
Achieve EU Data Act readiness with ease

Provide secure, controlled access to product-generated data in alignment with the EU Data Act and evolving data-sharing regulations.

Advantage

A proven path to compliant data sharing

Translate regulations into actionable controls

Databoostr offers a governed framework that turns regulatory requirements into concrete data sharing workflows, removing the need for your teams to interpret complex legal obligations.

Ensure compliance and reduce exposure

Through built-in alignment with key regulatory expectations, Databoostr helps mitigate compliance risks and reinforce your organization’s data sharing regulatory readiness.

Secure external access without technical barriers

Databoostr provides a ready-to-use platform with built-in integration pathways and optional customization, eliminating the need to build external data sharing capabilities on your own.

Our solution

Databoostr: A data sharing platform

Databoostr enables secure, transparent and consent-based sharing of product-generated data with users and third-parties.

Ready for the EU Data Act

Provides a complete framework for controlled access to product-generated data in full alignment with the EU Data Act requirements and other data sharing regulations.

Secure and authorized data exchange

Ensures shared data is protected, exchanged with clear consent, and fully compliant with data privacy and security standards.

Governance and risk control

Implements policies, controls, and monitoring mechanisms to prevent unauthorized access, misuse, or non-compliant data sharing.

Product demo

See Databoostr in action

Explore our B2B and B2C data sharing portals built for EU Data Act compliance.

Key features

A full suite of capabilities for governed data sharing

Data requests management

Handle incoming user and third-party data access requests with tracking, status management, and fulfillment workflows.

Consent management

Allow users to easily grant or withdraw permission to share their data with third parties.

Auditing and monitoring

Track data access and usage events for operational transparency and system oversight.

Data catalog management

Categorize data eligible for sharing into a searchable inventory for easy discovery and control.

Data filtering

Enable selective exposure of data records based on defined access rules, request scopes and user consent.

Secure data packaging and delivery

Package requested data in a secure format and deliver it through a signed, time-limited link restricted to the intended recipient.

User (B2C) portal

Enable users to submit data requests and manage their data sharing consents.

Third party (B2B) portal

Offer B2B partners and third-parties a secure interface to request, retrieve and manage data access.

Mobile apps integration

Integrate Databoostr APIs to use existing mobile channels for user interactions, data sharing, and notifications.

Data compliance

Support for current and emerging data-sharing regulations

Data-sharing regulations are multiplying - each with its own requirements, timelines, and enforcement risks. Databoostr provides a unified foundation that adapts to current mandates and prepares you for what's next.

EU Data Act

Databoostr enables organizations to meet Data Act obligations by managing user-initiated and third-party data requests, enforcing consent and authorization, and providing secure, governed access to product-generated data across the entire ecosystem.

Right to Repair

Databoostr supports Right-to-Repair data access requirements by allowing OEMs to provide authorized repair and service partners with the operational and diagnostic data they need, delivered through controlled workflows with full auditability and protection of sensitive information.

FIDA (Financial Data Access)

Although FIDA is still under development, its principles mirror those of the EU Data Act—user-driven data access, consent-based sharing, and secure delivery to third-party providers. Databoostr’s existing data-sharing framework is fully suited to support these upcoming requirements for financial institutions and service providers.

Portfolio

Discover how we activate secure data sharing

Business meets technology through engineering excellence.

How two automotive OEMs turned regulatory pressure into business opportunity.

The implementation involved 6 different applications.
A total of 11 different implementation teams were involved on the client side - both in Europe and Japan.
On our side, we also coordinated the activities of 2 external teams for penetration testing and GDPR assessment.
Blog

Insights on data sharing challenges

Learn more about how we activate data sharing

EU Data Act

EU Data Act for home appliances manufacturers: How Databoostr turns compliance into a data advantage

Section 1: What does the EU Data Act actually change for home appliance manufacturers?

What is the EU Data Act?

The EU Data Act (Regulation (EU) 2023/2854) is a horizontal regulation governing who can access and use data generated by connected products and related services. It applies across sectors, but its most direct impact falls on manufacturers of IoT-connected hardware, including home appliances.

The EU Data Act requires that data generated by connected products must be accessible to users by default, shareable with third parties upon user request, and handled under clear, enforceable data access rules.

The regulation is now in force. The full text is available here.

Key obligations for home appliance manufacturers

  1. Data accessibility by design. Products must be designed so that users can access the data they generate. If your connected washing machine logs cycle data, energy consumption, or fault codes, that data belongs to the user, and must be retrievable.
  2. Third-party data sharing upon request. Users must be able to direct manufacturers to share their product data with any third party they choose. This includes insurance companies, energy management platforms, and independent repair workshops, not just OEM-approved service partners.
  3. Non-discriminatory access. Third parties receiving data under user consent must receive it under fair, reasonable, and non-discriminatory (FRAND) conditions. Manufacturers cannot give their own affiliates preferential data access.
  4. Portability and standardization. Data must be provided in a machine-readable format. For companies without a structured data catalog or API layer, this is a significant technical build.
  5. Right to repair implications. One of the most consequential elements for home appliances: users can share diagnostic and usage data with any repair service, not just the manufacturer's network. This breaks a longstanding lock-in mechanism.

What happens if you don't comply?

The Data Act leaves enforcement to each Member State’s national authority. A single incident could trigger parallel investigations in multiple countries with materially different fine structures - Germany’s draft rules and Malta’s legislation already diverge significantly.

Section 2: The operational challenges behind EU Data Act compliance for home appliances

What are the biggest compliance gaps for connected product manufacturers?

Understanding the regulation is step one. Building the infrastructure to comply - at scale, for millions of devices, across multiple markets - is where most organizations run into trouble.

"We have the data, but not the access layer"

Most home appliance manufacturers collect product data. The challenge is not generation, it is structured, secure, and auditable exposure. Existing data lakes and telemetry pipelines were not built to handle consent-gated, per-device, per-user, per-third-party data access. Retrofitting them is expensive and slow.

Key pain points:

- No unified data catalog mapping datasets to device types

- No consent management layer tied to the data pipeline

- No audit log for who accessed what data, and when

"We need to demonstrate it, not just do it"

Compliance is not self-certifying. Supervisory authorities will ask for evidence: records of consent, logs of data transfers, documented data retention policies. Without a system that generates these records automatically, compliance becomes a manual, fragile process dependent on spreadsheets and email chains.

Key pain points:

- No centralized record of user data sharing approvals and revocations

- No automated trail for third-party access requests

- No mechanism to enforce FRAND conditions at the data-transfer level

"We can't build this and also ship product features"

For product teams, the EU Data Act is a platform requirement dropped into an already full roadmap. Building a compliant data sharing portal, with user-facing consent flows, partner onboarding, API access, and an admin panel, is a multi-quarter engineering project. Most product organizations do not have that bandwidth.

Key pain points:

- Consumer-facing data portals require significant UX investment

- Partner onboarding and access management is operationally complex

- Pricing and monetization of data access has no existing infrastructure

Section 3: How Databoostr Addresses EU Data Act Compliance for Home Appliances

Databoostr is a data sharing and monetization platform designed specifically for manufacturers of connected products. Here is how the platform maps to the compliance requirements outlined above.

What does Databoostr actually do?

Databoostr helps manufacturers turn product usage data into a secure, reliable, compliant data stream while meeting EU Data Act obligations, without requiring manufacturers to build the infrastructure themselves.

The system is divided into two portals: a B2C portal for device owners and a B2B portal for commercial data partners.

B2C Portal: User-facing data access and consent management

The customer portal gives device owners a real-time view of all their connected appliances, including serial numbers, registration data, and device type. Users can:

- Request their own data by selecting a device, choosing a dataset (e.g., accessories data, performance diagnostics, usage metrics), and specifying a data period. This directly satisfies the data accessibility obligation under Article 4 of the EU Data Act.

- Manage third-party access - when a partner (an insurer, an energy platform, a repair service) requests access to a user's device data, the user sees the request here and can approve or revoke it with a single action.

- Share data manually to any third party of their choosing, not just pre-registered partners. This satisfies the right-to-repair sharing requirement: a user can send diagnostic data to an independent workshop without going through the manufacturer's service network.

The data catalog within the B2C portal shows users exactly which signals their device generates, what datasets are available, the retention period, and average daily data volume. This level of transparency is foundational to the EU Data Act's informed-consent model.

B2B Portal: Partner access, data streaming, and transaction management

For commercial data users (insurers, energy companies, maintenance providers), the B2B portal handles the full lifecycle of data access requests.

Partners can:

- Import device lists in bulk via CSV or XLSX, enabling them to request access across large customer fleets without manual entry.

- Track request status across pending, approved, and expired requests from a single dashboard.

- Access real-time data via streaming connectors, configurable per device type and per dataset. This is critical for partners who need live telemetry, fault monitoring, energy consumption tracking, predictive maintenance signals.

The transaction summary layer records price per data catalog, per partner, per month. Pricing is configured in the admin panel and can differ by partner type, enabling manufacturers to apply FRAND pricing at the system level, not as a manual agreement process.

Admin Panel: System-level governance

The admin panel gives the manufacturer's internal teams control over:

- Partner registration and management

- Data catalog configuration (datasets, signals, retention policies)

- Pricing per catalog and per partner category

- Operational monitoring and support dashboards

Section 4: What you gain from Databoostr?

For Heads of Data

- Structured data catalog mapped to device types and signal categories, with retention periods and volume metrics built in

- Consent-gated data pipeline - no direct exposure of raw data infrastructure to external parties

- Real-time streaming connectors for partners who require live telemetry, configurable per device type and dataset

- Audit trail of all data transfers, timestamps, and access statuses

For Heads of Compliance

- Automated consent records - every user approval and revocation is logged with a timestamp

- Third-party access management that enforces the FRAND principle through configurable, catalog-level pricing

- Built-in EU Data Act guidelines surfaced in the user-facing portal, supporting informed consent

- Revocation capability - users can withdraw third-party access at any time, and the system enforces it immediately

For Heads of Product

- Ready-to-deploy B2C portal - no internal engineering required for user-facing data access flows

- Partner onboarding handled at the platform level - B2B registration, request management, and access control are out of the box

- Monetization infrastructure - pricing per data catalog and partner type is configured in the admin panel, not coded per integration

- Configurable content - FAQ sections, data act guidance, and additional tabs can be updated without a code release

Summary: EU Data Act compliance is an infrastructure problem

The EU Data Act for home appliances is not a policy document that legal teams can simply sign off on. It requires a functioning system: consent management, data access portals, partner onboarding, audit logging, and pricing governance, all tied together and operational at scale.

Most home appliance manufacturers are not in the business of building data platforms. Databoostr exists to close that gap, providing the infrastructure layer so that manufacturers can meet their EU Data Act obligations without diverting product engineering resources to compliance plumbing.

If you are evaluating how to make your connected product portfolio compliant, or if you are already past the deadline and need to move quickly, Databoostr offers a product demo tailored to home appliance use cases.

Request a demo to see how Databoostr maps to your specific compliance requirements.

FAQ

What is the EU Data Act and when does it apply?

The EU Data Act (Regulation (EU) 2023/2854) is an EU regulation that governs access to and use of data generated by connected products and related services. It became applicable on September 12, 2025, and applies to all manufacturers placing connected products on the EU market.

Which home appliances are covered by the EU Data Act?

Any connected product that generates data by virtue of its use is covered. This includes smart washing machines, dishwashers, ovens, heat pumps, air purifiers, refrigerators, and any other IoT-enabled home appliance sold in the EU.

What are the key data sharing obligations for home appliance manufacturers?

Manufacturers must make product-generated data accessible to users, allow users to share that data with third parties upon request, apply FRAND (fair, reasonable, and non-discriminatory) conditions to third-party data access, and provide data in a machine-readable format.

How does Databoostr help manufacturers comply with the EU Data Act?

Databoostr provides a ready-to-deploy data sharing platform with a user-facing B2C portal for consent management and data access, a B2B portal for commercial partner access, real-time data streaming connectors, and an admin panel for pricing, catalog management, and audit logging, all aligned with EU Data Act requirements.

Can third-party repair workshops access appliance data under the EU Data Act?

Yes. The EU Data Act includes provisions that support the right to repair: users can direct manufacturers to share diagnostic and usage data with any third-party repair service, not just OEM-approved workshops. Databoostr supports this flow through its manual data sharing feature in the B2C portal.

How to comply with the EU Data Act in industrial manufacturing?

Key facts

Why wasn't product data access designed for regulated sharing?

In industrial manufacturing, the Data Act obligation applies to data generated by the use of the product - telemetry, logs, performance metrics, or error events produced by an industrial robot operating in a customer's plant.

In practice, this data is handled through the product's own technical stack: controllers, gateways, edge collectors, embedded software, OEM applications, and sometimes manufacturer-operated cloud or service platforms. These components are designed to operate the product, support maintenance, and enable value-added services - not to serve as regulated access points for external data consumers.

According to Latham & Watkins, "The EU Data Act is the most significant overhaul of European data law since the GDPR, with its impact being more disruptive than the EU AI Act." The regulation introduces a fundamentally different access paradigm: data access becomes externally initiated, user-directed, and subject to legal and contractual constraints.

Requests may be episodic or continuous, may involve third parties, and must be handled consistently across products, customers, and jurisdictions. Product runtime and service systems are simply not designed to absorb external variability, enforce regulatory access logic, or act as governed interfaces to broader data ecosystems.

How to decouple data sharing from product systems?

A dedicated Data Act enablement layer reframes the problem entirely. It introduces a buffered, governed boundary between product-generated data and external data consumers.

Product data is collected, normalized, and exposed through this layer - not directly from controllers, gateways, or operational service components. External users never interact with the product runtime itself. They interact with a controlled access surface that enforces policy, security, scope, and contractual constraints by design.

As Gibson Dunn notes, "The Data Act will touch companies of all sizes in almost every sector of the European economy, including manufacturers of smart consumer devices, cars, connected industrial machinery, smart fridges and other home appliances."

This decoupling allows manufacturers to evolve compliance logic independently from product software and service architectures, protecting both product integrity and regulatory readiness.

Why does scalable compliance benefit from robust data access infrastructure?

The Data Act does not create a single access event. It creates a continuous expectation of availability. Users and third parties may request data at different times, at different scales, and for different purposes.

Meeting these obligations at scale requires robust data access infrastructure as a regulatory capability - not just a developer convenience.

Rate limiting, throttling, monitoring, and fair-access enforcement are essential controls for meeting obligations without destabilizing product or service operations. By centralizing these mechanisms, a dedicated enablement layer allows manufacturers to respond predictably to demand without redesigning product integrations for each new request.

What access models does industrial data sharing require?

Industrial data sharing spans distinct interaction models:

A dedicated data access layer supports both models cleanly - enabling controlled, request-based access where appropriate and governed event-based distribution where justified - while insulating product operation from variability.

Why do manual compliance solutions fail at scale?

Many manufacturers initially respond to Data Act requests using familiar mechanisms: spreadsheet exports, manual data pulls, or custom APIs built for specific customers. These approaches may work in isolation, but they do not survive repetition.

Each manual exception introduces inconsistency, draws engineering teams into compliance activities, and weakens auditability.

Critically, the Data Act is not an isolated requirement. Manufacturers are already facing - or will soon face - additional, structurally similar obligations:

Treating each obligation as a separate exception multiplies complexity. Only standardized, repeatable, and automated mechanisms can support this shift without turning compliance into a permanent operational bottleneck.

How to move beyond product-by-product compliance?

Without a shared enablement layer, Data Act logic is implemented repeatedly-product by product, customer by customer, and integration by integration. This fragments behavior across the product portfolio and makes governance increasingly difficult.

A centralized approach allows manufacturers to implement Data Act rules once and apply them consistently across product lines, deployments, and markets.

Compliance becomes an architectural capability rather than a feature of individual products.

How to enable compliance without compromising product operation?

The most important requirement remains unchanged: compliance must not interfere with how products operate in the field. Industrial products cannot absorb regulatory experimentation or unstable access patterns.

By decoupling regulated data sharing from product runtime and service systems, manufacturers can meet Data Act obligations while preserving safety, reliability, and performance. A dedicated enablement layer acts as a governed interface between product-generated data and the outside world.

What's at stake: from tactical fixes to architectural readiness

The EU Data Act is not temporary. Expectations around product data access will continue to grow as industrial data ecosystems mature.

The European Commission projects the EU data economy will reach €743–908 billion by 2030, up from €630 billion in 2025. Manufacturers that invest in a dedicated Data Act enablement layer gain predictable compliance, scalable data sharing, and long-term architectural resilience.

Those that rely on tactical fixes will find that each new request increases cost, complexity, and operational risk.

Frequently Asked Questions

When does the EU Data Act come into effect?

The EU Data Act became enforceable on September 12, 2025. Companies selling connected products in the EU must be compliant by this date. Design requirements for new products apply from September 12, 2026.

What data must manufacturers share under the Data Act?

Manufacturers must provide access to data generated by the use of connected products, including telemetry, logs, performance metrics, sensor readings, and error events. This applies to both personal and non-personal data that is "readily available" without disproportionate effort.

What are the penalties for non-compliance?

Penalties can reach up to €20 million or 4% of global annual turnover, whichever is higher. This mirrors the GDPR penalty structure. Additionally, the Data Act allows for collective civil lawsuits similar to US class actions.

Does the Data Act apply to B2B products?

Yes. The regulation applies to all connected products sold in the EU, regardless of whether customers are consumers or businesses. Industrial machinery, manufacturing equipment, and B2B IoT devices are all in scope.

Does the Data Act require a specific technical architecture?

No. The Data Act specifies what outcomes must be achieved... A dedicated data access layer is one architectural approach that can help meet these requirements, but it is not mandated by the regulation itself.

How is the Data Act different from GDPR?

GDPR focuses on personal data protection and minimization. The Data Act focuses on access rights to product-generated data, including non-personal industrial data. Both regulations can apply simultaneously - where personal data is involved, GDPR requirements also apply.

What is a Digital Product Passport and how does it relate to the Data Act?

Digital Product Passports (DPPs) are digital records containing product lifecycle data, materials, and sustainability information. Starting February 2027 for batteries and expanding to other product categories, DPPs represent a parallel data-sharing obligation that will benefit from the same architectural approach as Data Act compliance.


Challenges of EU Data Act in Home Appliance business

As we enter 2026, the EU Data Act (Regulation (EU) 2023/2854), which is now in force across the entire European Union, is mandatory for all "connected" home appliance manufacturers. It has been applicable since 12 September 2025.

Compared to other industries, like automotive or agriculture, the situation is far more complicated. The implementation of connected services varies between manufacturers, and lack of connectivity is not often considered an important factor, especially for lower-segment devices.

The core approaches to connectivity in home appliances are:

  • Devices connected to a Wi-Fi network and constantly sharing data with the cloud.
  • Devices that can be connected via Bluetooth and a mobile app (these devices technically expose a local API that should be accessible to the owner).
  • Devices with no connectivity available to the customer (no mobile app), but still collecting data for diagnostic and repair purposes, accessible through an undocumented service interface.
  • Devices with no data collection at all (not even diagnostic data).

Apart from the last bullet point, all of the mentioned approaches to building smart home appliances require EU Data Act compliance, and such devices are considered "connected products", even without actual internet connectivity.

The rule of thumb is: if there is data collected by the home appliance or a mobile app associated with its functions, it falls under the EU Data Act.

Short overview of the EU Data Act

To make the discussion more concrete, it helps to name the key roles and the types of data upfront. Under EU Data Act, the user is the person or entity entitled to access and share the data; the data holder is typically the manufacturer and/or provider of the related service (mobile app, cloud platform); and a data recipient is the third party selected by the user to receive the data. In home appliances, “data” usually means both product data (device signals, status, events) and related-service data (app/cloud configuration, diagnostics, alerts, usage history, metadata), and access often needs to cover both historical and near-real-time datasets.

Another important dimension is balancing data access with trade secrets, security, and abuse prevention. Home appliances are not read-only devices. Many can be controlled remotely, and exposing interfaces too broadly can create safety and cybersecurity risks, so strong authentication and fine-grained authorization are essential. On top of that, direct access must be robust: rate limiting, anti-scraping protections, and audit logs help prevent misuse. Direct access should be self-service, but not unrestricted.

Current market situation

As of January 2026, most home appliance manufacturers (over 85% of the 40 manufacturers researched, responsible for 165 home appliance brands currently present on the European market) either provide data access through a manual process (ticket, contact form, email, chatbot) or do not recognize the need to share data with the owner at all.

If we look at the market from the perspective of how manufacturers treat the requirements the EU Data Act imposes on them, we can see that only 12.5% of the 40 companies researched (which means 5 manufacturers) provide full data access with a portal allowing users to easily access their data in a self-service manner (green on the chart below). 55% of the companies researched (yellow on the diagram below) recognize the need to share data with their customers, but only as a manual service request or email, not in an automated or direct way.

Recognition of EU Data Act

The red group (32.5%) consists of manufacturers who, according to our research:

  • do not provide an easy way to access your data,
  • do not recognize EU Data Act legislation at all,
  • recognize the EDA, but their interpretation is that they don’t need to share data with device owners.

A contact form or email can be treated as a temporary solution, but it fails to fulfill the additional requirements regarding direct data access. Although direct access can be understood differently and fulfilled in various ways, a manual request requiring manufacturer permission and interaction is generally not considered "direct". (Notably, "access by design" expectations intensify for products placed on the market from September 2026.)

API access

We can't talk about EU Data Act implementation without understanding the current technical landscape. For the home appliance industry, especially high-end devices, the competitive edge is smart features and smart home integration support. That's why many manufacturers already have cloud API access to their devices.

Major manufacturers, like Samsung, LG, and Bosch, allow users to access appliance data (such as electric ovens, air conditioning systems, humidifiers, or dishwashers) and control their functions. This API is then used by mobile apps (which are related services in terms of the EU Data Act) or by owners integrating with popular smart home systems.

There are two approaches: either the device itself provides a local API through a server running on it (very rare), or the API is provided in the manufacturer's cloud (most common), making access easier from the outside world, securely through their authentication mechanism, but requiring data storage in the cloud.

Both approaches, in light of the EDA, can be treated as direct access. The access does not require specific permission from the manufacturer, anyone can configure it, and if all functions and data are available, this might be considered a compliant solution.

Is API access enough?

The unfortunate part is that it rarely is, and for more than one reason. Let's go through all of them to understand why Samsung, which has a great SmartThings ecosystem, still developed a separate EU Data Act portal for data access.

1. The APIs do not make all data accessible

The APIs are mostly developed for smart home and integration purposes, not with the goal of sharing all the data collected by the appliance or by the related service (mobile app).

Adding endpoints for every single data point, especially for metadata, will be costly and not really useful for either customers or the manufacturer. It's easier and better to provide all supplementary data as a single package.

2. The APIs were developed with the device owner in mind

The EU Data Act streamlines data access for all data market participants - not only device owners, but also other businesses in B2B scenarios. Sharing data with other business entities under fair, reasonable, and non-discriminatory terms is the core of the EDA.

This means that there must be a way to share data with the company selected by the device owner in a simple and secure way. This effectively means that the sharing must be coordinated by the manufacturer, or at least the device should be designed in a way that allows for secure data sharing, which in most cases requires a separate B2B account or API.

3. The APIs lack consent management capabilities

B2B data access scenarios require a carefully designed consent management system to make sure the owner has full control regarding the scope of data sharing, the way it's shared, and with whom. The owner can also revoke data sharing permission at any time.

This functionality falls under the scope of a partner portal, not a smart home API. Some global manufacturers already have partner portals that can be used for this purpose, but an API alone is not enough.

If an API is not enough - what is?

The EU Data Act challenge is not really about expanding the API with new endpoints. The recommended approach, as taken by the previously mentioned Samsung, is to create a separate portal solving compliance problems. Let's also briefly look at potential solutions for direct access to data:

  • Self-service export - download package, machine-readable + human-readable, as long as the export is fast, automatic, and allows users to access the data without undue delay.
  • Delegated access to a third party - OAuth-style authorization, scoped consent, logs.
  • Continuous data feed - webhook/stream for authorized recipients.

These are the approaches OEMs currently take to solve the problem.
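
The delegated-access option above (scoped consent, revocation, logs) comes down to a check made at the delivery layer on every request. The sketch below is an added example, not code from Databoostr or any manufacturer; the class names, data categories and the sample oven are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# All names below (Consent, ConsentGate, the categories) are hypothetical.
@dataclass
class Consent:
    owner: str          # device owner who granted access
    recipient: str      # third party chosen by the owner
    device_id: str
    scopes: frozenset   # data categories the owner approved
    expires: datetime
    revoked: bool = False

@dataclass
class ConsentGate:
    consents: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def revoke(self, owner, recipient, device_id):
        for c in self.consents:
            if (c.owner, c.recipient, c.device_id) == (owner, recipient, device_id):
                c.revoked = True

    def deliver(self, recipient, device_id, records, now):
        """Release only records covered by a live (unrevoked, unexpired) consent."""
        live = [c for c in self.consents if not c.revoked and now < c.expires
                and (c.recipient, c.device_id) == (recipient, device_id)]
        allowed = set().union(*(c.scopes for c in live))
        released = [r for r in records if r["category"] in allowed]
        # Record withheld categories too, so denied attempts are auditable.
        self.audit.append({
            "at": now.isoformat(), "recipient": recipient, "device": device_id,
            "released": sorted({r["category"] for r in released}),
            "withheld": sorted({r["category"] for r in records} - allowed),
        })
        return released

# Constructed sample data: one oven reporting two data categories.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
RECORDS = [{"category": "energy_usage", "value": 1.8},
           {"category": "diagnostics", "value": "E42"}]

def demo():
    gate = ConsentGate()
    gate.consents.append(Consent("alice", "repair-co", "oven-1",
        frozenset({"diagnostics"}), datetime(2026, 1, 1, tzinfo=timezone.utc)))
    before = gate.deliver("repair-co", "oven-1", RECORDS, NOW)
    gate.revoke("alice", "repair-co", "oven-1")
    after = gate.deliver("repair-co", "oven-1", RECORDS, NOW)
    return before, after, gate.audit
```

Because the gate is evaluated per delivery rather than when a token is issued, a revocation takes effect on the very next request, and the audit entry for that request shows what was withheld.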

Other challenges specific to the home appliance market

Home appliance connectivity is different from the automotive market. Because devices are bound to Wi-Fi or Bluetooth networks, or in rare cases smart home protocols (ZigBee, Z-Wave, Matter), they do not move or change owners that often.

Device ownership change happens only when the whole residence changes owners, which is either the specific situation of businesses like Airbnb, or current owners moving out - which very often means the Wi-Fi and/or ISP (Internet Service Provider) is changed anyway.

On the other hand, it is hard to point to the specific "device owner". If there is more than one resident - effectively any scenario outside of a single-person household - there is no way to effectively separate the data applicable to specific individuals. Of course, every reasonable system would include a checkbox or notification stating that data can only be requested when there is a legal basis under the GDPR, but selecting the correct user or admin to authorize data sharing is challenging.

From a business perspective, a challenge also arises from the fact that there are white-label OEMs manufacturing for global brands in specific market segments. A good example here is the TV market - to access system data, there can be a Google/Android access point, while diagnostic data is separate and should be provided by the manufacturer (which may or may not be the brand selling the device). If you purchase a TV branded by Toshiba, Sharp, or Hitachi, it can all be manufactured by Vestel. At the same time, other home appliances with the same brand can be manufactured elsewhere. Gathering all the data and helping users understand where their data is can be tricky, to say the least.

Another important challenge is the broad spectrum of devices with different functions and collecting different signals. This requires complex data catalogs, potentially integrating different data sources and different data formats. Users often purchase multiple different devices from the same brand and request access to all data at once. The user shouldn't have to guess whether the brand, OEM, or platform provider holds specific datasets - the compliance experience must reconcile identities and data sources to make it easy to use.

Conclusion

Navigating the EU Data Act is complicated, no matter which industry we focus on. When we were researching the home appliance market, we saw very different approaches—from a state-of-the-art system created by Samsung, compliant with all EDA requirements, to manufacturers who explain in the user manual that to "access the data" you need to open system settings and reset the device to factory settings, effectively removing the data instead of sharing it. The market as a whole is clearly not ready.

Making your company compliant with the EU Data Act is not that difficult. The overall idea and approach is similar regardless of the industry you represent, but building or procuring a new system to fulfill all requirements is a must for most manufacturers.

For manufacturers seeking a faster path to compliance, Grape Up designed and developed Databoostr, the EU Data Act compliance platform that can be either installed on customer infrastructure or integrated as a SaaS system. This is the quickest and most cost-effective way to become compliant, especially considering the shrinking timeline, while also enabling data monetization.

FAQ

EU Data Act compliance with Databoostr

What is Databoostr's EU Data Act compliance platform and what does it cover?

Databoostr is a purpose-built platform for EU Data Act compliance that enables connected product manufacturers to provide secure, governed, consent-based access to product-generated data — to both end users (B2C) and authorized third parties (B2B). It covers the full compliance workflow: data request management, consent management, data filtering, secure packaging and delivery, auditing, and both user-facing and partner-facing portals. The platform can be deployed on customer infrastructure or integrated as a SaaS solution, and is backed by Grape Up's legal, process, and technology consulting.

Is providing an API enough for EU Data Act compliance?

Not typically. APIs developed for smart home integration or telematics purposes are designed for device owners and operational use cases — not for the full range of Data Act obligations. Three gaps commonly emerge: APIs rarely expose all data the regulation requires, including metadata and historical records; they are not designed for B2B data sharing with third-party businesses under fair, reasonable, and non-discriminatory terms; and they lack consent management capabilities that allow users to grant and revoke third-party data access.

What are the EU Data Act deadlines OEMs cannot miss?

Three deadlines structure EU Data Act compliance for connected product manufacturers. Chapter II — covering B2B and B2C data sharing obligations — became enforceable on September 12, 2025. Article 3 — requiring accessibility by design for new products — applies from September 12, 2026. Chapter IV — governing contractual terms between businesses — has a deadline of September 2027.

What vehicle data must automotive OEMs share under the EU Data Act?

The European Commission's September 2025 guidance establishes two categories of in-scope vehicle data. Raw data includes sensor signals (wheel speed, tire pressure, brake pressure, yaw rate), engine metrics (RPM, oxygen sensor, mass airflow), CAN bus messages, position signals, and raw camera or LiDAR data. Pre-processed data includes vehicle speed and acceleration, GNSS-based location, fuel and energy consumption, battery charge level, odometer readings, brake pad wear, malfunction codes, and time or distance to next service. Basic mathematical operations such as calculating fuel consumption from flow rate and speed do not exempt data from sharing requirements. Out-of-scope data covers genuinely derived outputs from complex proprietary algorithms — dynamic route optimization, ADAS predictions, ML-based predictive maintenance calculations.

Can OEMs charge third parties for data access under the EU Data Act?

Yes, for B2B data access. Under Article 9 of the EU Data Act, manufacturers can charge reasonable compensation when business partners — fleet operators, insurers, independent service providers, leasing companies — request data access. End users requesting their own vehicle or device data must receive access easily and without prohibitive cost. The European Commission has indicated it will publish further guidelines on calculating reasonable compensation under Article 9(5). Databoostr's billing infrastructure is designed to support this framework, allowing OEMs to track usage, apply pricing tiers, and manage B2B partner agreements within the same platform used for compliance.

Which regulations does Databoostr support beyond the EU Data Act?

Databoostr provides a unified compliance foundation that covers multiple data-sharing regulations. In addition to the EU Data Act, the platform supports Right-to-Repair requirements — providing authorized repair and service partners with controlled access to operational and diagnostic data with full auditability. It is also architected to support FIDA (Financial Data Access), whose principles of user-driven access, consent-based sharing, and secure third-party delivery closely mirror the EU Data Act framework. As data-sharing obligations multiply across sectors, Databoostr is designed to adapt to current mandates and prepare organizations for what follows.

How does Databoostr handle consent management for EU Data Act compliance?

Databoostr includes a dedicated consent management module that allows end users to grant or withdraw permission to share their data with specific third parties at any time. Consent decisions are tracked, stored with full auditability, and enforced at the data delivery layer — meaning data is only released to authorized recipients within the scope the user has approved. For B2B scenarios, the platform manages the authorization workflow between the user, the OEM, and the third-party recipient, ensuring the Data Act's requirements for user control and transparency are met throughout the data-sharing lifecycle.

What are the penalties for non-compliance with the EU Data Act?

Penalties under the EU Data Act can reach up to €20 million or 4% of global annual turnover, whichever is higher — mirroring the GDPR penalty structure. In addition to regulatory fines, the Act allows for collective civil lawsuits similar to US class actions. Non-compliance also carries business risk: reputational damage, market access disadvantage in the EU, and competitive exposure as compliant competitors establish data-sharing capabilities. For organizations without appropriate technical infrastructure, the approaching deadlines make delayed action increasingly costly.

Does the EU Data Act require a specific technical architecture for data access?

No. The EU Data Act is technology-neutral — it specifies outcomes, not implementation methods. Manufacturers can provide compliant data access through remote backend solutions, onboard vehicle access, or data intermediation services. However, three requirements apply regardless of architecture: data delivered to users and third parties must match the quality available to the manufacturer itself (quality equivalence); access must not impose undue technical barriers or prohibitive costs (ease of access); and data that is "readily available" — including data currently collected and stored — must be accessible. If a chosen implementation method results in lower-quality or harder-to-access data than the manufacturer's own systems provide, it fails to meet compliance requirements.

How does Databoostr turn EU Data Act compliance into a data monetization opportunity?

Databoostr's modular architecture means compliance and monetization share the same infrastructure. Organizations implementing the platform to meet Data Act obligations can activate additional modules — data catalog management, subscription and package sales, usage tracking, and billing — to begin offering commercial data products to B2B partners without building separate systems. The EU Data Act only mandates sharing of raw, unprocessed data at regulated pricing; derived and analytics-enriched data sits outside mandatory sharing entirely and can be priced commercially. What begins as a compliance project becomes the foundation for a recurring data revenue capability.

© Grape Up 2025