5 January 2026
With the increasing digitalisation and connectivity of medical products and applications, significant volumes of usage data are generated, whether in the operation of medical devices, within laboratory diagnostic systems, or in conjunction with digital health services. The European Data Act (Regulation (EU) 2023/2854), applicable since September 2025, addresses this development and establishes a comprehensive legal framework for access to such product data and related service data. The aim is to facilitate the use of these data, in particular for those who use devices or services in everyday practice.
The Regulation contains specific requirements regarding the technical design of products, the contractual structuring of data access, and the obligation to make data available to users and third parties. It therefore affects key areas of product development, contract drafting and data-processing practice. The following brief article explains selected provisions of Articles 3 to 6 of the Data Act and places them in the regulatory context of the Life Sciences sector. After clarifying key concepts, it presents the rights of users, the obligations of data holders, and the main protective mechanisms. This is followed by selected brief practical examples.
The Data Act defines which categories of data fall within the scope of the new access rights. The focus is on:
The Data Act grants users extensive rights in relation to the data generated through their use. Specifically, they may access the product data and related service data defined above that arise from the use of their device or service and, in principle, use them for their own purposes. They may also share these data with third parties of their choice, such as external service providers, other software platforms, or research institutions. This in detail:
Article 3 (1) of the Data Act already applies at the product design and development stage. Connected products must be designed so that the relevant usage data are, by default, easily and directly accessible. This principle—so to speak, “data access by design”—means, for example, that a medical device should ideally have a data interface or export function, rather than keeping usage data only internally. In addition, there is a pre-contractual information obligation: Before purchasing, renting or leasing a connected product (or concluding a service contract), the provider must inform the user in a clear and comprehensible manner which data the product or service generates, how and where those data are stored, whether they are generated in real time where applicable, and how the user can access, retrieve, or delete them. Users should therefore already know at the time of contract conclusion what they are agreeing to in terms of data flows, in order to be able to compare offers. A clinic could, for example, learn already from the purchase offer that a diagnostic device stores certain usage data in a manufacturer cloud and then make an informed decision for or against that device. In addition, the data holder may use such data only on the basis of a contract with the user.
Where the data are not already directly accessible on the product or within the application, users may request, pursuant to Article 4 of the Data Act, that the data holder—generally the manufacturer of the connected product or the provider of the related service—make the readily available data available. The data must be made available without undue delay, easily, securely, free of charge, in a comprehensive, commonly used and machine-readable format, and—where relevant and technically feasible—in the same quality as for the data holder, continuously and in real time. The data holder must not place unnecessary obstacles in the user’s way. The transmission should take place by simple electronic means, for example via a web portal or an API. Any artificial restriction of data quality or depth of access is prohibited.
In addition to direct data access under Article 4 of the Data Act, users also have the right under Article 5 of the Data Act to request that the relevant data be made available to a third party of their choice, for example an independent service provider or another company with which they cooperate. The generated usage data are, in principle, subject to the user’s free disposal. Importantly, making the data available to the respective users is always free of charge, regardless of whether the user is a consumer, a small business or a large corporation. Only where the data are made available to a third party may remuneration be requested in a B2B context. However, such remuneration must be transparent, fair and non-discriminatory and must essentially be based on the actual costs of making the data available. Excessive fees or hidden access barriers are prohibited. Contractual arrangements that restrict or circumvent the statutory data access rights of users are likewise prohibited. Under Article 13 of the Data Act, any term that limits the statutory right to data provision to the detriment of the user is null and void. Manufacturers should take this into account when drafting their contractual terms and standard terms and conditions.
In addition, Article 4 (13) of the Data Act obliges the data holder to use non-personal readily available data of the user only on a contractual basis. In particular, any use of such data to obtain commercial insights that could undermine the user’s economic position is prohibited, for example by drawing conclusions about financial situation, production processes or market behaviour. Here too, the protection of users’ interests lies at the heart of the new data regime.
However, the Data Act also sets limits on users’ use of data in order to prevent misuse. Users are prohibited from using the data they receive to develop a competing product or from sharing them with third parties for that purpose. Users must also not employ unfair means to obtain access to data, such as hacking or exploiting technical vulnerabilities. The new rights are to be exercised by lawful means, not through unauthorised interference with device software. In other words, those who use a device should be able to obtain the usage data, but must not bypass security mechanisms.
A sensitive issue is the handling of trade secrets and security-critical information. Especially in high-tech medical products, certain datasets could allow inferences to be drawn about internal processes or the manufacturer’s algorithms, which from the manufacturer’s perspective are worthy of protection. In the view of numerous critics, the Data Act addresses this rather inadequately: It first provides that the data holder must not refuse the user access to the usage data on the grounds that they (also) contain trade secrets. Before trade secrets contained in the data have to be disclosed, the user and the data holder must agree on appropriate safeguards (Article 4 (6) of the Data Act). This may mean, for example, that the user must sign a non-disclosure agreement (NDA), comply with certain security protocols, and/or grant access only to authorised persons. For its part, the data holder must identify which of the requested data contain a trade secret so that it is clear what must be treated as confidential. If no agreement is reached on this, or if the user later fails to comply and jeopardises confidentiality, the data holder may refuse or temporarily suspend the provision of the data (Article 4 (7) of the Data Act). The data holder must justify this step in writing and notify the competent authority.
However, the Data Act permits a permanent refusal to provide data containing trade secrets only in very limited exceptional cases. Such a case exists where the data holder can demonstrate that, even taking appropriate safeguards into account, the disclosure of certain information would be likely to result in serious economic damage (Article 4 (8) of the Data Act). When this threshold is actually met will likely be left to future clarification by the courts. This could be conceivable, for example, in the case of particularly sensitive, unique information that constitutes an essential distinguishing feature of the product and whose disclosure could cause the manufacturer substantial disadvantages. However, the requirements for such proof are high: The data holder must substantiate the threatened risk in the individual case in a comprehensible and objective manner, for example with regard to the limited enforceability of trade secret protection in certain third countries or the particularly high level of innovation of the product concerned. A refusal based on this exception must also be notified to the competent authority. It is clear that a complete refusal to provide the data remains a measure of last resort.
The Data Act also takes account of specific security interests. Users and manufacturers may agree not to make certain data accessible where making data available would jeopardise health, safety or public order (Article 4 (2) of the Data Act). This clause targets, for example, scenarios in which sharing device data could create serious IT security risks. In such cases, data access may be restricted or prohibited, but only on the basis of existing relevant laws and with strict documentation. If a manufacturer refuses data sharing by referring to security requirements, it must also notify the supervisory authority of this. In addition, users have a right to lodge a complaint if they consider the restriction to be unfounded (Article 4 (3) and (4) of the Data Act).
The Data Act also addresses third parties to whom users make their data available: These data recipients are likewise placed under obligations to ensure responsible handling. An external service provider that receives device data from the user (for example for analysis or maintenance) may use the data only for the purpose agreed with the user and must delete them as soon as they are no longer necessary for that purpose (Article 6 (1) of the Data Act). In particular, it must not simply pass on the data received: Making the data available to further third parties is permitted only where the user has consented and the third party complies with all safeguard requirements agreed with the data holder in order to preserve the confidentiality of trade secrets (Article 6 (2), point (c), of the Data Act). Profiling of users is prohibited unless it is strictly necessary for the provision of the service (Article 6 (2), point (b), of the Data Act). The third party must also not make the data available to a powerful platform operator (a so-called gatekeeper within the meaning of the Digital Markets Act) and must not use them to develop a product that competes with the manufacturer’s device itself (Article 6 (2), points (d)–(e), of the Data Act). This prevents large tech companies or direct competitors from indirectly gaining valuable know-how via usage data and copying the manufacturer. Likewise, the third party must ensure that its use of the data does not create security risks for the originating system, for example by facilitating the introduction of malware or bypassing protective settings (Article 6 (2), points (f)–(g), of the Data Act). Finally, a service provider must not contractually prevent a user who is a consumer from making their data available to other parties as well (Article 6 (2), point (h), of the Data Act).
All these requirements aim to create a trustworthy data ecosystem: The user should be able to freely choose who receives their data, without fear that the data will be misused or fall into the wrong hands in an uncontrolled manner.
How do these abstract requirements work in practice? In the Life Sciences environment, there are numerous scenarios in which connected devices and digital services are used, for example:
With the Data Act, the European Union is establishing for the first time a comprehensive regime for mandatory data access for connected products and related services. In the Life Sciences sector as well, the Regulation creates new legal and economic framework conditions that are likely to have significant effects on established structures and business models. Manufacturers of medical devices, software providers, and hospitals as data-processing entities are confronted with a paradigm shift: In future, usage data will no longer be regarded as the provider’s exclusive resource, but rather as a kind of shared right of use for the customer.
For manufacturers, this means in particular that they should fundamentally review their data handling, the design of their products and interfaces, and their contractual documentation. Technical systems should be set up so that relevant data can in fact be made accessible. In addition, legally robust procedures must be established to identify and delineate protected content such as trade secrets or security-relevant information. In practice, the question often arises whether certain information is to be classified as “readily available” or instead as protected.
In addition, it is to be expected that third parties—such as competitors, technical service providers or new market entrants—will in future specifically attempt to obtain access to product data and related service data via users in order to penetrate existing value chains. The economic impact of the new obligations, for example with regard to margins, customer retention or data monetisation, is currently hardly foreseeable.
At the same time, new perspectives are likely to open up for larger organisations such as hospital groups or laboratory networks, which can now work more actively with their system data and integrate external solutions more efficiently. Early technical, legal and strategic engagement with the requirements of the Data Act therefore appears indispensable.