting, heating control, smart plugs, cameras, voice assistants (according to Bitkom 46 % of German households use smart-home applications, more than 30 million people)
  • Wearables - fitness trackers, smartwatches, health gadgets
  • Connected vehicles - connected bike and car components, telematics dongles (automotive is the largest German IoT sub-market at EUR 8.25 billion in 2025 per Statista)
  • Smart industry & agriculture - connected tools, sensors, agricultural machinery
  • Connected appliances - kitchen appliances, washing machines, robot vacuums
  • Related services - apps, cloud back-ends and portals processing data from those devices

According to Bitkom, German smart-home usage is dominated by lighting (37 %), heating (31 %) and smart plugs (26 %). Globally the IoT installed base grew by 14 % in 2025 to 21.1 billion active endpoints (IoT Analytics). The EU share of the global IoT market is around 34.7 % in 2026 (MarketsandMarkets/Coherent); the EU IoT technology market expands from USD 246.63 to 272.11 billion between 2025 and 2030 (MarketsandMarkets).

Important for scoping: not every product with a chip falls under the regulation. What matters is whether it actually generates data about its use, environment or interaction and communicates those data in whole or in part. A plain household toaster without any interface is out of scope - a smart toaster with an app connection and temperature logging is in. Equally relevant are related services: a manufacturer app analysing device data, a cloud dashboard for maintenance or a portal for consumption analytics. As soon as a shop sells such bundles, information on those services becomes part of the pre-contractual duties.

Three deadlines that matter in 2026

The Data Act applies in staged phases. Four dates are relevant for IoT shops, three of them in the next twelve months:

Date | Scope | Consequence for shops
12 Sep 2025 | Main application: data access rights Art 4/5, B2B clauses Art 13, cloud switching | Already in force - T&Cs, information duties and manufacturer agreements must be up to date
12 Sep 2026 | Design duties Art 3 for newly placed connected products | Adjust purchasing lists: only source products from manufacturers fulfilling Art 3
12 Jan 2027 | Cloud switching completely fee-free (Art 29) | Choose back-end and infrastructure providers without switching fees, review contracts
12 Sep 2027 | Extension of Art 3 para 1 to existing product categories (via delegated acts) | Systematically bring legacy assortment into compliance by this date

Purchasing cut-off 12 September 2026

All connected products first placed on the market from this date must comply with Art. 3. Retailers should obtain early written confirmation from manufacturers that devices, apps and related services meet the regulation technically and in documentation.

Article 3: design-by-default

Article 3 is the heart of the Data Act on the product side. Connected products and their related services must be designed so that users can by default, easily and securely access the data generated during use - ideally directly on the device or via the manufacturer's app.

Design-by-default means data access cannot be hidden behind complex processes, paid unlocks or proprietary formats. Access must be provided as a factory setting, both technically and organisationally.

Direct access

Where technically feasible, data must be accessible directly on the device or through the app - not only via manufacturer support

Machine-readable formats

Structured, common formats (e.g. JSON, CSV, open APIs). Proprietary binary formats without export option are not permitted

Free of charge and real-time

Access to usage-generated raw data is free for the user and, where relevant, in real time

Metadata and context

Alongside the raw data, metadata (timestamp, unit, context) must be provided so the data are actually usable

For shops this means: if your development team maintains connected retailer apps or portals, it must verify that your own interfaces or integrations (e.g. service portals, after-sales tools) do not undermine the rules through proprietary formats or media breaks. Visibility strategies such as Google AI Mode approaches or structured product data for the discovery phase can sit cleanly on top - as long as metadata remain accessible in an openly documented format.

A three-step approach has proven itself in practice: first, data-type mapping per product family - which sensors, events, frequencies? Second, an interface audit - which APIs, apps or portals grant access? Third, a documentation pipeline - how does this information flow automatically into product pages, datasheets and T&Cs? The third step is especially critical for large IoT assortments, so that maintenance is not done by copy and paste.

Articles 4 and 5: data access rights

Article 4 governs access by the user. Anyone lawfully using a connected product can request the data generated during use from the manufacturer. This applies to consumers as well as business users. Data must be provided without undue delay and, where technically feasible, in real time.

Article 5 extends this to sharing with third parties - e.g. an independent repair business, an analytics provider or an aftermarket competitor. At the user's request the manufacturer must pass the data on to the nominated third party. Important: the data must not be used to develop a product competing with the original product - a critical anti-reverse-engineering safeguard.

For third-party sharing the FRAND principle applies under Art. 8: manufacturers must grant access on fair, reasonable and non-discriminatory terms. Micro and small enterprises are explicitly exempt under Art. 7 - a relief for small shop operators with own brands.

Practical relevance for shops

Shop operators are typically not themselves manufacturers under the Data Act. Still, customer service should have documented processes to forward data requests to the correct manufacturer and to inform customers about their rights.

Pre-contractual information duties

Art. 3 para. 2 requires that the user is informed clearly and comprehensibly before entering into the contract about data processing. For shops this adds specific information to product pages and the checkout flow:

  • Nature and format of the data generated by the product
  • Estimated volume and frequency of data generation
  • Whether data are captured in real time and generated continuously
  • Where data are stored (device, manufacturer cloud, retention period)
  • How the user accesses their data - technically and organisationally
  • Contact details for complaints and the competent authority

In practice this can be implemented via a new product-page block, fed either from the PIM system or maintained per product group. An example snippet for Shopware 6 shows a structured representation:

product-data-act-info.twig
<section class="data-act-info" aria-labelledby="da-heading">
  <h3 id="da-heading">Data collection under the EU Data Act</h3>
  <dl>
    <dt>Type of data</dt>
    <dd>{{ product.customFields.dataAct_type }}</dd>

    <dt>Format</dt>
    <dd>{{ product.customFields.dataAct_format }}</dd>

    <dt>Collection</dt>
    <dd>{{ product.customFields.dataAct_frequency }} (real time: {{ product.customFields.dataAct_realtime ? 'yes' : 'no' }})</dd>

    <dt>Storage location</dt>
    <dd>{{ product.customFields.dataAct_storage }}</dd>

    <dt>Access to your data</dt>
    <dd>{{ product.customFields.dataAct_access }}</dd>

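    <dt>Complaints contact</dt>
    {# Autoescaping does not neutralise javascript: URLs in href, so only https:// values are rendered as links #}
    {% set daContact = product.customFields.dataAct_contact %}
    <dd>{% if daContact starts with 'https://' %}<a href="{{ daContact }}">{{ daContact }}</a>{% else %}{{ daContact }}{% endif %}</dd>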
  </dl>
</section>

The block should be visibly placed on the product detail page, not only in the T&Cs. The fields can be modelled in a programmatic category structure so that Data-Act fields are re-used per product group.
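
One way to gate this block in the documentation pipeline, shown as an added example (not the author's or Shopware's code): product-group defaults are merged with product-level overrides, and a product page is only publishable if every Data-Act field is present and the complaints contact is an absolute https URL. The field names come from the Twig block above; the record layout, group names and sample catalogue are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Field names come from the Twig block; record layout and sample data are assumed.
REQUIRED = ("dataAct_type", "dataAct_format", "dataAct_frequency", "dataAct_realtime",
            "dataAct_storage", "dataAct_access", "dataAct_contact")

def resolve_fields(group_defaults, product_fields):
    """Product-group defaults, overridden by non-empty product-level values."""
    merged = dict(group_defaults)
    merged.update({k: v for k, v in product_fields.items() if v not in (None, "")})
    return merged

def safe_contact_url(value):
    """True only for absolute https URLs with a host. HTML autoescaping does not
    neutralise javascript: or data: URLs in an href, so the scheme is checked."""
    if not isinstance(value, str) or value != value.strip() \
            or any(ord(c) < 0x20 for c in value):  # control chars can disguise a scheme
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme == "https" and bool(parts.hostname)

def validate(fields):
    """Return a list of problems; an empty list means the block may be published."""
    problems = [f"missing {n}" for n in REQUIRED if fields.get(n) in (None, "")]
    if "dataAct_realtime" in fields and not isinstance(fields["dataAct_realtime"], bool):
        problems.append("dataAct_realtime must be a boolean")
    contact = fields.get("dataAct_contact")
    if contact not in (None, "") and not safe_contact_url(contact):
        problems.append("dataAct_contact must be an absolute https URL")
    return problems

def audit(catalogue, groups):
    """Map SKU -> problems for each PIM-flagged connected product that fails."""
    report = {}
    for item in catalogue:
        if item.get("connected"):  # only products flagged as connected in the PIM
            merged = resolve_fields(groups.get(item["group"], {}), item.get("fields", {}))
            report[item["sku"]] = validate(merged)
    return {sku: p for sku, p in report.items() if p}

# Constructed sample data (not from a real catalogue)
GROUPS = {"smart-plug": {
    "dataAct_type": "Power consumption, switching events",
    "dataAct_format": "JSON export", "dataAct_frequency": "every 60 s",
    "dataAct_realtime": True, "dataAct_storage": "Manufacturer cloud, 12 months",
    "dataAct_access": "In-app export",
    "dataAct_contact": "https://manufacturer.example/data-act"}}
CATALOGUE = [
    {"sku": "PLUG-1", "group": "smart-plug", "connected": True, "fields": {}},
    {"sku": "PLUG-2", "group": "smart-plug", "connected": True,
     "fields": {"dataAct_contact": "javascript:alert(1)"}},
    {"sku": "CAM-1", "group": "camera", "connected": True,
     "fields": {"dataAct_type": "Video", "dataAct_realtime": "yes"}},
    {"sku": "TOASTER-0", "group": "kitchen", "connected": False, "fields": {}},
]
```

Calling audit(CATALOGUE, GROUPS) on the sample data flags PLUG-2 for its contact override and CAM-1 for missing fields and a non-boolean real-time flag, while PLUG-1 passes on group defaults alone.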

B2B contracts: blacklist and greylist

Art. 13 establishes a catalogue of prohibited (blacklist) and presumed-unfair (greylist) clauses for B2B data provision contracts. This affects both contracts between shops and manufacturers and between shops and data service providers (e.g. analytics for connected products).

Clause type | Example | Assessment
Blacklist | One-sided exclusion of liability for intent or gross negligence | Not permitted - clause is void
Blacklist | Right to unilaterally change the contract without objective reason | Not permitted
Blacklist | Exclusion of data sharing with third parties without alternative | Not permitted
Greylist | Limitation of liability to foreseeable damage | Permitted if fairly justified - otherwise ineffective
Greylist | Setting long notice periods without reason | Suspicious - assessed case by case
Allowed | Individually negotiated, balanced data licence | Permitted

Anyone onboarding connected products should go through master agreements with manufacturers and review clauses restricting access to user data against Art. 13. In parallel, B2B T&Cs should be updated - matching customer-specific B2B assortments for business customers.

Cloud switching: portability from 2027

Art. 23-31 govern switching between cloud and edge services. The rules apply to all providers of data-processing services - from hyperscalers to specialised cloud providers. This is relevant for shop operators because practically every IoT platform runs on cloud infrastructure.

Switching deadlines under Art. 25: notice period for a switch is limited to a maximum of two months. The actual transition must be completed within a maximum of 30 days, extendable in justified cases up to seven months (Goodwin). Providers must allow functional parallel use during the transition and provide open interfaces.

From 12 January 2027, all switching fees are prohibited (Art. 29, Greenberg Traurig). Until then only pure cost-recovery charges under a defined decommissioning plan are permissible. For IoT shops this means reviewing contracts with back-end, analytics and monitoring providers. The question of functional parity also matters - providers must ensure technical equivalence at the target destination.

Fines and enforcement

Art. 40 refers to the GDPR sanctions framework for infringements concerning rights of natural persons: up to EUR 20 million or 4 % of global annual turnover, whichever is higher. For purely non-personal data, member states set their own fine ranges. Germany is moving towards a staged system (DLA Piper):

Severity | Example infringement | Fine range
Minor | Missing or incomplete pre-contractual information | up to EUR 50,000
Severe | Denial of data access, unfair B2B clauses | up to EUR 500,000
Gatekeeper | Dominant provider breaches Art. 5/6 DMA | up to EUR 5m or 2 % global turnover
Personal data | Additional GDPR breach by data refusal | up to EUR 20m or 4 % global turnover

Enforcement is carried out by the designated national competent authorities, which will take on their role throughout 2026. For shops this is not a side topic - when GDPR-relevant incidents occur, frameworks can stack in parallel.

8-point compliance plan for IoT shops

If you want a practical way to prepare your shop for 12 September 2026, the following order works. This is not legal advice but a pragmatic consulting checklist from projects:

  1. Audit the product catalogue - which items are connected products under the Data Act? Flag them in the PIM.
  2. Extend product pages - structurally display the mandatory information under Art. 3 para. 2 (type, format, volume, real time, storage, access).
  3. Review T&Cs and manufacturer agreements - Art. 13 clause check, update data protection addenda.
  4. Manufacturer query process - checklist to suppliers: does the product meet Art. 3? Direct access? FRAND conditions for third parties? In writing, up front.
  5. Extend recall and complaint processes - train customer service on handling Art. 4/5 data requests, document escalation path to the manufacturer.
  6. Update the DPIA - extend the data protection impact assessment for connected products to cover the Data Act dimension, including non-personal sensor data.
  7. Purchasing cut-off 12 September 2026 - after this date, source only from manufacturers with demonstrable Art. 3 conformity. Obtain a supplier declaration.
  8. Third-party access process Art. 5 - define how your shop handles data-sharing requests from third parties (e.g. repair shops, insurers) - process, form, documentation.

Sales angle: Data-Act readiness as a product feature

Retailers who transparently display Data-Act information on product pages build trust - especially in combination with topics like Digital Product Passport, Right to Repair and traceable Green Claims statements. According to Bitkom, 80 % of German citizens are open to AI-driven smart-home products, while 55 % worry about surveillance - clear data-rights information addresses exactly that scepticism.

Sources and studies

Legal basis: Regulation (EU) 2023/2854 (EU Data Act, EUR-Lex). Market data: Statista IoT outlook DE (EUR 32.74 → 44.94 bn, CAGR 8.26 %), Bitkom smart-home study (46 % uptake, >30m users, lighting 37 %, heating 31 %, plugs 26 %), IoT Analytics (21.1 bn devices globally 2025, +14 %), MarketsandMarkets & Coherent Market Insights (EU IoT market share 34.7 % in 2026, technology market USD 246.63 → 272.11 bn 2025-2030), OMR IoT Report 2025. Legal analysis: Eversheds Sutherland (Art. 50 - 2026/2027 staging), Greenberg Traurig (Art. 29 - cloud switch fee-free 2027), Goodwin (Art. 25 - switching deadlines), DLA Piper (Art. 40 - sanctions), IT-Recht-Kanzlei (Art. 3 para. 2 - information duties).

Plan compliance now, not later

The Data Act is not an abstract compliance topic; it touches product data maintenance, checkout, T&Cs, cloud architecture and customer service alike. Setting 12 September 2026 as an internal project milestone - in parallel with topics such as withdrawal button rollout, SEPA instant payments, NIS2 and PPWR - creates a resilient compliance path instead of isolated measures.

We support you pragmatically: from product catalogue audit through the implementation of product-page blocks and Shopware adaptations to manufacturer communication and the integration with modern Shopware front-ends or first-party data strategies.

Primary addressees are typically manufacturers, providers of connected products and data-processing services. Retailers are still indirectly bound - especially the pre-contractual information duties under Art. 3 para. 2 that must be implemented in the shop, as well as forwarding data requests to the correct manufacturer. Anyone selling own brands or marketing products under their own name counts as a manufacturer and must meet Art. 3 themselves.

From that date all newly placed connected products and related services must meet the design duties of Art. 3: default, easy and secure data access for users, machine-readable formats, free access to raw data and metadata. Existing products follow on 12 September 2027 - and only for specific product categories identified by delegated acts.

Art. 3 para. 2 requires clear, comprehensible pre-contractual information on: type and format of generated data, estimated volume and frequency, real-time collection, storage location and duration, access path for the user and contact for complaints. Put this on the product detail page - not only in the T&Cs. A dedicated accordion or tab with structured presentation has proven effective.

Art. 7 explicitly exempts micro and small enterprises, unless they are part of a larger group or work as commissioned providers. Thresholds follow the EU SME definition (fewer than 50 staff, annual turnover up to EUR 10m). Anyone above this - including own-brand retailers - must implement the duties in full. Regardless, general unfair competition law may still require pre-contractual transparency.

All providers of data-processing services (cloud, edge, platform services) must make switching to another provider technically and organisationally possible. Notice period up to two months, transition up to 30 days (in exceptional cases up to seven months), open interfaces and functional parity are mandatory. From 12 January 2027 all switching fees are banned. For IoT shops this is a reason to actively review contracts with back-end, analytics and monitoring providers against these rules.

For infringements affecting personal data the GDPR framework applies: up to EUR 20m or 4 % of global annual turnover. For purely non-personal data member states set their own frames; in Germany a staged approach is emerging - up to EUR 50,000 for minor breaches, up to EUR 500,000 for serious breaches of data access rights and unfair B2B clauses, up to EUR 5m or 2 % global turnover for gatekeeper platforms. Early, documented implementation significantly reduces risk.