New EU Battery Passport rules: What’s changing for OEMs?

The European Commission issued definitive guidance in September 2025 clarifying which vehicle data automotive manufacturers must share under the EU Data Act.

With enforcement beginning September 2026, OEMs must provide access to raw and pre-processed vehicle data while protecting proprietary algorithms. Direct user access is free, but B2B data sharing can be monetized under reasonable compensation rules.

As the September 2026 deadline nears, the European Commission has issued comprehensive guidance that clarifies exactly which vehicle data must be shared and how. For automotive manufacturers still planning their compliance strategy, it’s now essential to understand these details.

Why this guidance matters for automotive OEMs?

EU Data Act becomes enforceable in September 2026, requiring all connected vehicle manufacturers to provide direct data access to end users and their chosen third parties. While the regulation itself established the legal framework, the Commission's guidance document - published September 12, 2025 - provides automotive specific interpretation that removes much of the ambiguity manufacturers have faced.

This is no longer just a paper exercise. If you fall short, expect:

•  Heavy financial consequences
•  Serious business risk and reputational damage
•  Potential legal exposure across EU markets
•  A competitive disadvantage as compliant competitors gain market access

For OEMs without appropriate technological infrastructure or clear understanding of these requirements, the deadline is rapidly approaching.

At Grape Up, our expert team and  Databoostr platform have already helped multiple OEMs achieve compliance before the September deadline.  Learn more about our solution .

What vehicle data must be shared?

The September 2025 guidance establishes clear boundaries between data that falls within and outside the Data Act's scope, resolving one of the most contested issues in implementation planning.

In-scope data: Raw and pre-processed vehicle data

Manufacturers must provide access to data that characterizes vehicle operation or status. The guidance defines two categories that must be shared:

 Raw Data Examples:

•  Sensor signals: wheel speed, tire pressure, brake pressure, yaw rate
•  Position signals: windows, throttle, steering wheel angle
•  Engine metrics: RPM, oxygen sensor readings, mass airflow
•  Raw image/point cloud data from cameras and LiDAR
•  CAN bus messages
•  Manual command results: wiper on/off, air conditioning usage; component status: door locked/unlocked, handbrake engaged

 Pre-Processed Data Examples:

•  Temperature measurements (oil, coolant, engine, battery cells, outside air)
•  Vehicle speed and acceleration
•  Liquid levels (fuel, oil, brake fluid, windshield wiper fluid)
•  GNSS-based location data
•  Odometer readings
•  Fuel/energy consumption rates
•  Battery charge level
•  Normalized tire pressure
•  Brake pad wear percentage
•  Time or distance to next service
•  System status indicators (engine running, battery charging status) and malfunction codes and warning indicators

 Bottom line is this: If the data describes real-world events or conditions captured by vehicle sensors or systems, it's in scope - even when normalized, reformatted, filtered, calibrated, or otherwise refined for use.

The guidance clarifies that basic mathematical operations don't exempt data from sharing requirements. Calculating current fuel consumption from fuel flow rate and vehicle speed still produces in-scope data that must be accessible.

Out-of-scope data: Inferred and derived information

Data excluded from mandatory sharing requirements represents entirely new insights created through complex, proprietary algorithms:

•  Dynamic route optimization and planning algorithms
•  Advanced driver-assistance systems outputs (object detection, trajectory predictions, risk assessment)
•  Engine control algorithms optimizing performance and emissions
•  Driver behavior analysis and eco-scores
•  Crash severity analysis
•  Predictive maintenance calculations using machine learning models

 The main difference is this: The guidance emphasizes that exclusion isn't about technical complexity alone - it's about whether the data represents new information beyond describing vehicle status. Predictions of future events typically fall out of scope due to their inherent uncertainty and the proprietary algorithms required to generate them.

However, if predicted data relates to information that would otherwise be in-scope, and less sophisticated alternatives are readily available, those alternatives must be shared. For example, if a complex machine learning model predicts fuel levels, but a simpler physical fuel sensor provides similar data, the physical sensor data must be accessible.

How must data access be provided?

The Data Act takes a technology-neutral approach as of September 2025, allowing manufacturers to choose how they provide data access - whether through remote backend solutions, onboard access, or data intermediation services. However, three essential requirements apply:

1. Quality equivalence requirement

Data provided to users and third parties must match the quality available to the manufacturer itself. This means:

•  Equivalent accuracy - same precision and correctness
•  Equivalent completeness - no missing data points
•  Equivalent reliability - same uptime and availability
•  Equivalent relevance - contextually useful data
•  Equivalent timeliness - real-time or near-real-time as per manufacturer's own access

The guidance clearly prohibits discrimination: data cannot be made available to independent service providers at lower quality than what manufacturers provide to their own subsidiaries, authorized dealers, or partners.

2. Ease of access requirement

The "easily available" mandate means manufacturers cannot impose:

•  Undue technical barriers requiring specialized knowledge
•  Prohibitive costs for end-user access
•  Complex procedural hurdles

 In practice: If data access requires specialized tools like proprietary OBD-II readers, manufacturers must either provide these tools at no additional cost with the vehicle or implement alternative access methods such as remote backend servers.

3. Readily available data obligation

The guidance clarifies that “readily available data” includes:

•  Data manufacturers currently collect and store
•  Data they “can lawfully obtain without disproportionate effort beyond a simple operation”

For OEMs implementing extended vehicle concepts where data flows to backend servers, this has significant implications. Even if certain data points aren’t currently transmitted due to bandwidth limitations, cost considerations, or perceived lack of business use-case, they may still fall within scope if retrievable through simple operations.

When assessing whether obtaining data requires “disproportionate effort,” manufacturers should consider:

•  Technical complexity of data retrieval
•  Cost of implementation
•  Existing vehicle architecture capabilities

What are vehicle-related services under the Data Act?

The September 2025 guidance distinguishes between services requiring Data Act compliance and those that don’t.

Services requiring compliance (vehicle-related services)

Vehicle-related services require bi-directional data exchange affecting vehicle operation:

•     Remote vehicle control:    door locking/unlocking, engine start/stop, climate pre-conditioning, charging management
•     Predictive maintenance:    services displaying alerts on vehicle dashboards based on driver behavior analysis
•     Cloud-based preferences:    storing and applying driver settings (seat position, infotainment, temperature)
•     Dynamic route optimization:    using real-time vehicle data (battery level, fuel, tire pressure) to suggest routes and charging/gas stations

Services NOT requiring compliance

Traditional aftermarket services generally aren't considered related services:

•  Auxiliary consulting and analytics services
•  Financial and insurance services analyzing historical data
•  Regular offline repair and maintenance (brake replacement, oil changes)
•  Services that don't transmit commands back to the vehicle

 The key distinction: services must affect vehicle functioning and involve transmitting data or commands to the vehicle to qualify as "vehicle-related services" under the Data Act.

Understanding the cost framework for data sharing

The guidance issued in September 2025 draws a clear line in the Data Act's cost structure that directly impacts business models.

Free access for end users

When vehicle owners or lessees request their own vehicle data - either directly or through third parties they've authorized - this access must be provided:

•  Easily and without prohibitive costs
•  Without requiring expensive specialized equipment through user-friendly interfaces or methods

Paid access for B2B partners

Under Article 9 of the Data Act, manufacturers can charge reasonable compensation for B2B data access. This applies when business partners request data, including:

•  Fleet management companies
•  Insurance providers
•  Independent service providers
•  Car rental and leasing companies
•  Other commercial third parties

 For context: The Commission plans to issue detailed guidelines on calculating reasonable compensation under Article 9(5), which will provide specific methodologies for determining fair pricing. This forthcoming guidance will be crucial for manufacturers developing their data plans to monetize data while ensuring compliance.

 Key Limitation: These compensation rights have no bearing on other existing regulations governing automotive data access, including technical information necessary for roadworthiness testing. The Data Act's compensation framework applies specifically to the new data sharing obligations it creates.

Practical implementation considerations for September 2026

Backend architecture and extended vehicle obligations

The extended vehicle concept, where data continuously flows from vehicles to manufacturer backend servers, creates both opportunities and obligations. This architecture makes data readily available to OEMs, who must then provide equivalent access to users and third parties.

Action items:

•  Audit which data points your current architecture makes readily available
•  Ensure access mechanisms can deliver this data with equivalent quality to all authorized recipients
•  Evaluate whether data points not currently collected could be obtained "without disproportionate effort"

Edge processing and data retrievability

Data processed "on the edge" within the vehicle and immediately deleted isn't subject to sharing requirements. However, the September 2025 guidance encourages manufacturers to consider the importance of certain data points for independent aftermarket services when deciding whether to design these data points as retrievable.

Critical data points for aftermarket services:

•  Accelerometer readings
•  Vehicle speed
•  GNSS location
•  Odometer values

Making these retrievable benefits the broader automotive ecosystem and may provide competitive advantages in partnerships.

Technology choices and flexibility

While the Data Act is technology-neutral, chosen access methods must meet quality requirements. If a particular implementation - such as requiring users to physically connect devices to OBD-II ports - results in data that is less accurate, complete, or timely than backend server access, it fails to meet the quality obligation.

Manufacturers should evaluate access methods based on:

•  Data quality delivered to recipients
•  Ease of use for different user types
•  Cost-effectiveness of implementation
•  Scalability for B2B partnerships
•  Integration with existing digital infrastructure

Databoostr: Purpose-built for EU Data Act compliance

Grape Up's Databoostr platform was developed specifically to address the complex requirements of the EU Data Act. The solution combines specialized legal, process, and technological consulting with a proprietary data sharing platform designed for automotive data compliance.

 Learn more about Databoostr and how it can help your organization meet EU Data Act requirements.

Addressing the EU Data Act requirements

Databoostr's architecture directly addresses the key requirements established in the Commission's guidance:

 Quality Equivalence: The platform ensures data shared with end users and third parties matches the quality available to manufacturers, with built-in controls preventing discriminatory access patterns.

 Ease of Access: Multiple access methods—including remote backend integration and user-friendly interfaces - eliminate technical barriers for end users while supporting sophisticated B2B integrations.

 Readily Available Data Management : The platform handles both currently collected data and newly accessible data points, managing the complexity of determining what constitutes "readily available" under the guidance.

 Check our case studies :  EU Data Act Connected Vehicle Portal and  Connected Products Data Sharing Platform

Modular architecture for compliance and monetization

Databoostr's modular design addresses both immediate compliance needs and strategic opportunities. Organizations implementing the platform for EU Data Act requirements can seamlessly activate additional modules for data monetization:

•  Data catalog management for showcasing available data products
•  Subscription and package sales for B2B partners
•  Automatic usage calculation tracking data sharing volumes
•  Billing infrastructure supporting the Article 9 reasonable compensation framework

This setup supports both compliance and revenue growth from a single platform, reducing IT complexity while meeting the guidance's technical requirements.

Comprehensive implementation methodology

The Databoostr implementation approach aligns with the guidance's requirements through:

 Legal Consulting

•  Analyzing regulatory requirements specific to your vehicle types
•  Translating Data Act provisions into specific organizational obligations
•  Interpreting the September 2025 guidance within your business context
•  Creating individual implementation roadmaps

 Process Consulting

•  Designing compliant data sharing workflows for end users and B2B partners
•  Determining which data points fall in-scope based on your architecture
•  Establishing quality equivalence controls
•  Planning for reasonable compensation structures

 Technical Consulting

•  Pre-implementation analysis of existing data infrastructure
•  Solution architecture tailored to your extended vehicle implementation
•  Integration planning with backend systems
•  Addressing readily available data retrieval requirements

 Platform Customization

•  Integration with existing digital ecosystems
•  Custom components for specific vehicle architectures
•  Access method implementation (backend, onboard, or hybrid)
•  Quality assurance mechanisms

 Comprehensive Testing

•  Quality equivalence validation
•  Integration verification with existing IT infrastructure
•  Security testing ensuring compliant data sharing
•  Functional testing confirming alignment with guidance requirements

Post-implementation support

With the extended vehicle concept creating readily available data obligations, manufacturers need ongoing platform management. Databoostr provides:

•  Continuous monitoring of platform operation
•  Response to technical or functional issues
•  Supervision of ongoing compliance with Data Act requirements
•  Platform updates reflecting evolving regulatory interpretations

Timeline: What automotive OEMs should do now

 Now - March 2026: Complete data inventory, classify according to guidance definitions, design technical architecture, begin platform implementation

 March - July 2026: Finalize platform integration, conduct comprehensive testing, establish B2B partnership frameworks, train internal teams

 July - September 2026: Run parallel systems, validate compliance, prepare documentation for regulatory authorities, establish monitoring processes

 September 2026 and Beyond: Full enforcement begins, ongoing compliance monitoring, response to Commission's forthcoming compensation calculation guidelines

The path forward: Clear requirements, fixed deadline

The Commission's September 2025 guidance removes ambiguity that has delayed planning for some organizations. With regulatory requirements now precisely defined and less than eleven months until enforcement begins, manufacturers should be finalizing their compliance plans and beginning implementation.

The guidance encourages affected industry stakeholders to engage in dialogue achieving balanced implementation. The Commission also emphasizes coordination between Data Act enforcement authorities and other automotive regulators, including those overseeing type approval and data protection, to ensure smooth interplay between regulations.

For automotive manufacturers, three facts are now clear:

1.     The requirements are defined:    The September 2025 guidance specifies exactly which data must be shared, at what quality level, and through what access methods
2.     The deadline is fixed:    September 2026 enforcement is approaching rapidly
3.     The consequences are significant:    Non-compliance risks financial penalties, business disruption, and competitive disadvantage

Organizations that haven't yet begun implementation should treat the Commission's guidance as a final call to action.

The EU Data Act is about to change the rules of the game for many industries, and automotive OEMs are no exception. With new regulations aimed at making data generated by connected vehicles more accessible to consumers and third parties, OEMs are experiencing a major shift. So, what does this mean for the automotive space?

First, it means rethinking  how data is managed, shared, and protected . OEMs must now meet new requirements for data portability, security, and privacy, using software compliant with the EU Data Act.

 This guide will walk you through how they can prepare to not just survive but thrive under the new regulations.

                   The EU Data Act deadlines OEMs can’t miss                
   
    -          Chapter II         (B2B and B2C data sharing) has a deadline of September 2025.    
    -          Article 3         (accessibility by design) has a deadline of September 2026.    
    -          Chapter IV         (contractual terms between businesses) has a deadline of September 2027.          

Compliance requirements for automotive OEMs

The EU Data Act establishes  specific obligations for automotive OEMs to ensure secure, transparent, and fair data sharing with both consumers (B2C) and third-party businesses (B2B). The following key provisions outline the requirements that OEMs must fulfill to comply with the Act.

B2C obligations

1.     Data accessibility for users:    
    
   •    Connected products, such as vehicles, must be built in a way that makes data generated by their use accessible in a structured, machine-readable format. This requirement applies from the manufacturing stage, meaning the design process must incorporate data accessibility features.  
    
2.     User control over data:    
    
   •    Users should have the ability to control how their data is used, including the right to share it with third parties of their choice. This requires OEMs to implement systems that allow consumers to grant and revoke access to their data seamlessly.  
    
3.     Transparency in data practices:    
    
   •    OEMs are required to provide clear and transparent information about the nature and volume of collected data and the way to access it.  
    
   •    When a user requests to make data available to a third party, the OEM must inform them about:  
    

a) The identity of the third party

b) The purpose of data use

c) The type of data that will be shared

d) The right of the user to withdraw consent for the third party to access the data

B2B obligations

 1. Fair access to data:

•  OEMs must ensure that data generated by connected products is accessible to third parties at the user’s request under fair, reasonable, and non-discriminatory conditions.
•  This means that data sharing cannot be restricted to certain partners or proprietary platforms; it must be available to a broad range of businesses, including independent repair shops, insurers, and fleet managers.

 2. Compliance with security and privacy regulations:

•  While sharing non-personal data, OEMs must still comply with relevant data security and privacy regulations. This means that data must be protected from unauthorized access and that any data-sharing agreements are in line with the EU Data Act and GDPR.

 3.  Protection of trade secrets

•  OEMs have a right and obligation to protect their trade secrets and should only disclose them when necessary to meet the agreed purpose. This means identifying protected data, agreeing on confidentiality measures with third parties, and suspending data sharing if these measures are not properly followed or if sharing would cause significant economic harm.

Understanding the specific obligations is only the first step for automotive OEMs. Based on this information, they can build software compliant with the EU Data Act. To navigate these new requirements effectively, OEMs need to adopt an approach that not only meets regulatory demands but also strengthens their competitive edge.

Thriving under the EU Data Act: smart investments and privacy-first strategies

 Automotive OEMs must take a strategic approach to both their software and operational frameworks,  balancing compliance requirements with innovation and customer trust. The key is to prioritize solutions that improve data accessibility and governance while minimizing costs. This starts with redesigning connected products and services to align with the Act’s data-sharing mandates and creating solutions to handle data requests efficiently.

Another critical focus is  balancing privacy concerns with data-sharing obligations . OEMs must handle non-personal data responsibly under the EU Data Act while managing personal data in accordance with GDPR. This includes providing transparency about data usage and giving customers control over their data.

To achieve this balance, OEMs should identify which data needs to be shared with third parties and integrate privacy considerations across all stages of product development and data management. Transparent communication about data use, supported by clear policies and customer controls, helps to reinforce this trust.

Opportunities under the EU Data Act

The EU Data Act presents compliance challenges, but it also offers significant opportunities for OEMs that are prepared to adapt. By meeting the Act’s requirements for fair data sharing, OEMs can expand their services and build new partnerships. While direct monetization from data access fees is limited, there are numerous opportunities to leverage shared data to develop new value-added services and improve operational efficiency.

Next steps for automotive OEMs

To move to implementation, OEMs must take targeted actions that address the compliance requirements outlined earlier. These steps lay the groundwork for integrating broader strategies and turning compliance efforts into opportunities for operational improvement and future growth.

 Integrate data accessibility into vehicle design

Start integrating  data accessibility into vehicle design now to comply by 2026. This involves adapting both front and back-end components of products and services to enable secure and seamless data access and transfer according to the EU Data Act.

 Provide user and third-party access to generated data

Introduce easy-to-use mechanisms that let users request access to their data or share it with chosen third parties. Access control should be straightforward, involving simple user identification and making data accessible to authorized users upon request. Develop dedicated data-sharing solutions, applications, or portals that enable third parties to request access to data with user consent.

 Implement trade secret protection measures

OEMs should protect their trade secrets by identifying which vehicle data is commercially sensitive. Implement measures like data encryption and access controls to safeguard this information when sharing data. Clearly communicate your approach to protecting trade secrets without disclosing the sensitive information itself.

 Implement transparent and secure data handling

Provide clear information to users about what data is collected, how it is used, and with whom it is shared. Transparent data practices help build trust and align with users' data rights under the EU Data Act.

Remember about the non-personal data that is being collected, too. Apply appropriate measures to preserve data quality and prevent its unauthorized access, transfer, or use.

 Enable data interoperability and portability

The Act sets out essential requirements to facilitate the interoperability of data and data-sharing mechanisms, with a strong emphasis on data portability. OEMs need to make their data systems compatible with third-party services, allowing data to be easily transferred between platforms.

For example, if a car owner wants to switch from an OEM-provided app to a third-party app for vehicle diagnostics, OEMs must not create technical, contractual, or organizational barriers that would make this switch difficult.

 Prepare the data

Choose a data format that fulfills the EU Data Act’s requirement for data to be shared in a “commonly used and machine-readable format.” This approach supports data accessibility and usability across different platforms and services.

Moving forward with confidence

The EU Data Act is bringing new obligations but also offering valuable opportunities. Navigating these changes may seem challenging, but with the right approach, they can become a catalyst for growth.

‍

Cars used to just get us from point A to point B. Today, they function more like high-tech hubs that track GPS locations, store phone contacts, and gather details about our driving habits. This shift hasn’t escaped the attention of lawmakers and regulators. In Canada,  conversations about data privacy have become louder and more urgent , especially with the Consumer Privacy Protection Act (CPPA) on the way.

Even though the CPPA is designed to handle personal data in general, it still lays down important rules for handling personal information. In other words, if you’re in the automotive business, you’ll want to pay close attention. Understanding how this new legislation applies to the  data you collect and protect is critical for maintaining trust with customers and staying on the right side of the law.

The CPPA at a glance

Think of the Consumer Privacy Protection Act as the next chapter in Canada’s privacy story. Currently, the Personal Information Protection and Electronic Documents Act (PIPEDA) guides how companies handle personal data. But as online services grow more complex, the government wants to give Canadians stronger rights and clearer protections.

CPPA aims to refine or replace key parts of PIPEDA, focusing on three main things: giving people more control over their data, making sure businesses are upfront about what they do with it, and creating tougher consequences for those who violate the rules.

 Key provisions

•     Consent  

Under the CPPA, organizations must get informed, meaningful permission before collecting or using someone’s personal data.

•     Data portability and erasure  

The CPPA allows individuals to direct the secure transfer of their data, which simplifies switching providers. Plus, you can request that a company delete your information if it’s no longer needed or you no longer agree to its use.

•     Algorithmic transparency  

Companies using  AI and machine learning must be prepared to explain how they arrive at certain conclusions if they rely on personal information. No more mystery algorithms making big calls without any explanation.

•     Penalties and enforcement  

In the past, fines for privacy violations could be sizable, but the CPPA raises the stakes. Businesses that break the rules could face penalties of up to 5% of their global revenue or CAD 25 million, whichever is greater.

CPPA implications for the automotive sector

Modern vehicles collect a surprising amount of personal information, from real-time locations to driver preferences. Although the CPPA doesn’t single out car manufacturers or dealers, it covers any organization that handles personal data. That puts the  automotive industry on notice for meeting these new standards, and here’s what that might look like:

 1. Consent and transparency

•  Drivers should know exactly what data their vehicle is collecting, how it’s being used, and who sees it. Clearer privacy notices are needed to avoid complex legal language whenever possible.
•  While the CPPA emphasizes explicit consent, it doesn’t require opt-in or opt-out choices for every single scenario. Still, offering these options shows respect for drivers’ control over their own data and helps build trust.

 2. Data minimization and retention

•  If certain information isn’t essential for safety alerts, maintenance reminders, or other valid functions, OEMs shouldn’t gather it.
•  Rather than holding onto everything, develop guidelines that clearly define how long data is stored and destroy it once it’s no longer needed.

 3. Data security measures

•  Connected cars face cyber threats just like computers and smartphones. Strong safeguards (encryption, firewalls, regular audits) help prevent breaches.
•  Be prepared to show regulators you have solid security strategies in place, such as incident response plans and routine vulnerability checks.

 4. Rights to erasure and portability

•  When a driver requests that you remove their personal data, it shouldn’t be a struggle. Have a clear process for swift and permanent deletion.
•  Whether it’s transferring service history to another dealership or updating digital profiles, make sure customers can take their data elsewhere with minimal friction.

 5. Enforcement and fines

•  The CPPA ties potential fines to a company’s global revenue, which means large automotive players could face steep financial hits if they fall short.
•  Privacy regulators will have more power to investigate, so expect them to keep a closer eye on your data practices.

                   Privacy compliance isn’t the only area automakers need to watch.        
   
    Bill C-27 introduced the CPPA, but it also includes the Artificial Intelligence and Data Act (AIDA), which sets rules for AI-powered systems. While the CPPA focuses on protecting personal data, AIDA applies to high-impact AI applications like those used in autonomous driving, predictive maintenance, and driver behavior analysis.    
   
    If AI plays a role in setting insurance rates, making in-car recommendations, or adjusting vehicle safety settings, companies may need to document AI training methods, track potential biases, and provide explanations for automated decisions that affect individuals.    
   
    The CPPA already requires transparency when personal data feeds into AI-driven outcomes, but AIDA adds another layer of oversight.          

6 practical steps to keep automotive data privacy on track

The future of vehicle information exchange

The Consumer Privacy Protection Act already affects modern vehicles, which capture everything from location data to driver habits and phone contacts.

However, because the CPPA is designed for all businesses, many people anticipate future rules specifically tailored to connected cars. Such regulations would go beyond the CPPA’s general standards, addressing the unique ways automotive data flows through telematics, in-car apps, and onboard sensors.

On the international front, the  EU Data Act sets out rules for cross-border data handling, which matters if your cars or data move beyond Canada’s borders. The US  Right to Repair Act also gives drivers and independent repair shops greater access to diagnostic information, raising new questions about how personal data is managed.

With these overlapping developments, it’s wise for automotive companies to adopt a comprehensive approach to privacy and data sharing. One that covers both home-grown regulations and global shifts.

 Need help adapting to new rules?

As an OEM, you need to balance international obligations, regional privacy laws, and the technical demands of connected vehicles.

We’re here to assist. Our team not only provides IT consulting but also develops custom software solutions to help you meet complex regulatory requirements.

‍