Navigating EU Data Act Compliance in Healthcare

2025-08-15T12:03:00
European Union

Exploring how the EU Data Act mandates access and sharing of connected device data to drive innovation and patient outcomes

The EU Data Act, which is set to come into effect on 12 September 2025, introduces a comprehensive legal framework governing access to and sharing of data generated by connected products and related services, including medical devices and health wearables, across the European Union. The regulation aims to foster a competitive data economy and accelerate innovation in healthcare by granting users — natural or legal persons — the explicit right to access and instruct the sharing of raw and pre-processed data generated by their devices, while balancing the protection of trade secrets and personal data under existing frameworks.

Organisations such as medical device manufacturers and service providers will face new transparency obligations in their contracts and new product design requirements. The interplay with sector-specific legislation (i.e. the European Health Data Space Regulation) creates opportunities for enhanced public health research, but also poses potential challenges in terms of regulatory compliance and product recertification. Healthcare stakeholders are encouraged to assess the scope of their obligations, develop data-sharing agreements and implement internal procedures to comply with this new Regulation.

Transforming the healthcare data ecosystem

In response to the exponential growth of Internet of Things (IoT) products, the Data Act introduces rules to ensure fairness in the data economy and provide legal clarity on who can access and use data generated by connected devices. The overarching goal is to stimulate innovation, competitiveness and economic growth by unlocking data, particularly industrial and health-related data, for reuse in research, public services and new business models. The Data Act also addresses unfair contractual terms, protects SMEs from abusive clauses and establishes mechanisms to prevent third-country governments from unlawfully accessing non-personal data stored within the EU.

While the regulation applies to all sectors, it specifically mentions medical and health devices as connected products within its scope. Wearable devices, such as smartwatches, fitness trackers and ingestible sensors, collect vast quantities of raw, real-time data on physiological parameters, including heart rate, respiratory rate, sleep patterns and glucose levels. Until now, this data has largely remained within proprietary platforms. Under the Data Act, users of these devices will have the right to access their generated data in a structured, machine-readable format and instruct data holders — typically manufacturers or service providers — to share it with third parties, including healthcare professionals, researchers and policymakers. This paradigm shift promises to enhance personalised care, enable remote monitoring and support large-scale epidemiological studies by feeding high-quality, interoperable data into the EHDS and other research infrastructures.

The Data Act clarifies that data generated by the use of a product or related service includes not only data that users intentionally record, such as weight or meal logs, but also data that is passively collected by sensors. Importantly, the regulation excludes inferred or derived data, such as diagnostic conclusions or treatment recommendations, from mandatory sharing. This focus on raw or minimally processed data and basic metadata preserves incentives for investment in analytics and protects the intellectual efforts behind complex algorithms. This balance seeks to unlock the potential of device-generated data for public health benefits while safeguarding proprietary innovations.

Obligations for manufacturers and healthcare stakeholders

Data holders must provide users with transparent information before concluding a contract, including details of the nature, volume, format and frequency of the data generated, and how users can access and share it. Contracts must clearly outline whether the manufacturer or service provider intends to use the data for its own purposes and, if so, the specific objectives and conditions.

Under the design requirements of Article 3, connected products placed on the market after 12 September 2026 must allow access by design, providing direct access to user-generated data through open interfaces or data downloads by default. For products already on the market before that date, indirect access mechanisms must be provided upon request and may include online portals or API endpoints. Users will have the right to request direct or indirect access without undue delay and in real time where technically feasible.

Legal and regulatory interplay

The Data Act must be read in conjunction with the GDPR, which takes precedence in matters of personal data protection, as well as sector-specific regulations. Moreover, the obligation to grant access to additional data points must also be balanced against cybersecurity risks. For instance, opening real-time telemetry interfaces could expose devices to malicious interference, requiring integrated risk assessments under cybersecurity regulations.

The European Health Data Space will also impose requirements on top of the Data Act by establishing standardised data formats, consent management frameworks and secure processing environments for the secondary use of health data.

Challenges and next steps

The Data Act poses several implementation challenges for healthcare stakeholders. Many of them may be required to re-engineer products, update technical documentation and renegotiate contractual terms within a compressed timeline.

To navigate these complexities, industry actors should undertake early gap analyses to determine which products fall within the Data Act scope and assess necessary design modifications. Developing standardised data-sharing agreements that leverage the model contractual clauses from the European Commission will also help to protect organisations’ information and trade secrets while ensuring user rights.

Ultimately, the success of the Data Act in the healthcare sector depends on achieving the right balance between data accessibility, innovation incentives and the protection of privacy and safety.
